[Stop Press: since I haven’t been working much in the security industry since January 2019, I haven’t been maintaining this page. However, I was asked for commentary as described in this article from 29th May 2019: Who owns social media?]
Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)
However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over Cambridge Analytica, its self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help but notice that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest. Starting with a minor deluge of advice from various quarters:
- Ioana Rijnetu for Heimdal Security from a few months back: Facebook Privacy & Security Guide: Everything You Need to Know (I haven’t looked at this closely, but I’ve frequently contributed comment to Heimdal for their “expert roundup” features like this one on software monoculture, and have a lot of respect for their willingness to put the quality of advice and information above competitive advantage.)
- The Motherboard: The Motherboard Guide to Using Facebook Safely
- Sophos: Facebook fallout: How to protect your data
- Basic fairly recent advice from SANS: Top Tips to Securely Using Social Media
- Facecrooks: How to Protect Your Facebook Account from Rogue Applications
- Lots and lots of links in Bruce Schneier’s Cryptogram for April 15th 2018.
- Sophos: How to protect your Facebook data [UPDATED]
[11th December 2018]
ESET: Google+ to shut earlier as new bug exposed data of 52.5 million users
“There is no evidence that the flaw was misused during the six days it was alive, said the tech giant”
Lisa Vaas for Sophos: Facebook fined $11m for misleading users about how data will be used – “Italy’s competition regulator announced on Friday that it’s fining Facebook €10m (USD $11m, £8.9m) for laying it on thick when it comes to the service being “free” to users but keeping quiet about how the company’s making money off their data.”
Also by Lisa Vaas: Kids’ VTech tablets vulnerable to eavesdropping hackers
And one more from Lisa: Facebook staff’s private emails published by fake news inquiry – “Want to know what Mark Zuckerberg and his underlings really think about us users?
Get ready to read ’em and weep: against the wishes of the Facebook CEO, the UK parliament’s inquiry into fake news has published confidential correspondence between Zuck and his staff.” And depressing and unedifying it is, too.
[18th November 2018]
The Register: Sorry, Mr Zuckerberg isn’t in London that day. Or that one. Nope. I’d give up if I were you – “Facebook boss delays, denies and deflects more invitations to international committee …. The UK’s digital committee has been trying to get Mark Zuckerberg to have a chat with them since the Cambridge Analytica scandal broke in April. Its latest tactic is an ‘international grand committee’ made up of parliamentary committees from five different nations.”
My attention was drawn via an article from the Homeland Security News Wire – Using social media to weaken impact of terrorist attacks – to a report spearheaded by Cardiff University’s Crime and Security Research Institute and commissioned by the Five Country Ministerial (FCM) Countering Extremism Working Group, and called From Minutes to Months – A rapid evidence assessment of the impact of media and social media during and after terror events. According to the Executive Summary it centres on:
1. An overview of the relationships between terrorist violence and media, and how these have been influenced by changes to the media ecosystem.
2. A brief outline of the key typical developments that take place in particular time periods as one moves further away from the occurrence of the original
3. Recommendations for police, government and others involved in public safety provision, in terms of what strategic communications postures they can adopt to limit the impacts and harms of terror attacks.
The Register: As if connected toys weren’t creepy enough, kids’ data could be used against them in future – “Watchdog tells manufacturers to reveal what they slurp on tots …. the UK’s Office of the Children’s Commissioner has said in a report warning of the long-term impact of amassing data on kids…. young folk will have sent out an average of 70,000 social media posts by the time they reach 18, while snap-happy parents will have uploaded 1,300 photos and videos of their offspring online before they become teenagers.”
Graham Cluley: On eve of US elections, Facebook blocked 115 accounts engaged in ‘coordinated inauthentic behavior’ – “In a statement posted on its website … Facebook explained that in the last year it has found and removed bad actors from the site on many occasions – based on its own internal investigations and information provided by law enforcement, and external experts.”
[26th October 2018]
The Register: Apple boss decries ‘data industrial complex’ while pocketing, er, billions to hook Google into iOS – “…‘Advancing AI by collecting huge personal profiles is laziness, not efficiency,’ he said. ‘For artificial intelligence to be truly smart, it must respect human values including privacy.’ … Apple … sells Google access to iOS customers for $9bn. That’s how much Google is expected to pay Apple this year to be the default search provider on iDevices, according to a Goldman Sachs estimate.”
The Register: Jeez, not now, Iran… Facebook catches Mid East nation running trolly US political ads – “Whack-a-Troll: Ad biz smashes latest manipulation plot to show it’s doing…something … Facebook, the antisocial advertising platform on which anyone can promote just about anything, on Friday said it found people promoting political discord in the US and UK, yet again.”
[29th October 2018]
Tomáš Foltýn for ESET: Nothing exceeds like excess; or, a lack of privacy in the digital age
What has the internet brought us? And how does privacy stay anchored in the data deluge of the digital age? Here’s a brief reflection to celebrate today’s Internet Day
[24th October 2018]
Graham Cluley: Twitter thought Elon Musk’s bizarre tweets were evidence he’d been hacked – “It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.”
Since there’s been a spate of Bitcoin fraud tweets spoofing his account, offering to sell someone some Bitcoin may have been a tweet too far.
The Register: Facebook, Google sued for ‘secretly’ slurping people’s whereabouts – while Feds lap it up – “Facebook and Google are being sued in two proposed class-action lawsuits for allegedly deceptively gathering location data on netizens who thought they had opted out of such cyber-stalking.”
[23rd October 2018]
New York Times: U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections – “WASHINGTON — The United States Cyber Command is targeting individual Russian operatives to try to deter them from spreading disinformation to interfere in elections, telling them that American operatives have identified them and are tracking their work, according to officials briefed on the operation.”
The Facebook Newsroom: The Hunt for False News – fairly undramatic examples of fake news stories discovered, but somewhat interesting for the insight it gives into what approaches FB is taking towards finding such stories.
Graham Cluley: If Facebook buys a security company, how will it retain the staff who absolutely hate Facebook? – “…if Facebook did actually acquire a company brimming with security boffins, there’s a good chance that a fair proportion of them would be very privacy-minded. And it’s quite possible that a good number of them would rather pull their toenails out with pliers than find that their new boss is Mark Zuckerberg.”
TNW’s cookie statement says: “You give your consent for cookies to be placed and read out on our Platform by clicking “agree” on the cookie notice or by continuing to use the Platform. For more information about the use of the information collected through cookies see our Privacy Statement.”
[22nd October 2018]
Wired: How a suspicious Facebook page is pushing pro-Brexit ads to millions – “The UK’s fake news inquiry says the website Mainstream has spent around £257,000 on pushing a pro-Brexit advertising campaign on Facebook in the last 10 months. The problem? Nobody knows who runs the page or where the money comes from”
And I somehow didn’t get round to posting this nearly a year ago, but it’s still worth reading. The Verge: Former Facebook exec says social media is ripping apart society – ‘No civil discourse, no cooperation; misinformation, mistruth….He went on to describe an incident in India where hoax messages about kidnappings shared on WhatsApp led to the lynching of seven innocent people.’
[20th October 2018]
BBC: Children ‘blackmailed’ for sexual images in online video chats. “A surge in the use of video chats and live-streaming among children is leaving them vulnerable to abuse, the NSPCC has warned, calling for a social network regulator to be introduced.”
Graham Cluley: Facebook Portal isn’t designed to be as private as you might hope – Graham says “I doubt I’m alone in the world in thinking that allowing Facebook, of all companies, into your home with a microphone and a video camera is a pretty terrible idea.” Indeed he isn’t… And this story is not reassuring, with FB’s weaselly partial backtracking on the assertion that it would not collect data for targeted advertising.
I’m not the biggest fan of SANS and its newsletters. (That would be SANS…) But the Top Of The News section in its October 19th 2018 Newsbites newsletter includes a number of links relevant to election interference and social media that you might find worth reading.
[19th October 2018]
ESET: Tumblr patches bug that could have exposed user data
The microblogging platform is assuring its users that it has found no evidence that any data was actually stolen
The Register: Tumblr turns stumblr, left humblr: Blogging biz blogs bloggers’ private info to world+dog – “Tumblr today revealed it has fixed a security bug in its website that quietly revealed private details of some of its bloggers”
The Next Web: Twitter releases 10M Iranian and Russian propaganda tweets ahead of US Midterms – “Twitter yesterday released a bevy of data related to Iranian and Russian-sponsored misinformation campaigns started as long ago as 2009. The hope, in releasing the trove, is that academics and researchers will use it to come up with solutions to the propaganda problem plaguing US politics.”
[17th October 2018]
Sophos: Donald Daters app for pro-Trump singles exposes users’ data at launch – “Donald Daters, a new dating app that promises to “make dating great again” has instead leaked its users’ data.”
The Mercury News: Facebook lured advertisers by inflating ad-watch times up to 900 percent: lawsuit – “A group of small advertisers … alleged in the filing that Facebook “induced” advertisers to buy video ads on its platform because advertisers believed Facebook users were watching video ads for longer than they actually were.”
[12th October 2018]
Sophos: Instagram tests sharing your location history with Facebook – “For those Facebook users who still cling to the notion that they can limit Facebook’s tracking of our lives like it’s an electronic bloodhound, you should be aware that its Instagram app has been prototyping a new privacy setting that would enable location history sharing with its parent company.”
The Register: Facebook mass hack last month was so totally overblown – only 30 million people affected – “Good news: 20m feared pwned are safe. Bad news: That’s still 30m profiles snooped…”
[10th October 2018]
Catalin Cimpanu for ZDnet: Google sets new rules for third-party apps to access Gmail data – “All Gmail third-party apps with full access to Gmail user data will need to re-submit for a review by February 15, 2019, or be removed.” Meanwhile, according to the Hacker News: Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users’ Data.
“The vulnerability was open since 2015 and fixed after Google discovered it in March 2018, but the company chose not to disclose the breach to the public—at the time when Facebook was being roasted for the Cambridge Analytica scandal.”
The Register comments: Google now minus Google Plus: Social mini-network faces axe in data leak bug drama – “Project Zero would have been all over this – yet it remained under wraps”
The Register: Rap for WhatsApp chat app chaps in phone-to-pwn security nap flap – “Memory corruption flaw present in Android, iOS builds. Aaand it’s been fixed”
[6th October 2018]
Lisa Vaas for Sophos: Facebook finds “no evidence” attackers accessed third-party apps – “Facebook said … Nevertheless, it’s building a tool to allow developers to manually identify which of their apps’ users may have been affected, so they can log them out.”
[3rd October 2018]
ESET: Facebook: No evidence attackers used stolen access tokens on third-party sites
“The social networking behemoth is expected to face a formal investigation by Ireland’s Data Protection Commission in what could be the “acid test” of GDPR since the law became effective in May”
Graham Cluley: Two reasons to reconsider your Facebook membership
“Not only was it revealed that millions of users had their accounts exposed by a vulnerability, but the site has been up to dirty tricks with mobile phone numbers you gave them to supposedly enhance your security.”
Joseph Cox for Motherboard: Hackers Are Holding High Profile Instagram Accounts Hostage
Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom.
[29th September 2018]
[28th September 2018]
Thomas Claburn for The Register: Facebook sued for exposing content moderators to Facebook – “Endless series of beheadings and horrible images take mental toll, US lawsuit claims”
Silicon: WhatsApp Founder Admits Selling Out Privacy To Facebook – “Co-founder of WhatsApp Brian Acton admits selling out the privacy of WhatsApp users to Facebook”
‘In a letter to MPD Director Michael Rallings, Facebook’s Andrea Kirkpatrick, director and associate general counsel for security, scolded the police for creating multiple fake Facebook accounts and impersonating legitimate Facebook users as part of its investigations into “alleged criminal conduct unrelated to Facebook.”’
[24th September 2018]
Lisa Vaas for Sophos: Years on, third party apps still exposing Grindr users’ locations – “Grindr, the premium gay dating app, is exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status…”
Nathan Gleicher for Facebook: Expanding Security Tools to Protect Political Campaigns – “Over the past year, we have invested in new technology and more people to stay ahead of bad actors who are determined to use Facebook to disrupt elections. Today we’re introducing additional tools to further secure candidates and campaign staff who may be particularly vulnerable to targeting by hackers and foreign adversaries. This pilot program is an addition to our existing security tools and procedures, and we will apply what we learn to other elections in the US and around the world.”
Commentary by Danny Bradbury for Sophos: How Facebook wants to protect political campaigners from hacking – “Facebook is making the extra protections available to a select class of political operatives, namely candidates for federal or statewide office, and staff members and representatives from federal and state political party committees.”
Lisa Vaas for Sophos: Facebook faces sanctions if it drags its feet on data transparency – Vera Jourova, the European Commissioner for justice, consumers and gender equality, is evidently not in the least impressed.
[18th September 2018]
Danny Bradbury for Sophos: Deepfake pics and videos set off Facebook’s fake news detector – centres on FB’s announcement that “To date, most of our fact-checking partners have focused on reviewing articles. However, we have also been actively working to build new technology and partnerships so that we can tackle other forms of misinformation. Today, we’re expanding fact-checking for photos and videos to all of our 27 partners in 17 countries around the world (and are regularly on-boarding new fact-checking partners). This will help us identify and take action against more types of misinformation, faster.”
The Register: Not so much changing their tune as enabling autotune: Facebook, Twitter bigwigs nod and smile to US senators – “Google slammed for no-show”
Graham Cluley: Twitter testing new feature that reveals when you’re online – “WHO OTHER THAN STALKERS ACTUALLY WANTS THIS?”
Lisa Vaas for Sophos: Review that! Fake TripAdvisor review peddler sent to jail
“The owner of a fake-review factory is going to get a chance to write a review about his trip to the inside of an Italian jail.
TripAdvisor announced (PDF) on Wednesday that, in one of the first cases of its kind, the criminal court of the Italian city of Lecce has ruled that writing fake reviews, under a fake identity, is criminal conduct.”
Michigan News (University of Michigan): Fake news detector algorithm works better than a human – “ANN ARBOR—An algorithm-based system that identifies telltale linguistic cues in fake news stories could provide news aggregator and social media sites like Google News with a new weapon in the fight against misinformation.
The University of Michigan researchers who developed the system have demonstrated that it’s comparable to and sometimes better than humans at correctly identifying fake news stories.”
[31st August 2018]
Raj Samani (McAfee) for Help Net: The anatomy of fake news: Rise of the bots
[30th August 2018]
Tomáš Foltýn for ESET: Instagram expands 2FA and account verification – “The move is part of a three-pronged plan that is intended to bolster user trust and safety on the photo-sharing platform”
Brian Krebs: Instagram’s New Security Tools are a Welcome Step, But Not Enough – “…Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number…”
[28th August 2018]
Lisa Vaas for Sophos: Tumblr outlaws creepshots and deepfake porn – “The blogging site wants to go back to a simpler time, where, it says, people were a lot nicer … and didn’t glorify gore and upskirting.”
I was a little late spotting this New York Times article from August 21st: Sheera Frenkel and Nicholas Fandos: Facebook Identifies New Influence Operations Spanning Globe – “We know that trolls on social media are trying to sow discord on contentious subjects like race, guns and abortion, but how do they do it? Here is a visual guide to their strategy.”
Its starting point is this article from Facebook – Taking Down More Coordinated Inauthentic Behavior – regarding how it has taken down 652 pages, groups and accounts for ‘inauthentic behavior’ after receiving information from FireEye about ‘Liberty Front Press’. FireEye’s analysis is summarized here – Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East – linking to a 38-page report. Fascinating stuff.
Richi Jennings for TechBeacon’s Security Blogwatch: It’s election hacking season: Are you a target? A selection of commentary from a variety of sources. “Allegedly, Russia and Iran have been phishing, hacking, and building fake profiles on Facebook, Twitter, and YouTube…With the midterms just a few months away, the froth is building.”
Graham Cluley for BitDefender: Facebook pulls its VPN from the iOS App Store after data-harvesting accusations – “Facebook has withdrawn its Onavo Protect VPN app from the iOS App Store after Apple determined that it was breaking data-collection policies.”
John Leyden for The Register: Facebook pulls ‘snoopy’ Onavo VPN from Apple’s App Store after falling foul of rules
Rebecca Hill for The Register: Chap asks Facebook for data on his web activity, Facebook says no, now watchdog’s on the case – “Info collected on folk outside the social network ‘not readily accessible’ … Facebook’s refusal … is to be probed by the Irish Data Protection Commissioner … Under the General Data Protection Regulation … people can demand that organisations hand over the data they hold on them.”
Lisa Vaas for Sophos: Facebook’s rating you on how trustworthy you are – a good analysis of the difficulties Facebook and other social media face in addressing the problem of fake news.
[21st August 2018]
A paper by Professor Douglas C. Schmidt on Google Data Collection makes clear just how much information Google is collecting about its users and the purposes for which it can be used. It is … disquieting …
Rebecca Hill for The Register: Bloke hurls sueball over Google’s ‘is it off yet?’ location data slurping – “…a lawsuit has accused the search-cum-ads biz of unlawfully invading users’ privates and intentionally complicating the opt-out process…after last week’s Associated Press probe into location data slurping.”
Lisa Vaas for Sophos: Social networks to be fined for hosting terrorist content – “On Sunday, the Financial Times reported that the EC’s going to follow through on threats to fine companies like Twitter, Facebook and YouTube for not deleting flagged content post-haste.”
An article in the New York Times focuses on a paper by Karsten Müller and Carlo Schwarz of the University of Warwick that made a startling assertion: “Wherever per-person Facebook use rose to one standard deviation above the national average, attacks on refugees increased by about 50 percent.” I don’t think they mean to imply that Facebook directly or intentionally encourages the negative traits that such attacks represent: more that it “isolates us from moderating voices or authority figures, siphons us into like-minded groups and, through its algorithm, promotes content that engages our base emotions.” Or to put it another way, our tendency to group ourselves into like-minded ‘bubbles’ inclines us to make distorted assumptions about how widespread our pet beliefs are, assumptions reinforced by ‘superposters’ who energetically promulgate those same beliefs.
While it’s not exactly the same thing, being more focused on anonymity and pseudonymity, I was reminded of an older paper by Mich Kabay that has influenced my own thinking significantly over the years: Anonymity and Pseudonymity in Cyberspace: Deindividuation, Incivility and Lawlessness Versus Freedom and Privacy. The similarity is in the examination of the ways in which online behaviour can differ (for the worse) from behaviour in the real world. The difference is the way in which the Warwick study suggests that behaviour in the real world can be redirected into unacceptable channels by perceptions moulded by social media.
[Big catch-up after over a week Out of Office]
Zeljka Zorz for Help Net: Turning off Location History doesn’t prevent Google from knowing your location – “If you believe that by turning off Location History on your Android device or iPhone means that Google won’t be able to know your location, think again: Princeton University researchers have confirmed Google services store users’ location regardless of those settings.”
Help Net is quoting research performed on behalf of the Associated Press. AP says: “Google’s support page on the subject states: ‘You can turn off Location History at any time. With Location History off, the places you go are no longer stored.’ That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.”
Kashmir Hill and Surya Mattu for Gizmodo: Facebook Wanted Us to Kill This Investigative Tool – “Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations….In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. …. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.”
Facebook, it seems, wasn’t happy about the release of the tool, for more than one reason. I can actually understand that the terms of service that it might violate are at least in part imposed for reasons of security (or should be). Yet Gizmodo points out that “Journalists need to probe technological platforms in order to understand how unseen and little understood algorithms influence the experiences of hundreds of millions of people”: Facebook’s apparent distrust of this assertion may tell us something about its PR worries, and even about the intrusive nature of the algorithms it prefers to keep secret.
Graham Cluley: Twitter CEO says they’re taking no action against InfoWars and Alex Jones
IT’S THE SAME CONTENT THAT FACEBOOK, YOUTUBE, SPOTIFY, AND APPLE BANNED.
If you’re unaware of the fuss about Jones, you might like to check out this article in the New York Times: Alex Jones, Pursued Over Infowars Falsehoods, Faces a Legal Crossroads
Teiss: Facebook denies it asked banks to share customers’ financial information – Summarizes a story from the Wall Street Journal which I haven’t read because I’m not a subscriber.
Pierluigi Paganini: Social Mapper – Correlate social media profiles with facial recognition –
“Security experts at Trustwave have released Social Mapper, a new open-source tool that allows finding a person of interest across social media platforms using facial recognition technology…Experts from Trustwave warn of potential abuses of Social Mapper that are limited ‘only by your imagination.’”
Which is unfortunate in that it’s easily found for free…
An interesting article by William Suberg for CoinTelegraph: Researchers Reveal Network of 15K Crypto-Related Scam Bots on Twitter – “New research published today, Aug. 6, has shed light on the infamous phenomenon of cryptocurrency-related Twitter accounts advertising fake “giveaways,” revealing a network of at least 15,000 scam bots.”
[3rd August 2018]
A fascinating article for Quartz by Nikhil Sonnad: Everything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)
The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”
[2nd August 2018]
New York Times: Facebook Has Identified Ongoing Political Influence Campaign – “Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.”
Commentary from The Register: Facebook deletes 17 accounts, dusts off hands, beams: We’ve saved the 2018 elections – “Yeah, that’ll do the trick, Mark”
Facebook’s own blog post: Removing Bad Actors on Facebook
The Register: UK ‘fake news’ inquiry calls for end to tech middleman excuses, election law overhaul – “British lawmakers have been told to create tougher rules for social media giants claiming to be neutral platforms, establish a code of ethics for tech firms, and plump up the UK’s self-styled ‘data sheriff’.”
Roger Thompson (Thompson Cyber Security Labs): Ok, this was scary – a disquieting example of how much more information is ‘publicly available’ than you probably think. Even scarier is the question of how much publicly available information is actually accurate.
[27th July 2018]
Reuters: Facebook’s grim forecast: privacy push will erode profits for years – “The plummeting stock price wiped out as much as $150 billion in market capitalization and erased the stock’s gains since April when Facebook announced a surprisingly strong 63 percent rise in profit and an increase in users.” John Gruber offers terse but to-the-point commentary.
Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.”
Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys – the story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.
Also from Lisa Vaas: Crimson Hexagon banned by Facebook over user data concern – “The Wall Street Journal last week reported that Facebook is investigating whether the firm’s contracts with the US government and a Russian nonprofit tied to the Kremlin violated its policies.”
Yet another article from the prolific Ms Vaas: Names and photos of Venmo ‘drug buyers’ published on Twitter – she offers another example of data scraped from publicly available data and used inappropriately and misleadingly. A recent article by John E. Dunn describes a rather more responsible use of Venmo’s open privacy settings: Venmo users: time to hide your drug deals and excessive pizza consumption.
And another. Maybe you should just shoot over to the Naked Security site while I get on with some other work… WhatsApp limits message forwarding in response to lynchings – an indication that fake news is no joke, and can be a matter of life or (more to the point) death. In recent months, “India … has seen dozens of mob lynchings sparked by rumors that have spread virally on social media.”
[23rd July 2018]
Nick Statt for The Verge: Undercover Facebook moderator was instructed not to remove fringe groups or hate speech – “A new documentary details how third-party Facebook moderators ignore the company’s rules … The accusation is a damning one, undermining Facebook’s claims that it is actively trying to cut down on fake news, propaganda, hate speech, and other harmful content that may have significant real-world impact.” The investigation focuses on CPL Resources, which provides a third-party content moderation service.
In an interview with Kara Swisher, Zuckerberg tries to explain why Facebook hasn’t simply taken down InfoWars’ presence on the platform, but has merely moved them ‘down the line’ by reducing distribution. Hmm. Good interview, though, and lots of glimpses into the man’s head.
The Register: ‘Elders of the Internet’ apologise for social media, recommend Trump filters to fix it – “‘USENET was a pretty clear warning’ of things to come, says new draft IETF standard”. I don’t think this IETF draft is entirely serious, but perhaps it should be. IT security remains fixated on technical security and has tended to fight shy of the psychosocial aspects of Internet interaction. Certainly the anti-malware industry in general could have paid more attention to the psychology of the victim than it has. And yes, USENET was a pretty good indication of how awful social media might (and did) turn out to be. And yes, abstention from social media and whisky do both have some appeal… A joke with teeth…
[15th July 2018]
Me, for this blog: Machine learning: science, engineering, or magic fairy dust?
You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually indicate why the penalty was so much less than you might have expected (in theory, up to 4% of the company’s total income).
(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”
(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.
[11th July 2018]
The Register: Brit privacy watchdog reports on political data harvests: We’ve read the lot so you don’t have to – “Cambridge Analytica had data ferreted away on disconnected servers, Twitter actually kicked the firm’s ads off its platform, and Facebook still has a lot of questions to answer.”
Washington Post: Twitter is sweeping out fake accounts like never before, putting user growth at risk – “Twitter suspended more than 70 million accounts in May and June, and the pace has continued in July”
Sophos: Apple and Google questioned by Congress over user tracking – “Inquiring minds want to know, for one thing, whether our mobile phones are actually listening to our conversations, the committee said in a press release.”
Sophos: Facebook stares down barrel of $660,000 fine over data slurping. David Bisson notes: Facebook Fined £500,000 by ICO for Cambridge Analytica Data Scandal, and Graham Cluley comments: Facebook fined a paltry £500,000 (8 minutes’ revenue) over Cambridge Analytica scandal. Quite…
Pierluigi Paganini: Timehop data breach, data from 21 million users exposed. “The company admitted that hackers obtained access credential to its cloud computing environment, that incredibly was not protected by multifactor authentication.”
[5th July 2018]
Rhett Jones for Gizmodo: Google Says It Doesn’t Go Through Your Inbox Anymore, But It Lets Other Apps Do It
[28th June 2018]
Tomáš Foltýn for ESET: How (over)sharing on social media can trip you up. In case you’d forgotten just how many ways there are in which oversharing information can harm you…
The Register: Facebook shells out $8k bug bounty after quiz web app used by 120m people spews profiles – “Facebook has forked out an $8,000 reward after a security researcher flagged up a third-party web app that potentially exposed up to 120 million people’s personal information from their Facebook profiles.” In case you thought Facebook was past all that…
Maria Varmazis for Sophos: Are you happy with this technology that Facebook’s developing? – actually commentary on a story in the New York Times about what Facebook’s patent applications tell us. It seems that there are few aspects of our personal lives that Facebook isn’t interested in tracking. Though Maria rightly points out that “these patents are not a product roadmap for Facebook, so it is entirely possible we’ll never see them in action.” Unless, perhaps, FB is encouraged to pursue them by future commercial and political developments…
Also from Sophos: Facebook and Google accused of manipulating us with “dark patterns” – “In a report called Deceived By Design, the Norwegian Consumer Council (Forbrukerrådet) calls out Facebook and Google for presenting their GDPR privacy options in manipulative ways that encourage users to give up their privacy.” However, there are lots of more blatant manipulations to be seen: in many cases, it’s just a case of ‘let us drop our cookies or miss out on what we’re offering.’
[27th June 2018]
Metro: Facebook wants to hide secret inaudible messages in TV ads that can force your phone to record audio – this is so blatant I find it hard to believe, despite my own distrust of Zuckerberg and his minions. But I suppose we’ll see.
[20th June 2018]
Lukas Stefanko: New Telegram-abusing Android RAT discovered in the wild – “Entirely new malware family discovered by ESET researchers”
[15th June 2018]
Bloomberg: Apple Tries to Stop Developers From Sharing Data on Users’ Friends – “Apple Inc. changed its App Store rules last week to limit how developers use information about iPhone owners’ friends and other contacts, quietly closing a loophole that let app makers store and share data without many people’s consent.”
[8th June 2018]
John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain company’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.
On the other hand: Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance.”
New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends – “The company formed data-sharing partnerships with Apple, Samsung and dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too
James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.
[6th June 2018]
The Register: ‘Tesco probably knows more about me than GCHQ’: Infosec boffins on surveillance capitalism – “Cambridge Uni powwow broods on Facebook, Wannacry”. There seem to have been a lot of good points made there. I’m rather sorry I didn’t get to it, but it’s a long way from my part of the world…
Surveillance by cookie isn’t, of course, confined to social media. Perhaps more people have become aware of them recently with the pitter-patter of GDPR-inspired pop-ups on sites noting that they use them, and on occasion requiring visitors to agree to their being used if they’re to continue using the site. What could go wrong? Here’s an interesting, mildly techie paper from Digital Interruption: Are Your Cookies Telling Your Fortune? – An analysis of weak cookie secrets and OSINT. OSINT, by the way, is Open-Source Intelligence, information gathered from publicly available sources.
Sophos: Facebook faces furious shareholders at annual meeting – “Another investor, Will Lana of Trillium Asset Management, said that his firm has been keeping track of the scandals in which Facebook is embroiled. It’s tallied “at least 15 distinct controversies,” he said, as he spoke in favor of a proposal to change the board’s approach to risk management”. [But don’t worry: Zuckerberg and the Board of Directors managed to ‘emerge from the meeting unscathed’. Well, you can worry if you like…]
Thomas Claburn for The Register: Facebook insists device data door differs from dodgy dev data deal – “Facebook on Sunday said an arrangement that gave some 60 mobile device makers access to data about device users’ Facebook friends is not at all like the deal it made with app developers that gave rise to the Cambridge Analytica scandal.” Oh, good…
Given the number of Facebook denizens who are interested in genealogy and heredity, this seems a suitable place to mention a Brian Krebs article: Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage
Catalin Cimpanu for Bleeping Computer: Washington State Sues Facebook and Google Over Election Ads – “Washington State Attorney General Bob Ferguson filed two lawsuits on Monday against Facebook and Google on the grounds of breaking local campaign finance laws.”
Here are a couple of items I’ve also posted to the Mac Virus site, and which are also relevant to the anti-social media page. I haven’t paid much attention to news-recycling sites (apart from The Register, maybe) in recent years, but these two ZDNet reports actually mildly impressed me.
Adrian Kingsley-Hughes for ZDNet: Your iPhone is tracking your movements and storing your favorite locations all the time. He says: “Now, you may be like me and not care about this data being collected, and might even find it a useful record of where you’ve been over the previous weeks and months. But if you’re uncomfortable for any reason with this data being collected, then Apple offers several ways you can take control over it.” Even if you don’t mind these data being collected by your operating system, you also have to think about the apps that may be accessing it at second hand.
Kind of weirdly, Larry Dignan (also for ZDNet) tells us that Apple, Google have similar phone addiction approaches with iOS, Android. Well, it’s always nice (if unexpected) when Big Business displays a sense of civic responsibility. However, Dignan is probably right when he remarks: “The research is just starting to be compiled on smartphone addiction and what happens when your life is overloaded by apps and notifications. Think of the digital health push from Apple and Google as a way to provide talking points before screen time becomes a Congressional hearing someday.”
[1st June 2018]
Tomáš Foltýn for ESET: More curious, less cautious: Protecting kids online – “How we can help protect a generation for which digital is the way of the world?”
[30th May 2018]
Sophos: Facebook battles tiny startup over privacy accusations. John E. Dunn remarks:
“You can argue Six4Three’s allegations either way … they’re another example of the way the company perfectly understood the value of its user data and wanted to monetise it.”
“Alternatively, by restricting third parties, Facebook was simply reigning in risky access that privacy advocates believe should never have been allowed in the first place.”
[26th May 2018]
(1) Graham Cluley for ESET: Woman says Alexa recorded and shared the private conversation she was having with her husband – “It’s every Amazon Alexa owner’s worst nightmare – your private conversations not just being listened to, but shared with random contacts without your knowledge.” Here’s Amazon’s curious explanation of how it happened:
“Echo woke up due to a word in background conversation sounding like ‘Alexa.’ Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right’. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
(2) Also from ESET: Facebook refines 2FA setup, adds authenticator app support
(3) The Register: Welcome to your sci-fi dystopia: Sonic firewalls to crumble inaudible ad-tracking phone cookies – “Ultrasonic packets of data to and from your handheld killed
(4) The Register: New Facebook political ad rules: Now you must prove your ID before undermining democracy – “The horse is a speck on the horizon – but at least the barn door now has a bolt on it … Facebook has rolled out its promised disclosure regime for political and issue advertising, heralding a new age of transparency and civic responsibility. Or so Facebook folks suggest…”
(6) Sophos (again): Facebook’s counterintuitive way to combat nonconsensual porn
(7) The Register: ‘Facebook takes data from my phone – but I don’t have an account!’ – “Reg reader finds mobile apps can’t be cut or quieted”
(8) Gizmodo: Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law – “So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.”
[20th May 2018]
New Scientist: Huge new Facebook data leak exposed intimate details of 3m users – “Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.” And some commentary from The Register: How could the Facebook data slurping scandal get worse? Glad you asked – “Three million “intimate” user profiles offered to researchers”
And commentary from Sophos: Facebook app left 3 million users’ data exposed for four years
[14th May 2018]
Infoblox have a very interesting report on What is Lurking on Your Network – Exposing the threat of shadow devices.
In his foreword, Gary Cox says:
“For IT departments, the complexities and security issues around managing BYOD schemes and unsanctioned Shadow IT operations have long been a cause for concern.
“In an increasingly complex, connected world, this challenge has now been exacerbated by the explosion in the number of personal devices individuals own, as well as the plethora of new IoT devices being added to the network.”
More reasons to feel uncomfortable with the unfettered enthusiasm for BYOD.
Commentary/summary from Help Net Security: Exposing the threat of shadow devices: “Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39 percent), as well as to download apps, games and films … These practices open organizations up to social engineering hacks, phishing and malware injection.”
Updates 12th May 2018
- Sophos: Google cracks down on election meddling advertisers
- Raj Samani (McAfee) for Help Net Security: Social media: The zero-trust game. On social media and propaganda. See also High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign
- Pierluigi Paganini: Secret Conversation – Twitter is testing End-to-End Encryption for direct messages
- Paul Ducklin for Sophos: The WhatsApp text bomb – no, it won’t destroy your phone! But it might force a restart. I was mildly amused to note that a Sophos mail notification tagged the story “Text bomb, text bomb, WhatsApp text bomb, you can crash my application when I want to get things done,” echoing this article of mine from last February (about quite a different bug): Text bomb, text bomb you’re my text bomb… Great minds think alike…
- The Register: Crypto chat app Signal’s disappearing messages found hiding on macOS – “Mac Notification Center sometimes clones supposedly transient notes”
Updates 5th May 2018
Lots of commentary this week on Twitter’s mishaps with our credentials:
- Twitter: Keeping your account secure – “Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.”
- Graham Cluley: Yes, you should change your Twitter password – but don’t panic – “THE SKY IS NOT FALLING. BUT DO CHANGE YOUR TWITTER PASSWORD.”
- ESET: Twitter advises all users to change passwords after glitch
- Brian Krebs: Twitter to All Users: Change Your Password Now!
- Help Net Security: Twitter reveals security blunder, asks users to change their passwords
- Sophos: Twitter admits to password storage blunder – change your password now!
- And some relevant thoughts from ESET on/around World Password Day: Recycling is a must, but why would you reuse your password?
- Twitter: No big deal, but everyone needs to change their password – “Biz does a GitHub, downplays security blunder as log file of credentials left unencrypted”
The Register: Google will vet political ads to ward off Phantom Menace of fake news – “Mountain View’s Empire Strikes Back against election meddling”
And The Register again, on old favourite Facebook: Time to ditch the Facebook login: If customers’ data should be protected, why hand it over to Zuckerberg? – “How The Social Network and its partners use that info is a total black box”
Updates 3rd May 2018
- CA Commercial: Cambridge Analytica and Scl Elections Commence Insolvency Proceedings and Release Results of Independent Investigation into Recent Allegations – a sort of corporate suicide note…
- Graham Cluley: Goodbye Cambridge Analytica, hello Emerdata? – “HOPE YOU’RE NOT PLANNING TO COME BACK UNDER A DIFFERENT GUISE…”
- Kaspersky Threat Post: TENS OF THOUSANDS OF MALICIOUS APPS USING FACEBOOK APIS – “At least 25,936 malicious apps are currently using one of Facebook’s APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address.”
- Post-Facebook fallout: Americans envy Europeans’ privacy – top EU data watchdog – “US can’t operate in ‘splendid isolation’ – Giovanni Buttarelli” From the article: “… in the US, where privacy laws are much less stringent, the Facebook scandal could be described as a wake-up call. Lawmakers are now seriously discussing regulation and during Mark Zuckerberg’s mammoth Congressional hearings, politicians grilled him on plans to apply EU rules globally.”
- What could Facebook possibly do next to reassure privacy fears? Yup – make a dating app
Talking of Zuckerberg, here’s his summary of the forthcoming ‘Clear History’ control.
Updates 1st May 2018
- Venafi: Social Media Data Collection Regulation: Survey – “…70 percent of respondents said governments should regulate the collection of personal data by social media companies to protect user privacy, but 72 percent believe government officials do not have a good understanding of the threats impacting digital privacy…”
- Commentary from Help Net Security: Should governments regulate social media data collection?
The Guardian: WhatsApp CEO Jan Koum quits over privacy disagreements with Facebook – “WhatsApp was built with a focus on privacy and a disdain for ads, but the Facebook-owned service is now under pressure to make money”
Selina Wang for Bloomberg: Twitter Sold Data Access to Cambridge Analytica–Linked Researcher. And commentary from Help Net.
ENISA: Strengthening network & information security & protecting against online disinformation (“fake news”) – “In this paper, ENISA presents some views on the problem of online disinformation in the EU from a Network and Information Security (NIS) perspective. A number of recommendations are presented which relate both to general NIS measures, as well as targeted measures to protect against online disinformation specifically.”
Updates 27th April 2018
- Filip Truta: Researchers show how Amazon Echo can be used for eavesdropping
- The Register: ‘Alexa, listen in on my every word and send it all to a shady developer’ – “Amazon fixes up app security hole affecting always-listening Echo assistants”
- Sophos: Getting an Amazon Echo app to silently eavesdrop on you
Also from Sophos: Know what Instagram knows – here’s how you download your data
The Register: Facebook: Crisis? What crisis? Look at our revenue, it’s fantastic – “But analysts say ditch your stock as opex set to blow up”
And again from Sophos: Yahoo fined $35m for staying quiet about mega breach
Updates 25th April 2018
The Register: Happy having Amazon tiptoe into your house? Why not the car, then? In-trunk delivery – what could go wrong? – “New Bezos scheme opens up vehicles as drop-off points” What could go wrong?
Sophos: Ex-Reddit mogul apologizes for making the world ‘a worse place’ – “New York Magazine recently interviewed McComas for a project called “The Internet Apologizes.” That project has involved interviews with more than a dozen prominent technology figures about “what has gone wrong with the contemporary internet.””
Updates 23rd April 2018
Hacker News: Flaw in LinkedIn AutoFill Plugin Lets Third-Party Sites Steal Your Data. Summarizes Jack Cable’s article LinkedIn AutoFill Exposed Visitor Name, Email to Third-Party Websites.
Updates 21st April 2018
(1) Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law – “The previously unreported move, which Facebook confirmed to Reuters on Tuesday, shows the world’s largest online social network is keen to reduce its exposure to GDPR, which allows European regulators to fine companies for collecting or using personal data without users’ consent.” (HT to Artem Baranov)
(2) Steven Englehardt et al: No boundaries for Facebook data: third-party trackers abuse Facebook Login – “Today we report yet another type of surreptitious data collection by third-party scripts that we discovered: the exfiltration of personal identifiers from websites through “login with Facebook” and other such social login APIs. Specifically, we found two types of vulnerabilities:
- seven third parties abuse websites’ access to Facebook user data
- one third party uses its own Facebook “application” to track users around the web.”
Commentary from The Register: Facebook’s login-to-other-sites service lets scum slurp your stuff – “A security researcher has claimed it’s possible to extract user information from Facebook’s Login service, the tool that lets you sign into third-party sites with a Facebook ID.”
(3) Help Net: Researchers develop algorithm to detect fake users on social networks – “Ben-Gurion University of the Negev and University of Washington researchers have developed a new generic method to detect fake accounts on most types of social networks, including Facebook and Twitter.”
Commentary from The Register: Gang way! Compsci geeks coming through! AI engine can finger fakes on social networks – “Take note Twitter, Facebook et al, it’s really not that hard to weed out bots”
(4) Graham Cluley: Facebook pushes ahead with controversial facial recognition feature in Europe – “Facebook uses facial recognition software to automatically match people in photos your friends upload with the other billions of images on Facebook’s servers in which you might appear.”
(5) Help Net: LocalBlox found leaking info on tens of millions of individuals – “The discovery was made by UpGuard researcher Chris Vickery, who stumbled upon the unsecured Amazon Web Services S3 bucket holding the data, bundled in a single, compressed file. When decompressed, it revealed 48 million records in a format that’s easy for anyone to peruse.”
Here’s the UpGuard blog post.
And commentary from Graham Cluley for Hot for Security: 48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download
(6) Sophos: Facebook: 3 reasons we’re tracking non-users – more light cast into the shadows by the House Energy and Commerce Committee’s questions to Mark Zuckerberg.
(9) Tech Crunch: A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
“Just click accept, ignore those settings”
(10) Brian Krebs: Is Facebook’s Anti-Abuse System Broken?
Updates 17th April 2018
Brian Krebs: Deleted Facebook Cybercrime Groups Had 300,000 Members – “Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups … who flagrantly promoted a host of illicit activities on the social media network’s platform … The average age of these groups on Facebook’s platform was two years.”
Updates 15th April 2018
The Register: Super Cali’s frickin’ whiz kids no longer oppose us: Even though Facebook thought info law was quite atrocious – “Zuck & Co end fight against California’s privacy legislation” Extra points to El Reg for that title, even if it doesn’t scan very well. 🙂
Sophos: Facebook shines a little light on ‘shadow profiles’ (or what Facebook knows about people who haven’t signed up to Facebook).
Also from Sophos: Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society. OPRS is a privacy advocacy and research group aiming to “to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online…”
Updates 12th April 2018
- Roger Thompson: The Privacy Revolution in Action
- Sophos: Congress chews up Zuckerberg, day two: A far more thorough mastication
- Daring Fireball: Regarding Mark Zuckerberg’s Unused Talking Points on Tim Cook and Apple
- The Register: Mark Duckerberg: Second Congressional grilling sees boss dodge questions like a pro – “Zuck shows curious amnesia about his own business”
Updates 11th April 2018
Updates 9th April 2018
- Sadly for Facebook, Sophos is watching. Lisa Vaas counts 5 Facebook facepalms (just last week) – “Your weekly roundup of Facebook news, also known as #SOMUCHPRIVACYSPLATTER!!!”
- CNBC: Facebook suspends another data analytics firm after CNBC discovers it was using tactics like Cambridge Analytica – “CubeYou misleadingly labeled its quizzes “for non-profit academic research,” then shared user information with marketers.”
Updates 8th April 2018
- [April 7th 2018] The Guardian: Christopher Wylie: Why I broke the Facebook data story – and what should happen now – “The whistleblower at the centre of the Cambridge Analytica storm asks if Britain will now address the hard issues which it has raised”
- [April 4th 2018] Daring Fireball quoting New York Times and Washington Post: FACEBOOK SHARPLY INCREASES ESTIMATE OF HOW MANY USERS’ INFORMATION WAS HARVESTED BY CAMBRIDGE ANALYTICA (the Post comment relates to the more recent profile scraping story, but it does tie in).
- [April 6th 2018] Graham Cluley:
Updates 5th-7th April 2018
- [6th April 2018] Zeljka Zorz for Help Net: Malicious actors used Facebook’s own tools to scrape most users’ public info
- Related links:
- [7th April 2018] Chicago Tribune: Facebook hackers could have collected personal data of 2 billion users
- [4th April 2018] Facebook newsroom blog: An Update on Our Plans to Restrict Data Access on Facebook and We’re Making Our Terms and Data Policy Clearer, Without New Rights to Use Your Data on Facebook
- [5th April 2018] Sophos: “Most people on Facebook” have had data scraped by malicious actors
- [6th April 2018] Sophos: Facebook’s new fake news strategy is… decide for yourself! “…the context is going to include the publisher’s Wikipedia entry, related articles … how many times the article has been shared on Facebook…”
Updates 3rd/4th April 2018
- Graham Cluley: Why you might want to tell Facebook you now live in Europe – “(OR JUST DELETE YOUR ACCOUNT) … Facebook CEO and professional hoody-wearer Mark Zuckerberg has told Reuters that it won’t stick to Europe’s new strict data privacy rules globally.” However, an update quotes Zuckerberg as saying subsequently “We intend to make all the same controls and settings available everywhere, not just in Europe. Is it going to be exactly the same format? Probably not.” Make of that what you will…
- The Security Ledger: AggregateIQ Data reveals tools behind pro-Brexit Leave campaigns. Cites Upguard data that “suggested a link between AggregateIQ and the strategy and activity of Cambridge Analytica and its parent company, Strategic Communication Laboratories (SCL).” And also mentions “allegations that the group helped disparate Brexit campaigns coordinate their activities in contravention of UK campaign laws.”
- Sophos: Those Facebook videos you thought were deleted were not deleted – “In this most recent case, the content in question is users’ supposedly deleted videos. Facebook’s blaming a bug for the fact that those videos hung around…Also last week, many were shocked to discover, when they peeked into their archives, that Facebook had been logging call and text data since they downloaded the Facebook app for Android.”
- Sophos: Facebook and Twitter may be forced to identify bots. California has “introduced a bill that would give online platforms such as Facebook and Twitter three days to investigate whether a given account is a bot, to disclose that it’s a bot if it is in fact auto-generated, or to remove the bot outright.”
Update 2nd/3rd April 2018
- [3rd April 2018] John Leyden for The Register: One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools – Chad Loder is quoted as saying “The internet ought to “route around” known privacy abusers, shifting from passive blocking of cookies, host names, and scripts to a more active deception model.” Lots of other useful commentary.
- [2nd April 2018] Facecrooks: Facebook Is Making Its Privacy Settings Easier To Find
Updates 1st April 2018
- Bruce Schneier for CNN: It’s not just Facebook. Thousands of companies are spying on you
- The Register: Facebook reviews defenses as exec pulls foot from mouth – “We didn’t really mean growth matters more than human life”
- Apple: This is how we protect your privacy – “Your personal data should always be protected on your device and never shared without your permission. So we build encryption, on-device intelligence, and other tools into our products to let you share what you want on your terms.”
- Summary from Help Net: Apple puts privacy information screens in users’ line of sight
Updates 31st March 2018
(HT to Mich Kabay for pointing out the Economist articles – NB there’s a limit on how many you can view without subscribing.)
- The Register: Any social media accounts to declare? US wants travelers to tell – “The State Department seeks to expand its social media vetting beyond flagged visa applicants”
- The Economist: To understand digital advertising, study its algorithms – “A Skinner box for software”
- The Economist: The Facebook scandal could change politics as well as the internet – “Even used legitimately, it is a powerful, intrusive political tool”
- The Economist: [What Zuckerberg should do] Facebook faces a reputational meltdown – “This is how it, and the wider industry, should respond”
- Facebook: It’s Time to Make Our Privacy Tools Easier to Find – “We’ll also update our data policy to better spell out what data we collect and how we use it. These updates are about transparency – not about gaining new rights to collect, use, or share data.” Let’s hope so.
- Lisa Vaas for Sophos: Facebook revamps security, privacy settings following huge data scandal – “Facebook says it’s going to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot for users to more easily find and edit whatever data it’s got on them.” And about time too…
Updates 29th March 2018
- Dylan Curran for The Guardian: Are you ready? This is all the data Facebook and Google have on you (Well, it’s all the data they have on him: your mileage may vary, as mine does.)
- Richi Jennings for TechBeacon: Facebook fallout followup: Can you trust BYOD? (As ever, Richi does a good job of curating various ‘bloggy bits’ on the topic: sobering reading…)
- Help Net: Consumers worry that small privacy invasions may lead to a loss of civil rights – commentary on the report What the Internet of Things means for consumer privacy from The Economist Intelligence Unit.
Updates 28th March 2018
- Swati Khandelwal for The Hacker News: Facebook Collected Your Android Call History and SMS Data For Years. Re tweets by Dylan McKay. I love the fact that if you download the data Facebook has from you, it says: “Because this download may contain private information, you should keep it secure and take precautions when storing it, sending it or uploading it to another service.”
- Thomas Claburn for The Register: Political ad campaign biz AggregateIQ exposes tools, DB logins online – “Denies ties to Cambridge Analytica and insists it didn’t knowingly break the law”. The company is said to have played a part in the 2016 US election and also the Brexit campaign.
- Rory Cellan-Jones for the BBC: If I’ve got your number, so has Facebook (includes summary of how to get your data from Facebook).
- CNBC: Palantir worked with Cambridge Analytica on the Facebook data it acquired, whistleblower alleges
- Gizmodo: AggregateIQ Created Cambridge Analytica’s Election Software, and Here’s the Proof
- Mashable: Mozilla releases new Firefox extension to stop Facebook from tracking you
- Cylance: Android Trojans Steal Sensitive Facebook Data
- ZDNet: Data breach exposes Cambridge Analytica’s data mining tools – “The exposed data shows Cambridge Analytica used software developed by Canadian firm AggregateIQ to benefit US campaigns.”
- Sophos: Cambridge Analytica’s secret coding sauce allegedly leaked
- The Register: Fed up with Facebook data slurping? Firefox has a cunning plan – “The Facebook Container add-on quarantines the social network to limit data harvesting”
Updates 26th March 2018
- Paul Wagenseil for Tom’s Guide: Facebook Is Working Like It’s Supposed To (And That’s the Real Scandal)
- Help Net: How Facebook’s data issue is a lesson for everyone
- Rebecca Hill for The Register: You’ll like this: Facebook probed by US watchdog amid privacy storm – “‘Non-public’ FTC investigation a new headache for Zuckerberg”
- Sue Poremba for Security Boulevard: The Facebook Privacy Breach: What It Can Teach Us About Privacy Threats Before GDPR
Updates 23rd March 2018
- For The Register, Rebecca Hill gets a bit snarky, which amused me no end: Cambridge Analytica seeks data protection assistant – “Jobseeker? You may have heard of it…”
- org: Researchers find leaky apps that put privacy at risk (not just a Facebook issue). Refers “to a paper presented by Northeastern associate professor Alan Mislove at the Federal Trade Commission conference PrivacyCon last month,” but, annoyingly, doesn’t include a link.
- John Gruber for Daring Fireball: Sheryl Sandberg and Mark Zuckerberg respond to Cambridge Analytica scandal. As usual, Gruber’s commentary is terse but very much to the point.
- Sophos: New whistleblower says Facebook turned a blind eye to covert data harvesting
- The Register: UK privacy watchdog finally gets Cambridge Analytica search warrant
Updates 22nd March 2018
- For Tech Beacon, Richi Jennings does a good job (as usual) of finding ‘bloggy bits’ relating to the Facebook/Cambridge Analytica mess: No ‘likes’ for Facebook’s API leak, but it’s not a data breach—and not news. And no, the fact that Facebook collects and shares too much information isn’t exactly news. Nor, come to that, the fact that Facebook has itself engaged in some experimental social engineering, though I’m guessing that fewer people are or ever were aware of those particular experiments. I think I’ll probably come back to that…
- A comment to Richi’s announcement of that Tech Beacon article – ironically, on Facebook – brought my attention to this article by Kalev Leetaru for Forbes: The Problem Isn’t Cambridge Analytica: It’s Facebook. The article makes some excellent points. For instance:
- “In 2014 academic researchers at Cornell and Facebook published research in which they had manipulated the emotions of three quarters of a million users … the research had been fully approved by Facebook and Cornell, with ethical review by Cornell’s IRB.” Yes, that’s one of the experiments I was thinking of.
- “A central theme of the rhetoric and coverage of Cambridge Analytica is that it somehow violated accepted societal norms over the use of Facebook data … referring to it in the cybersecurity parlance of a data ‘breach.’ In fact, this could not be further from the truth in our modern ‘surveillance economy.’”
- Taylor Lorenz for The Daily Beast: Mark Zuckerberg Swears He’ll Protect Your Data—Next Time – “The Facebook chief promised users that he would do more to ensure that their online lives weren’t put up for sale. One small problem: that’s kind of Facebook’s business model.”
- Matthew Yglesias, for Vox (that’s the news site, not the music equipment manufacturer), comments on The case against Facebook – “It’s not just about privacy; its core function makes people lonely and sad.” Well, you could argue with that tagline. FB does have a useful function in terms, for instance, of connecting with friends far away. If you keep the Big Picture in mind, you sometimes forget that there are valid reasons why people are prepared to compromise their data by using Facebook (if they think about it at all). Still, there are plenty of very valid points in the article:
- “…according to Craig Silverman’s path-breaking analysis for BuzzFeed, the 20 highest-performing fake news stories of the closing days of the 2016 campaign did better on Facebook than the 20 highest-performing real ones.”
- “By turning news consumption and news discovery into a performative social process, Facebook turns itself into a confirmation bias machine — a machine that can best be fed through deliberate engineering…. Meanwhile, Facebook is destroying the business model for outlets that make real news.”
- Kurt Wismer makes a good point about the get-me-out-of-here trend in The problem with #DeleteFacebook. “…a movement to abandon Facebook is going to open up a lot of opportunities for fraud all at once.” He suggests disabling rather than deleting an account. (Actually, I have a similar strategy regarding LinkedIn: I’m not job-hunting any more, but I don’t want to make misuse of my name too easy.)
- While Brian X. Chen points out for the New York Times: Want to #DeleteFacebook? You Can Try. A few pertinent points here, too:
- “Keep in mind that Facebook isn’t the only company capable of collecting your information. One big culprit: Web trackers, like cookies embedded into websites and their ads. They are everywhere, and they follow your activities from site to site.”
- “…you may be better off tweaking your privacy settings on the site.”
- Help Net Security: Facebook’s trust crisis: Has it harmed democracy? – “Facebook is losing the faith of the American people, according to the Digital Citizens Alliance.”
- Sophos: Mozilla stops Facebook advertising, demands privacy changes
- Mozilla: Mozilla Presses Pause on Facebook Advertising
Updates 21st March 2018
- BBC: Facebook’s Zuckerberg admits mistakes over Cambridge Analytica
- Bleeping Computer:
- Help Net Security: Cambridge Analytica and Facebook’s privacy storm: Latest developments