Security Education Companion
A free resource for digital security educators

Security News

Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.

Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.

What You Need to Know About the Latest WhatsApp Vulnerability

If you are one of WhatsApp’s billion-plus users, you may have read that on Monday the company announced that it had found a vulnerability. This vulnerability allowed an attacker to remotely upload malicious code onto a phone by sending packets of data that look like phone calls from a number not in your contacts list. These repeated calls then cause WhatsApp to crash. This is a particularly scary vulnerability because it does not require that the user pick up the phone, click a link,...

Shareholders Demand To Know How Northrop Grumman Will Protect Human Rights While Building Massive DHS Database

Over the next few years, the Department of Homeland Security (DHS) plans to implement an enormous biometric collection program which will endanger the rights of citizens and foreigners alike. The agency intends to collect at least seven types of biometric identifiers, including face and voice data, DNA, scars, and tattoos, often from questionable sources, and from innocent people.

But DHS isn’t building all of the technology: Northrop Grumman, a defense contractor, won the nearly...

Human Rights Watch Reverse-Engineers Mass Surveillance App Used by Police in Xinjiang

For years, Xinjiang has been a testbed for the Chinese government’s novel digital and physical surveillance tactics, as well as human rights abuses. But there is still a lot that the international human rights community doesn’t know, especially when it comes to post-2016 Xinjiang.

Last Wednesday, Human Rights Watch released a report detailing the inner workings of a mass surveillance app used by police and other officials. The application is used by officials to communicate with...

We Got U.S. Border Officials to Testify Under Oath. Here’s What We Found Out

This is a guest post by Hugh Handeyside, Senior Staff Attorney, ACLU National Security Project, Nathan Freed Wessler, Staff Attorney, ACLU Speech, Privacy, and Technology Project, and Esha Bhandari, Staff Attorney, ACLU Speech, Privacy, and Technology Project. It was originally posted on the ACLU Speak Freely blog.

In September 2017, we, along with the Electronic Frontier Foundation, sued the federal government for its warrantless and suspicionless searches of phones and...

Skip the Surveillance By Opting Out of Face Recognition At Airports

Government agencies and airlines have ignored years of warnings from privacy groups and Senators that using face recognition technology on travelers would massively violate their privacy. Now, the passengers are in revolt as well, and they’re demanding answers.

Last week, a lengthy exchange on Twitter between a traveler who was concerned about her privacy and a spokesperson for the airline JetBlue went viral, and many of the questions asked by the traveler and others were the same...

Google's Sensorvault Can Tell Police Where You've Been

Do you know where you were five years ago? Did you have an Android phone at the time? It turns out Google might know—and it might be telling law enforcement.

In a new article, the New York Times details a little-known technique increasingly used by law enforcement to figure out everyone who might have been within certain geographic areas during specific time periods in the past. The technique relies on detailed location data collected by Google from most Android devices as...

The Ecuadorean Authorities Have No Reason to Detain Free Software Developer Ola Bini

Hours after the ejection of Julian Assange from the London Ecuadorean embassy last week, police officers in Ecuador detained the Swedish citizen and open source developer Ola Bini. They seized him as he prepared to travel from his home in Quito to Japan, claiming that he was attempting to flee the country in the wake of Assange’s arrest. Bini had, in fact, booked the vacation long ago, and had publicly mentioned it on his Twitter account before Assange was arrested.

Ola’s detention...

Facebook Got Caught Phishing For Friends

Once again, Facebook is in the news for bad security practices, dark design patterns, and secretly reappropriating sensitive data meant for “authentication” to its own ends. Incredibly, this time, the company managed to accomplish all three in one fell swoop.

What happened?

Last weekend, news broke that Facebook has been demanding some new users enter their email passwords in order to sign up for an account on the site. First publicized by cybersecurity specialist e-sushi on...

Who Defends Your Data? Report Reveals Peruvian ISPs Progress on User Privacy, Still Room for Improvement

Hiperderecho, the leading digital rights organization in Peru, in collaboration with the Electronic Frontier Foundation, today launched its second ¿Quien Defiende Tus Datos? (Who Defends Your Data?), an evaluation of the privacy practices of the Internet Service Providers (ISPs) that millions of Peruvians use every day. This year's results are more encouraging than those in 2015's report, with Telefonica's Movistar making significant improvement in its privacy policy,...

Here’s Why You Can’t Trust What Cops and Companies Claim About Automated License Plate Readers

Emails Prove ICE Could Access Data from Orange County Shopping Malls, Despite the Companies' Denials

In response to an ACLU report on how law enforcement agencies share information collected by automated license plate readers (ALPRs) with Immigration and Customs Enforcement, officials have been quick to deny and obfuscate, despite documentary evidence obtained directly from ICE itself through a Freedom of Information Act lawsuit.

Let’s be clear: you can’t trust what ALPR...

A Privacy-Focused Facebook? We'll Believe It When We See It.

In his latest announcement, Facebook CEO Mark Zuckerberg embraces privacy and security fundamentals like end-to-end encrypted messaging. But announcing a plan is one thing. Implementing it is entirely another. And for those reading between the lines of Zuckerberg’s pivot-to-privacy manifesto, it’s clear that this isn’t just about privacy. It’s also about competition.

The Proof is in the Pudding

At the core of Zuckerberg’s announcement is Facebook’s plan to merge its three...

Facebook Doubles Down On Misusing Your Phone Number

When we publicly demanded that Facebook stop messing with users’ phone numbers last week, we weren’t expecting the social network to double down quite like this: By default, anyone can use the phone number that a user provides for two-factor authentication (2FA) to find that user’s profile. For people who need 2FA to protect their account and stay safe, Facebook is forcing them into unnecessarily choosing between security and privacy.

While settings are available to choose...

Massive Database Leak Gives Us a Window into China’s Digital Surveillance State

Earlier this month, security researcher Victor Gevers found and disclosed an exposed database live-tracking the locations of about 2.6 million residents of Xinjiang, China, offering a window into what a digital surveillance state looks like in the 21st century.

Xinjiang is China’s largest province, and home to China’s Uighurs, a Turkic minority group. Here, the Chinese government has implemented a testbed police state where an estimated 1 million individuals from these minority...

Fix It Already: Nine Steps That Companies Should Take To Protect You

Today we are announcing Fix It Already, a new way to show companies we're serious about the big security and privacy issues they need to fix. We are demanding fixes for different issues from nine tech companies and platforms, targeting social media companies, operating systems, and enterprise platforms on issues ranging from encryption design to retention policies.

Some of these issues stem from business decisions. Some are security holes. Some are design choices. The common...

Watching the Black Body

[This is a guest post authored by Malkia Cyril, executive director of the Center for Media Justice. It was originally published in The End of Trust (McSweeney's 54)]

In December 2017, FBI agents forced Rakem Balogun and his fifteen-year-old son out of their Dallas home. They arrested Balogun on charges of illegal firearms possession and seized a book called Negroes with Guns. After being denied bail and spending five months in prison, Balogun was released with all charges...

ETS Isn't TLS and You Shouldn't Use It

The good news: TLS 1.3 is available, and the protocol, which powers HTTPS and many other encrypted communications, is better and more secure than its predecessors (including SSL).

The bad news: Thanks to a financial industry group called BITS, there’s a look-alike protocol brewing called ETS (or eTLS) that intentionally disables important security measures in TLS 1.3. If someone suggests that you should deploy ETS instead of TLS 1.3, they are selling you snake oil and you should...

Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else

Update 2019-06-21: DarkMatter has renamed its CA business Digital Trust – Sole Proprietorship L.L.C. (“DigitalTrust”). The criticisms below still apply.

DarkMatter, the notorious cyber-mercenary firm based in the United Arab Emirates, is seeking to become approved as a top-level certificate authority in Mozilla’s root certificate program. Giving such a trusted position to this company would be a very bad idea. DarkMatter has a business interest in subverting encryption, and would...

What’s the Emergency? Keeping International Requests for Law Enforcement Access Secure and Safe for Internet Users

Law enforcement access to data is in the middle of a profound shake-up across the globe. States are pushing to get quicker, deeper, and more invasive access to personal data stored on the global Internet, and are looking to water down the international safeguards around privacy and due process in the name of “speed” and “modernization.”

One part of that push is concentrated on the Council of Europe’s Cybercrime Convention (also known as the “Budapest Convention”) — an international...

Designing Welcome Mats to Invite User Privacy

The way we design user interfaces can have a profound impact on the privacy of a user’s data. It should be easy for users to make choices that protect their data privacy. But all too often, big tech companies instead design their products to manipulate users into surrendering their data privacy. These methods are often called “Dark Patterns.”

When you purchase a new phone, tablet, or “smart” device, you expect to have to set it up with the needed credentials for it to be fully...

Powerful Permissions, Wimpy Warnings: Installing a Root Certificate Should be Scary

More lessons from "Facebook Research"

Last week, Facebook was caught using a sketchy market research app to gobble large amounts of sensitive user activity after instructing users to alter the root certificate store on their phones. A day after, Google pulled a similar iOS “research program” app. Both of these programs are a clear breach of user trust that we have written about extensively.

This news also drew attention to an area both Android and iOS could improve on. Asking...

The San Francisco District Attorney’s 10 Most Surveilled Neighborhoods


With the spread of advanced spying technology, such as social media monitoring and cell-phone tracking, it’s easy to forget...

Google Screenwise: An Unwise Trade of All Your Privacy for Cash

Imagine this: an enormous tech company is tracking what you do on your phone, even when you’re not using any of its services, down to the specific images that you see. It’s also tracking all of your network traffic, because you’re installing one of its specially-designed routers. And even though some of that traffic is encrypted, it can still know what websites you visit, due to how DNS resolution works. Oh, it’s also recording audio from a custom-microphone that’s placed near your...

What We Should Learn From “Facebook Research”

Once again, Facebook has broken the trust of its users—this time, through reportedly paying people to give up their privacy by installing an application that sucks up huge amounts of sensitive data, and explicitly sidestepping Apple's Enterprise Developer program rules. In doing so, the company has repeated several of the privacy-abusive practices that it’s been chastised for before. This underscores just how little the company has learned from a year of user complaints, privacy group...