Security Education Companion
A free resource for digital security educators

Security News

Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.

Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.

A Privacy-Focused Facebook? We'll Believe It When We See It.

In his latest announcement, Facebook CEO Mark Zuckerberg embraces privacy and security fundamentals like end-to-end encrypted messaging. But announcing a plan is one thing. Implementing it is entirely another. And for those reading between the lines of Zuckerberg’s pivot-to-privacy manifesto, it’s clear that this isn’t just about privacy. It’s also about competition.

The Proof is in the Pudding

At the core of Zuckerberg’s announcement is Facebook’s plan to merge its three...

Read More

Facebook Doubles Down On Misusing Your Phone Number

When we publicly demanded that Facebook stop messing with users’ phone numbers last week, we weren’t expecting the social network to double down quite like this: By default, anyone can use the phone number that a user provides for two-factor authentication (2FA) to find that user’s profile. For people who need 2FA to protect their account and stay safe, Facebook is forcing them into unnecessarily choosing between security and privacy.

While settings are available to choose...

Read More

Massive Database Leak Gives Us a Window into China’s Digital Surveillance State

Earlier this month, security researcher Victor Gevers found and disclosed an exposed database live-tracking the locations of about 2.6 million residents of Xinjiang, China, offering a window into what a digital surveillance state looks like in the 21st century.

Xinjiang is China’s largest province, and home to China’s Uighurs, a Turkic minority group. Here, the Chinese government has implemented a testbed police state where an estimated 1 million individuals from these minority...

Read More

Fix It Already: Nine Steps That Companies Should Take To Protect You

Today we are announcing Fix It Already, a new way to show companies we're serious about the big security and privacy issues they need to fix. We are demanding fixes for different issues from nine tech companies and platforms, targeting social media companies, operating systems, and enterprise platforms on issues ranging from encryption design to retention policies.

Some of these issues stem from business decisions. Some are security holes. Some are design choices. The common...

Read More

Watching the Black Body

[This is a guest post authored by Malkia Cyril, executive director of the Center for Media Justice. It was originally published in The End of Trust (McSweeney's 54)]

In December 2017, FBI agents forced Rakem Balogun and his fifteen-year-old son out of their Dallas home. They arrested Balogun on charges of illegal firearms possession and seized a book called Negroes with Guns. After being denied bail and spending five months in prison, Balogun was released with all charges...

Read More

ETS Isn't TLS and You Shouldn't Use It

The good news: TLS 1.3 is available, and the protocol, which powers HTTPS and many other encrypted communications, is better and more secure than its predecessors (including SSL).

The bad news: Thanks to a financial industry group called BITS, there’s a look-alike protocol brewing called ETS (or eTLS) that intentionally disables important security measures in TLS 1.3. If someone suggests that you should deploy ETS instead of TLS 1.3, they are selling you snake oil and you should...

Read More

Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else

DarkMatter, the notorious cyber-mercenary firm based in the United Arab Emirates, is seeking to become approved as a top-level certificate authority in Mozilla’s root certificate program. Giving such a trusted position to this company would be a very bad idea. DarkMatter has a business interest in subverting encryption, and would be able to potentially decrypt any HTTPS traffic they intercepted. One of the things HTTPS is good at is protecting your private communications from snooping...

Read More

What’s the Emergency? Keeping International Requests for Law Enforcement Access Secure and Safe for Internet Users

Law enforcement access to data is in the middle of a profound shake-up across the globe. States are pushing to get quicker, deeper, and more invasive access to personal data stored on the global Internet, and are looking to water down the international safeguards around privacy and due process in the name of “speed” and “modernization.”

One part of that push is concentrated on the Council of Europe’s Cybercrime Convention (also known as the “Budapest Convention”) — an international...

Read More

Designing Welcome Mats to Invite User Privacy

The way we design user interfaces can have a profound impact on the privacy of a user’s data. It should be easy for users to make choices that protect their data privacy. But all too often, big tech companies instead design their products to manipulate users into surrendering their data privacy. These methods are often called “Dark Patterns.”

When you purchase a new phone, tablet, or “smart” device, you expect to have to set it up with the needed credentials for it to be fully...

Read More

Powerful Permissions, Wimpy Warnings: Installing a Root Certificate Should be Scary

More lessons from "Facebook Research"

Last week, Facebook was caught using a sketchy market research app to gobble large amounts of sensitive user activity after instructing users to alter the root certificate store on their phones. A day after, Google pulled a similar iOS “research program” app. Both of these programs are a clear breach of user trust that we have written about extensively.

This news also drew attention to an area both Android and iOS could improve on. Asking...

Read More

The San Francisco District Attorney’s 10 Most Surveilled Neighborhoods

With the spread of advanced spying technology, such as social media monitoring and cell-phone tracking, it’s easy to forget...

Read More

Google Screenwise: An Unwise Trade of All Your Privacy for Cash

Imagine this: an enormous tech company is tracking what you do on your phone, even when you’re not using any of its services, down to the specific images that you see. It’s also tracking all of your network traffic, because you’re installing one of its specially-designed routers. And even though some of that traffic is encrypted, it can still know what websites you visit, due to how DNS resolution works. Oh, it’s also recording audio from a custom microphone that’s placed near your...

Read More

What We Should Learn From “Facebook Research”

Once again, Facebook has broken the trust of its users—this time, through reportedly paying people to give up their privacy by installing an application that sucks up huge amounts of sensitive data, and explicitly sidestepping Apple's Enterprise Developer program rules. In doing so, the company has repeated several of the privacy-abusive practices that it’s been chastised for before. This underscores just how little the company has learned from a year of user complaints, privacy group...

Read More

A Surveillance Wall Is Not a Good Alternative to a Concrete Wall

Since even before he took office, President Trump has called for a physical wall along the southern border of the United States. Many different organizations have argued this isn’t a great idea. In response, some Congressional Democrats have suggested turning to surveillance technology to monitor the border instead of a physical barrier.

Without specific legislative proposals, it’s hard to know what these suggestions actually mean. However, any bill Congress considers related to...

Read More

The 5G Protocol May Still Be Vulnerable to IMSI Catchers

It’s hard to talk about the vulnerabilities in cellular technology without increasing the amount of fear, uncertainty, and doubt. There is already much uncertainty around cell-site simulators (CSS, aka Stingrays), their capabilities, and how widely they are used. Partly this is because of the veil of secrecy that has surrounded the workings of commercial cell-site simulators thanks to the widespread use of non-disclosure agreements by the manufacturing companies like Rayzone and Harris...

Read More

A Guided Tour of the Data Facebook Uses to Target Ads

Last week, Pew released the results of a survey investigating how users understand Facebook’s data collection practices and how they react when shown what the platform thinks it knows about them. The upshot is that 74% of users weren’t aware that Facebook assembles lists of their interests and traits. 88% of respondents were assigned “categories” for advertising, which could include racial or ethnic “affinities” and political leanings. 58% of those users were “not comfortable” with the...

Read More

Detecting Ghosts By Reverse Engineering: Who Ya Gonna Call?

This article was first published on Lawfare.

The most recent purportedly serious proposal by a Western government to force technology companies to provide access to the content of encrypted communications comes from Ian Levy and Crispin Robinson of the Government Communications Headquarters, or GCHQ, the U.K.’s equivalent of the National Security Agency. Cryptography luminaries such as Susan Landau, Matt Green, and Bruce Schneier have published detailed critiques of this...

Read More

(Don't) Return to Sender: How to Protect Yourself From Email Tracking

Tracking is everywhere on the Internet. Over the past year, a drumbeat of tech-industry scandals has acclimated users to the sheer number of ways that personal information can be collected and leaked. As a result, it might not come as a surprise to learn that emails, too, can be vectors for tracking. Email senders can monitor who opens which emails, when, and what device they use to do it. If you work for a business or a non-profit that sends mass emails, maybe you’ve used tools to...

Read More

From Encrypting the Web to Encrypting the Net: A Technical Deep Dive on Using Certbot to Secure your Mailserver

We’ve come a long way since we launched Encrypt the Web, our initiative to onboard the World Wide Web to HTTPS. Not only has Let’s Encrypt issued over 380 million certificates, but also nearly 85% of page loads in the United States are over HTTPS, and both figures are still on an upward trajectory.

However, TLS, the technology that helps to secure HTTP connections, can and should be used to protect all Internet communications—not just the HTTP protocol used to fetch webpages....

Read More

Data Privacy Scandals and Public Policy Picking Up Speed: 2018 in Review

2018 may be remembered as the Year of the Facebook Scandal, and rightly so. The Cambridge Analytica fiasco, Mark Zuckerberg’s congressional testimony, a massive hack, and revelations of corporate smear campaigns were only the tip of the iceberg. But many more companies mishandled consumer privacy in 2018, too. From the Strava heatmap exposing military locations in January to the gigantic Marriott hack discovered in November, companies across Silicon Valley and beyond made big mistakes with...

Read More

Where Governments Hack Their Own People and People Fight Back: 2018 in Review

Throughout 2018, new surveillance practices continued to erode the privacy of people in Latin America. Yet local and regional digital rights organizations continue to push back with strategic litigation, journalists and security researchers investigate to shed light on government use of malware, and local activists work tirelessly to fight overarching surveillance laws and practices across the region.

Brazil: Secretly Tracking 600,000 Subway Riders

In a win for privacy, the...

Read More

From Encrypting the Web to Encrypting the Net: 2018 Year in Review

We saw 2017 tip the scales for HTTPS. In 2018, web encryption continues to improve. EFF has begun to shift its focus towards email security, and the security community is shifting its focus towards further hardening TLS, the protocol that drives encryption on the Internet.

By default, all Internet traffic is unencrypted and subject to tampering, including HTTP. A technology called TLS (Transport Layer Security) can provide authenticated encryption and message integrity so no one...

Read More

Pushing Back Against Backdoors: 2018 Year in Review

This wasn’t a great year for those of us whose job it is to defend the use of encryption.

In the United States, we heard law enforcement officials go on about the same “going dark” problem they’ve been citing since the late 90s, but even after all these years, they still can’t get basic facts straight. The National Academy of Sciences was entirely (and unsurprisingly) unhelpful. And in the courts, there was at least some action surrounding encryption, but we don’t know exactly...

Read More