Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.
Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.
For years, EFF has commended companies who make cloud applications that encrypt data in transit. But soon, the new gold standard for cloud application encryption will be the cloud provider never having access to the user’s data—not even while performing computations on it.
Microsoft has become the first major cloud provider to offer developers the ability to build their applications on top of Intel’s Software Guard Extensions (SGX) technology, making Azure “the first SGX-capable...
When iOS 11 is released to the public next week, it will bring a new feature with big benefits for user security. Last month, some vigilant Twitter users using the iOS 11 public beta discovered a new way to quickly disable Touch ID by just tapping the power button five times. This is good news for users, particularly those who may be in unpredictable situations with physical security concerns that change over time.
The newly uncovered feature is simple. Tapping an iPhone power...
Last week's unanimous judgment by the Supreme Court of India (SCI) in Justice K.S. Puttaswamy (Retd) vs Union of India is a resounding victory for privacy. The ruling is the outcome of a petition challenging the constitutional validity of the Indian biometric identity scheme Aadhaar. The judgment's ringing endorsement of the right to privacy as a fundamental right marks a watershed moment in the constitutional history of India. The one-page order signed by all nine judges declares:...
Twitter recently abandoned their longstanding support for the Do Not Track (DNT) signal, disregarding the privacy preferences of millions of their users. Twitter can see when you visit other sites where its code is present through Tweet/Follow buttons and embedded tweets (like tweets you see quoted in a forum or an article). Embedded Twitter content is so widespread that Twitter can likely reconstruct a significant portion of your browsing history. Twitter's rejection of DNT leaves users’...
This weekend Apple took a dispiriting step in the policing of its Chinese mainland App store: the company removed several Virtual Private Network (VPN) applications that allowed users to circumvent China’s extensive internet censorship apparatus. In effect, the company has once again aided the Chinese government in its censorship campaign against its own citizens.
A commercial VPN is a private service that offers to securely relay your internet communications via their own...
Many people crossing the U.S. border are concerned about the amount of power that the government has asserted to search and examine travelers’ possessions, including searching through or copying contents of digital devices, like photos, emails, and browsing history. The frequency of these intrusive practices has been increasing over time.
Some travelers might choose to delete everything on a particular device or disk to ensure that border agents...
The detention of a group of human rights defenders in Turkey for daring to learn about digital security and encryption continued last week with a brief appearance of the accused in an Istanbul court. Six were returned to jail, and four released on bail. In an additionally absurd twist, the four released activists were named in new detention orders on Friday, and are now being re-arrested.
Among those currently being held in jail are Ali Gharavi and Peter Steudtner, digital security...
Turkish police officers in plainclothes yesterday raided a digital security training meeting on the island of Büyükada in Istanbul, seizing equipment and detaining ten attendees, including Idil Eser, the director of Amnesty International Turkey. The human rights defenders are still being held in separate detention centers, and were denied access to lawyers and the press for over 24 hours.
Amnesty's Turkey researcher reports that Eser faces at least seven days pre-trial detention...
This week, the political heads of the intelligence services of Canada, New Zealand, Australia, the United Kingdom, and the United States (the "Five Eyes" alliance) met in Ottawa. The Australian delegation entered the meeting saying publicly that they intended to "thwart the encryption of terrorist messaging." The final communiqué states more diplomatically that "Ministers and Attorneys General [...] noted that encryption can severely undermine public safety efforts by impeding lawful...
Several journalists and experts have recently focused on the fact that a scanned document published by The Intercept contained tiny yellow dots produced by a Xerox DocuColor printer. Those dots allow the document's origin and date of printing to be ascertained, which could have played a role in the arrest of Reality Leigh Winner, accused of leaking the document. EFF has previously researched this tracking technology at some length; our work on it has helped bring it to public...
Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral therapy for HIV/AIDS patients. Soon police in the Alwar district of Rajasthan will be able to register criminals, and track missing...
For governments interested in suppressing information online, the old methods of direct censorship are getting less and less effective.
Over the past month, the Thai government has made escalating attempts to suppress critical information online. In the last week, faced with an embarrassing video of the Thai King, the government ordered Facebook to geoblock over 300 pages on the platform and even threatened to shut Facebook down in the country. This is on top of last month's...
In the latest sign of mission creep in domestic deployment of battlefield-strength surveillance technology, U.S. Immigration and Customs Enforcement (ICE) earlier this year used a cell site simulator (CSS) to locate and arrest an undocumented immigrant, according to a report yesterday by The Detroit News.
CSSs, often called IMSI catchers or Stingrays, masquerade as cell phone towers and trick our phones into connecting to them so police can track down a target. EFF has long...
Contrary to the inviting “Sounds good” button to accept the new policy and get to tweeting, the changes Twitter has made around user tracking and data personalization do not sound good for user privacy. For example, the company will now record and store non-EU users’ off-Twitter web browsing history for...
Since 2008, most of Intel’s chipsets have contained a tiny homunculus computer called the “Management Engine” (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some...
Republicans in Congress recently voted to repeal the FCC’s broadband privacy rules. As a result, your Internet provider may be able to sell sensitive information like your browsing history or app usage to advertisers, insurance companies, and more, all without your consent. In response, Internet users have been asking what they can do to protect their own data from this creepy, non-consensual tracking by Internet providers—for example, directing their Internet traffic through a VPN or...
Today InternetLab, Brazil’s leading digital rights organization, released their 2017 report on local telecommunications companies, and how they treat their customers' private information. Brazil’s “Quem defende seus dados?” (“Who Defends Your Data?”) seeks to encourage companies to compete for users by showing who will stand up for their customers' privacy and data protection. That is why InternetLab, one of the leading independent research centers on Internet policy in Brazil, has...
This post was written in collaboration with Amie Stepanovich at Access Now.
On April 6, Russian math instructor Dmitry Bogatov was arrested in Moscow and charged with “preparing to organize mass disorder” and making “public calls for terrorist activity” due to a gross misunderstanding about the operation of the Tor internet anonymization service. Bogatov is accused of authoring a series of online posts published to the sysadmins.ru discussion platform on March 29 under the...
The Bill of Rights at the Border: Fifth Amendment Protections for Account Passwords and Device Passcodes
This is the third and final installment in our series on the Constitution at the border. Today, we’ll focus on the Fifth Amendment and passwords. Click here for Part 1 on the First Amendment or Part 2 on the Fourth Amendment.
Lately, a big question on everyone's mind has been: Do I have to give my password to customs agents?
As anyone who’s ever watched any cop show knows, the Fifth Amendment gives you the right to remain silent and to refuse to provide evidence against...
EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will...
Wikileaks today released documents that appear to describe software tools used by the CIA to break into the devices that we all use at home and work. While we are still reviewing the material, we have not seen any indications that the encryption of popular privacy apps such as Signal and WhatsApp has been broken. We believe that encryption still offers significant protection against surveillance.
The worst thing that...
On February 23rd, a joint team from the CWI Amsterdam and Google announced that they had generated the first ever collision in the SHA-1 cryptographic hashing algorithm. SHA-1 has long been considered theoretically insecure by cryptanalysts due to weaknesses in the algorithm design, but this marks the first time researchers were actually able to demonstrate a real-world example of the insecurity. In addition to being a powerful Proof of Concept (POC), the computing power that went into...