Privacy


China has recently introduced new restrictions on the use of Virtual Private Networks (VPNs), requiring VPN providers to register with the Chinese Government. VPNs are very popular in China as a means of getting around the Government’s internet monitoring and censorship programme, known euphemistically as the “Great Firewall of China”. Given that VPNs can defeat state censorship, it is not surprising that the Chinese government has begun a clamp-down on their use. The monitoring-evading capability of VPNs is something the UK Government may have to face in the near future following the introduction of the Investigatory Powers Act (IP Act) and the Digital Economy Act (DE Act). Both of these will drive increased use of VPNs in the UK. In the case of the IP Act, VPNs are likely to be employed by internet users to […]

What Chance a UK Ban on VPNs?


The creepy extent to which folk at GCHQ have been monitoring and spying on all web users has been revealed in leaked documents on operation ‘Karma Police’. The documents, published by The Intercept, show that the UK government’s listening service GCHQ was building a “web browsing profile for every visible user on the internet”. James Baker, NO2ID Campaigns Manager, said: “Sensitive metadata can be used to build up a profile of the websites you visit. If you’ve ever sought marriage guidance, googled medical conditions or viewed pornography then chances are this programme will have used that information to build up a profile about you. This is out of control surveillance which demonstrates that, more than ever, we need independent judicial oversight of government surveillance powers.” These surveillance powers are a typical example of a database state, which is the term we use to describe the tendency of governments to […]

GCHQ surveillance powers – less ‘Karma Police’ and more ‘Creep’


The BBC news website reports that more than 11 million passwords stolen in the Ashley Madison website hack have been decoded by a password cracking group. Initially it was thought that the hacked passwords were effectively unbreakable because they had been hashed with bcrypt, a deliberately slow, salted hashing scheme that makes guessing passwords at scale impractical. However, an amateur password cracking group called Cynosure Prime discovered that the site had at some point changed the way passwords were stored, which reduced the strength of the bcrypt protection. As a result the group have been able to crack 11 million of the passwords stored since the change was made. Exactly why Ashley Madison changed the way passwords were stored is not known, but it is speculated that it was done to make accessing the site easier. A previous Newsblog post highlighted that it is often the case that the reputational and financial impact on companies from […]

Flaws found in Ashley Madison password protection
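The excerpt above says bcrypt was thought to make the hashes unbreakable and that a change in storage reduced that protection, without saying how. The following Python is an added illustration, not the BBC’s reporting or Ashley Madison’s code, of what a slow, salted hash buys and what is lost once the same passwords are also kept under a fast, unsalted hash. Python’s standard library has no bcrypt, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for it; the accounts and wordlist are constructed.

```python
"""Added illustration (not the BBC's or Ashley Madison's code): what bcrypt-style
hashing buys, and what is lost when the same passwords also exist under a fast,
unsalted hash. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256
with a high iteration count stands in for it here. All users and passwords
below are constructed."""
import hashlib
import os
import time

# Constructed accounts; used only to populate the two stores.
USERS = {"alice": "sunshine1", "bob": "letmein", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist; carol's password is deliberately not in it.
DICTIONARY = ["123456", "password", "letmein", "sunshine1", "qwerty"]

SLOW_ITERATIONS = 100_000  # work factor of the slow scheme (bcrypt cost analogue)


def slow_hash(password: str, salt: bytes) -> bytes:
    """bcrypt stand-in: per-user salt and a deliberately expensive derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def fast_hash(password: str) -> str:
    """A cheap, unsalted hash: the kind of secondary storage that undoes bcrypt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_slow_store(users):
    """{user: (salt, digest)} as a bcrypt-protected table would hold it."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, slow_hash(password, salt))
    return store


def build_fast_store(users):
    """{user: digest} with no salt, so equal passwords give equal digests."""
    return {user: fast_hash(password) for user, password in users.items()}


def crack_slow(store, dictionary):
    """Each account has its own salt, so every guess is re-derived per account
    at full cost. Returns (cracked, number_of_derivations)."""
    cracked, derivations = {}, 0
    for user, (salt, digest) in store.items():
        for guess in dictionary:
            derivations += 1
            if slow_hash(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked, derivations


def crack_fast(store, dictionary):
    """No salt: hash the wordlist once, then every account is a table lookup.
    Returns (cracked, number_of_hashes); the work does not grow with accounts."""
    table = {fast_hash(guess): guess for guess in dictionary}
    cracked = {user: table[digest] for user, digest in store.items() if digest in table}
    return cracked, len(dictionary)


def compare(users=USERS, dictionary=DICTIONARY):
    """Run both attacks and report what each recovered and how long it took."""
    slow_store, fast_store = build_slow_store(users), build_fast_store(users)
    t0 = time.perf_counter()
    slow_found, slow_work = crack_slow(slow_store, dictionary)
    t1 = time.perf_counter()
    fast_found, fast_work = crack_fast(fast_store, dictionary)
    t2 = time.perf_counter()
    return {
        "slow_found": slow_found, "slow_work": slow_work, "slow_seconds": t1 - t0,
        "fast_found": fast_found, "fast_work": fast_work, "fast_seconds": t2 - t1,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both attacks recover the same two weak passwords; the difference is cost. The salted, slow store forces twelve full derivations for three accounts, and the number grows with every account and every guess, whereas the unsalted store is cracked with five hashes however many accounts there are. Once a cheap hash of the password exists anywhere, the bcrypt table no longer has to be attacked at all.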



Anna Hodgekiss reports on the Mail Online that a sexual health clinic in London’s Soho has revealed the names of up to 780 HIV-positive patients in an e-mail error. The error involved patients who had signed up to the clinic’s Option E service, and occurred when a monthly newsletter was sent out using an open group circulation list, so that every recipient could see every other address, rather than as a blind copy. The clinic tried to recall the message using Microsoft Outlook’s recall function, which in general only succeeds for recipients in the same Exchange organisation who have not yet opened the message, and then sent another e-mail apologising for the error and asking recipients to delete the message. Comment from the Newsblog Editor: A mistake like this is easy to make in an e-mail client such as Microsoft Outlook, where a distribution list can be dropped into the wrong field and sent out as a CC (carbon copy) visible to all recipients, rather than as a […]

Hundreds of HIV-positive patients have their identities revealed in e-mail ...
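The editor’s point is that the difference between a safe newsletter and a data breach is which header field the list lands in. The Python below is an added example, not the clinic’s or Microsoft’s code, showing the safe addressing (list in Bcc, sender as the only visible recipient), a pre-send check that refuses any message with a list in To or Cc, and what actually leaves for the mail server. The addresses are constructed.

```python
"""Added example (not the clinic's or Microsoft's code): how to address a mass
mailing so that no recipient can see the others, and a pre-send check that
refuses any message putting a list in a visible field. Addresses are constructed."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed subscriber list; a real one comes from a database, not a pasted column.
SUBSCRIBERS = [f"patient{i}@example.org" for i in range(1, 6)]
SENDER = "newsletter@clinic.example.org"
MAX_VISIBLE_RECIPIENTS = 1  # more than this in To/Cc is treated as a list leak


class RecipientExposure(ValueError):
    """Raised when a message would reveal other recipients' addresses."""


def _addresses(msg, *fields):
    """Bare addresses found in the named header fields."""
    headers = []
    for field in fields:
        headers.extend(msg.get_all(field, []))
    return [addr for _, addr in getaddresses(headers)]


def visible_recipients(msg):
    """Addresses every recipient can read: everything in To and Cc."""
    return _addresses(msg, "To", "Cc")


def check_before_send(msg):
    """Gate to run before handing a message to SMTP."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        raise RecipientExposure(
            f"{len(visible)} addresses would be visible to every recipient; use Bcc")
    return visible


def build_newsletter(recipients, subject, body, mode="bcc"):
    """mode='bcc' is the safe form; mode='cc' reproduces the mistake."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER  # the only visible recipient is the sender itself
    msg["Subject"] = subject
    msg.set_content(body)
    if mode == "bcc":
        msg["Bcc"] = ", ".join(recipients)
    elif mode == "cc":
        msg["Cc"] = ", ".join(recipients)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return msg


def smtp_envelope(msg):
    """What actually leaves: Bcc addresses appear only in the SMTP RCPT TO list,
    and the Bcc header is stripped from the bytes (smtplib.send_message does the
    same). Returns (rcpt_to, wire_bytes)."""
    rcpt_to = _addresses(msg, "To", "Cc", "Bcc")
    wire = copy.copy(msg)   # Message.__delitem__ rebuilds the header list,
    del wire["Bcc"]         # so the caller's message is left untouched
    return rcpt_to, bytes(wire)
```

The check is deliberately crude: one visible address is the sender, anything more is a list. Run it in whatever sends the mail rather than relying on the person composing it, since the error described above is a drag-and-drop slip that no amount of care reliably prevents.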


In a very interesting article on the Slate website Kevin Bankston highlights that, despite claims by some law enforcement officials that encryption is a tool that will allow criminals to evade justice, the use of strong encryption actually helps to reduce crime. Bankston points out that although criminals will make use of encryption to shield their activities, the technology will overall prevent millions of crimes. For example smartphone theft is at epidemic proportions, with millions stolen annually, often in robberies, which are by definition violent crimes. Strong encryption, however, blocks criminals from using the commonly available tools to unlock a stolen smartphone, rendering it useless to them. The article also highlights that criminals are increasingly interested not just in the phone but also in the personal and other data held on it, which can, for example, allow them to commit […]

Smartphone encryption will help cops more than it hurts them


The Electronic Frontier Foundation (EFF) has released a browser plug-in called Privacy Badger that blocks tracking cookies and spying adverts which ignore the Do Not Track setting in browsers. Privacy Badger is not an ad blocker: adverts that do not contain tracking functionality, or whose servers respect Do Not Track, are not blocked. It decides what to block by observing third-party domains that follow the same user across multiple unrelated sites, rather than from a fixed blacklist. Privacy Badger also offers some protection against browser fingerprinting (see Panopticlick) by blocking third-party domains that use the technique, although it is not totally effective against what is a very sophisticated and subtle form of tracking. The plug-in is currently available for Chrome and Firefox and can be found and downloaded here.

EFF Release Privacy Badger Browser Plug-in to Stop Online Tracking



Darren Pauli reports on The Register website that security researchers have discovered that the HTC One Max phone stored users’ fingerprints as clear text in a “world readable” folder, that is, one that any other app on the device could read regardless of Android’s per-app sandbox. The Samsung Galaxy S5 was found to have similar vulnerabilities. The findings were presented at the Black Hat security conference in Las Vegas earlier this month and were one of four scenarios in which biometric data on an Android phone could be reached by attackers. In another, they showed how attackers could have a money transfer authenticated by getting the user to scan a fingerprint on a fake login screen, ostensibly to unlock the device. A link to the original research paper can be found here.

HTC Phone Stored Fingerprints as Clear Text
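The flaw above is a file-permission one: the sensor data was written where the “other” read bit was set, so the OS sandbox between apps did not apply. The Python below is an added example, not HTC’s, Samsung’s or the researchers’ code, that scans a tree for world-readable files and shows the right way to write a secret, with the restrictive mode set at creation rather than by a later chmod. It runs against a temporary directory; the file names are constructed.

```python
"""Added example (not HTC's, Samsung's or the researchers' code): find files on
a filesystem that any other user, and therefore any other app on an Android
device, can read, and write a secret so that only its owner can. Runs against
a temporary directory here; the file names are constructed."""
import os
import stat
import tempfile


def is_world_readable(path):
    """True if the 'other' read bit is set, whatever the owner or group."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_world_readable(root):
    """Paths under root (relative) that any process on the system can read."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_world_readable(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def write_private(path, data):
    """Create the file with mode 0600 at open time. Writing first and chmod-ing
    afterwards leaves a window in which the data is readable. Returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Two constructed files: one stored the way the article describes, one not."""
    root = tempfile.mkdtemp(prefix="biometric-demo-")
    careless = os.path.join(root, "fingerprint_raw.bin")
    with open(careless, "wb") as handle:      # default mode, typically 0644
        handle.write(b"\x00" * 64)            # constructed stand-in for sensor data
    os.chmod(careless, 0o644)                 # make the outcome umask-independent
    careful = os.path.join(root, "fingerprint_template.bin")
    private_mode = write_private(careful, b"\x00" * 64)
    return {
        "root": root,
        "world_readable": find_world_readable(root),
        "private_path": careful,
        "private_mode": private_mode,
    }


if __name__ == "__main__":
    print(demo())
```

The scan is the check a reviewer would run over an app’s data directory; the raw file is the only hit. Storing the template with 0600 is necessary but not sufficient, since a process running as the same user (or as root) still reads it; the stronger fix is to keep biometric material out of the ordinary filesystem altogether, which is outside what this example shows.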


Mark Stockley reports on the Sophos Naked Security website that the HTML5 Battery Status API (Application Programming Interface) on mobile phones can be used to track the phone’s user. The technique, described in a recently released paper, relies on the fact that browsers such as Chrome, Firefox and Opera will hand battery status to any website that asks for it, without asking the user’s permission. The information given up is a set of values describing the battery’s charge level and its estimated time to charge or discharge. It is very unlikely that two users will report the same combination of values within a short time frame, so together they act as a unique identifier for the device. These battery values are usually short-lived; however, they can last long enough to allow a tracking site to respawn deleted cookies and defeat incognito modes. Currently the only browser that offers protection against battery tracking is the Tor browser […]

How your Battery Life could be used as an Undeletable ...
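The mechanism above (a few readings that together are near-unique for a short window) is easy to see in code. The Python below is an added example, not the paper’s or any browser’s code. It models the three values a page receives from the JavaScript API (level, chargingTime, dischargingTime), shows how a tracker re-attaches a deleted cookie to a cookieless visit that reports the same readings, and how coarsening the readings breaks the link. The tracker log is constructed, and the coarsening rule is this example’s assumption, not a description of what Tor Browser actually does.

```python
"""Added example (not the paper's or any browser's code): how the readings the
Battery Status API returns to a page (in JavaScript, navigator.getBattery():
level, chargingTime, dischargingTime) combine into a temporary identifier that
re-links a visit after cookies are cleared, and how coarsening the readings
breaks the link. The tracker log is constructed; the coarsening rule is this
example's assumption, not Tor Browser's actual behaviour."""
import random


def battery_id(level, charging_time, discharging_time):
    """Raw readings, exactly as a page receives them, joined into one key."""
    return f"{level:.6f}|{charging_time}|{discharging_time}"


def coarse_battery_id(level, charging_time, discharging_time):
    """Mitigation assumed here: level rounded to 0.1, timing estimates withheld."""
    return f"{round(level, 1):.1f}|-|-"


def link_visits(visits, key):
    """Group log entries by key; entries sharing a key look like one device."""
    groups = {}
    for index, visit in enumerate(visits):
        k = key(visit["level"], visit["charging_time"], visit["discharging_time"])
        groups.setdefault(k, []).append(index)
    return groups


def respawn_cookies(visits, key):
    """If a cookieless visit shares a key with exactly one known cookie, the
    tracker re-attaches that cookie. Returns {visit_index: recovered_cookie}."""
    recovered = {}
    for indices in link_visits(visits, key).values():
        known = {visits[i]["cookie"] for i in indices if visits[i]["cookie"]}
        if len(known) != 1:
            continue  # nothing to recover, or too many candidate devices
        (cookie,) = known
        for i in indices:
            if visits[i]["cookie"] is None:
                recovered[i] = cookie
    return recovered


def other_devices(count, seed=7):
    """Constructed background traffic from unrelated phones."""
    rng = random.Random(seed)
    visits = []
    for n in range(count):
        charging = rng.random() < 0.3
        visits.append({
            "cookie": f"c{n}",
            "level": round(rng.random(), 4),
            "charging_time": rng.randrange(60, 7200) if charging else float("inf"),
            "discharging_time": float("inf") if charging else rng.randrange(600, 36000),
        })
    return visits


# Constructed tracker log. Entry 0: a normal visit carrying cookie "abc".
# Entry 1: the same phone 20 s later in a private window, so no cookie, but
# the readings have not changed yet. The rest are other devices.
SAME_PHONE = {"level": 0.427813, "charging_time": float("inf"), "discharging_time": 8143}
VISITS = [dict(SAME_PHONE, cookie="abc"), dict(SAME_PHONE, cookie=None)] + other_devices(300)


if __name__ == "__main__":
    print("raw readings:   ", respawn_cookies(VISITS, battery_id))
    print("coarse readings:", respawn_cookies(VISITS, coarse_battery_id))
```

With the raw readings the cookieless visit is unambiguously the phone that carried “abc”, so the tracker simply sets that cookie again. With level rounded to a tenth and the timing estimates withheld there are at most eleven possible keys, the same bucket holds dozens of unrelated devices, and the re-identification fails. The window is short because the readings drift within minutes, which is why this works as a cookie-respawning trick rather than a long-term identifier.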


Sally Adee discusses in an article in New Scientist magazine whether it is possible to permanently delete a social media profile. The article highlights the situation with the recently hacked Ashley Madison website (an adultery website), which guaranteed to remove all of a member’s data upon payment of a £15 fee. However, the hack has revealed that, because of financial auditing requirements, credit card details and the name used to pay for the deletion were retained, which obviously defeats the point of paying to have one’s records removed. Many sites such as Facebook have ambiguous policies on what data is actually deleted after a user deletes their account. This is compounded by the fact that deleting digital records is not as straightforward as it seems, as account information may be held in multiple data centres distributed across the world. The problem with […]

Is it Possible to Permanently Delete a Social Media Profile?



In a landmark case two MPs, David Davis and Tom Watson, have won a High Court judgement that the Data Retention and Investigatory Powers Act (DRIPA) is incompatible with human rights (see this BBC News article here). Legislation is normally subject to significant Parliamentary scrutiny, but the MPs argued that because DRIPA was rushed through in days there was no time for proper scrutiny, hence the unusual step of seeking judicial review. The MPs argued before the court that DRIPA was incompatible with the right to a private and family life, and with data protection, under both the Human Rights Act and the European Union Charter of Fundamental Rights, an argument the court accepted. The court ruled that the unlawful sections of DRIPA can stay in force until the end of March 2016 to allow time for the government to compose new […]

MPs Win Surveillance Powers Legal Challenge, but Government to Appeal


A recent article in The Independent by Andrew Griffin highlights that Facebook is almost certainly tracking people who use its rainbow picture tool, which lets users tint their profile picture in rainbow colours in support of same-sex marriage. Many users of the tool are probably unaware that they are providing Facebook with demographic data that could be used to target advertising or be supplied to third parties, just as many are unaware that Facebook’s “pay with data” business model means that all information provided to the site may potentially be used for commercial purposes. Although Facebook has stated that the information gathered by the tool will not be used for serving advertising, the site is notorious for its ever-changing privacy model, so the assurance probably needs to be taken with a pinch of salt. Interestingly, social scientists have already […]

Facebook Could Use Rainbow Profile Pictures to Profile Users


Julian De Vries reports on The Nation website that in the US it is possible to be prosecuted for deleting browser history or other electronic records, even when the individual has no idea they are under any sort of investigation. The problem lies with the Sarbanes-Oxley Act, which was enacted in the wake of the Enron scandal to stop corporations under investigation from shredding or destroying incriminating documents. However, prosecutors have broadened its application to situations well beyond its original aims. One reason this has been possible is that prosecutors do not have to show that the individual deleting material was aware an investigation was under way. As a result anybody who deletes electronic records such as browser history or text messages, even innocently, could be prosecuted for doing so years later. The scenario is not a hypothetical one […]

In the US You Can Be Prosecuted for Clearing Your ...



Ryan Whitwam reports on the ExtremeTech website that researchers have found a way to track Android phones by studying their power use over time. The technique works on the principle that the further a phone is from a base station, the more power its radio uses to maintain the connection, so power draw varies with location. The researchers called their proof-of-concept application PowerSpy. Before it can be used, a power map of an area has to be built so that PowerSpy knows what power consumption to expect at each location. Although making a call or using apps also drains power, PowerSpy’s algorithm monitors power use over several minutes so that battery usage not associated with location can be filtered out.

Battery Power Alone Can be Used to Track Android Phones
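The article describes three steps: record a power map of candidate routes, capture a later power trace, and filter out short bursts from calls and apps before matching. The Python below is an added, deliberately simplified illustration of that idea, not the researchers’ code or their actual algorithm (which the excerpt does not describe): a median filter removes short spikes, and the cleaned trace is matched to the closest route in the map by mean squared distance. All power figures and routes are constructed.

```python
"""Added illustration of the PowerSpy idea as the article describes it: a power
map of candidate routes is recorded first, then a later power trace is cleaned
of short app/call spikes and matched to the closest route. Simplified by this
example; not the researchers' code or their actual algorithm. All power figures
(nominally mW, one sample per 10 s) and routes are constructed."""
import random
import statistics

# Constructed power map: expected radio power draw along three routes through
# the mapped area. Higher values mean a weaker signal (further from the mast).
POWER_MAP = {
    "route_A": [210, 230, 260, 300, 340, 360, 330, 290, 250, 220, 200, 190],
    "route_B": [190, 185, 200, 240, 310, 380, 410, 390, 330, 260, 210, 200],
    "route_C": [300, 320, 310, 280, 250, 230, 220, 240, 270, 300, 330, 350],
}


def despike(trace, window=3):
    """Median filter: a call or app burst lasting a sample or two is replaced by
    the median of its neighbourhood; the slow, location-driven trend survives."""
    half = window // 2
    cleaned = []
    for i in range(len(trace)):
        lo, hi = max(0, i - half), min(len(trace), i + half + 1)
        cleaned.append(statistics.median(trace[lo:hi]))
    return cleaned


def distance(a, b):
    """Mean squared difference between two equal-length traces."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def locate(trace, power_map):
    """Return (best_route, {route: score}) for an observed trace."""
    cleaned = despike(trace)
    scores = {route: distance(cleaned, ref) for route, ref in power_map.items()}
    return min(scores, key=scores.get), scores


def simulate_trip(route, seed=1, spikes=((4, 900), (9, 700))):
    """Constructed observation: map value + sensor noise + two app/call bursts
    (sample index, extra power) that have nothing to do with location."""
    rng = random.Random(seed)
    trace = [value + rng.uniform(-15, 15) for value in POWER_MAP[route]]
    for index, extra in spikes:
        trace[index] += extra
    return trace


if __name__ == "__main__":
    for route in POWER_MAP:
        guess, scores = locate(simulate_trip(route), POWER_MAP)
        print(f"{route}: matched {guess}  scores={ {k: round(v) for k, v in scores.items()} }")
```

The two bursts would dominate a naive comparison; after the median filter each route’s own trip is by far the closest match. The real attack needs a much denser map, handles many more confounders and runs over a longer window, but the structure, map first and then filter-and-match, is what makes a permission-less power reading into a location signal.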


Benny Evangelista and Peter Fimrite report on the SFGATE website that a bill is to be put forward in the California Assembly to force smart TV makers to give customers the ability to opt out of features that could monitor their conversations. The bill is being put forward by Assemblyman Mike Gatto, who amongst other things is concerned that smart TVs can be turned into tools that determine what kind of adverts viewers see. Gatto said: “It’s not just that you could be sent bankruptcy ads after you talk with your wife about financial problems while watching television, it’s what happens if someone hacks it.” He also highlights the privacy issues if a smart TV is listening in a room where a couple are getting intimate. “Those sounds, if you had your voice recognition on, is what would be included,” Gatto said. “That’s what’s disturbing about this.” […]

Bill seeks ban on Smart Televisions becoming ‘Big Brother’


Alex Matthews-King reports in Pulse that the NHS is overriding 700,000 patient opt-outs from GP data sharing. The Health and Social Care Information Centre (HSCIC) has said that 700,000 patients registered an objection to their identifiable information being passed from the HSCIC to third parties before the aborted roll-out of care.data in March 2014. However, it has admitted that it does not currently have the resources to deal with this volume of objections, so it has not been possible to implement the patient opt-outs. Dr Beth McCarron-Nash, who leads on care.data for the General Practitioners Committee, told Pulse: ‘Obviously, if there are technical difficulties that HSCIC are experiencing, they must be resolved, and it is their responsibility to make sure patients are protected. But basically it’s a mess.’

NHS overriding 700,000 patient opt-outs