Security Education Companion
A free resource for digital security educators

Security News

Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.

Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.

Top Apps Invade User Privacy By Collecting and Sharing Personal Data, New Report Finds

A new year often starts with good resolutions. Some resolve to change a certain habit, others resolve to abandon an undesired trait. Mobile app makers, too, claim to have user behavior and their preferences at their heart. From dating to health to music, their promise is to add convenience to consumers’ lives or to offer support when needed. The bad news is that the ecosystem of the underlying ad tech industry has not changed and still does not respect user privacy. A new report, called...

No Digital Surveillance of Iranians at the U.S. Border—Or Within the U.S.

Update 1/10/20: New reporting alleges that officers didn't just search phones, they also acquired social media passwords. Collecting social media passwords would violate existing Department of Homeland Security policy, which requires officers to “respect individuals’ privacy settings” and “access only information that is publicly available.” And, if officers used social media passwords to search social media content on a person’s devices, such an action would violate CBP’s policy that...

Surveillance Self-Defense: Year in Review 2019

Here at EFF, we maintain a repository of self-help resources on circumventing surveillance across a variety of different platforms, devices, and threat models. We call it Surveillance Self-Defense, or SSD for short.

SSD covers myriad topics, and is broken up into four main sections:

Basics: Overviews on what digital surveillance is and how you can fight it. And if you don’t understand a term being used, there’s an extensive glossary at your disposal. Tool Guides:...

Fighting Back Against Face Surveillance in the Skies: 2019 Year in Review

While cities and municipalities made clear strides to limit the use of face surveillance technology throughout 2019, airlines and government agencies tasked with identifying travelers have spent much of the year trying to expand its use. But while the Department of Homeland Security (DHS) and Customs and Border Patrol (CBP), along with several different airlines, did launch or conclude pilot programs that tested the waters of face recognition technology on travelers this year, they also...

Caught Between Worlds: Imprisoned Tech Users In 2019

Saeed Malekpour crossed the border from Iran to Turkey at night, terrified of capture. He was fleeing from the country that had held him prisoner for a decade, escaping with just a backpack into one of the most chaotic regions of the world. Malekpour was a Canadian web developer who had spent over a decade barely surviving in Iranian jail. He had survived an inexplicable arrest on a trip to Tehran, torture at the hands of that country's secret police, forced public confessions, an...

Smart Home Tech, Police, and Your Privacy: Year in Review 2019

If 2019 confirmed anything, it is that we should not trust the microphones and cameras that large corporations sell us to put inside and near our homes. Thanks to the due diligence of reporters, public records requesters, and privacy researchers and activists, consumers have been learning more and more about how these “smart” home technologies can be hacked, exploited, or utilized by the police and other law enforcement agencies.

Because many technologies that record audio and...

More Than Thirty Human Rights Groups Protest the Targeting of Digital Rights Defenders in Ecuador, Argentina, and Beyond

Protecting human rights comes in many forms. Some human rights defenders are lawyers, defending clients against violations of their basic humanity. Some are journalists, exposing corruption and the secret injustices that might otherwise hide behind power. Some are activists, working in politics and in their communities to give support to those who might not be able to defend themselves.

And some human rights defenders are technologists: building tools to defend or enhance the...

Ring Throws Customers Under the Bus After Data Breach

Just a week after hackers broke into a Ring camera in a child’s bedroom, taunting the child and sparking serious concerns about the company’s security practices, Buzzfeed News is reporting that over 3,600 Ring owners’ email addresses, passwords, camera locations, and camera names were dumped online. This includes cameras recording private spaces inside homes.

This stunning new leak could potentially provide criminals and stalkers with access to view live video feeds from inside and...

Sanctions, Protests, and Shutdowns: Fighting to Open Iran’s Internet

Last week, Iranians took to the streets nationwide in protest after an abrupt spike in fuel prices. As the protests grew, the government disrupted the internet across Iran in an apparent attempt to quell unrest. The slowdown was, for most, experienced as a full blackout of internet and mobile connectivity. The shutdown is in gross violation of Iran’s obligations to its citizens based on international treaties to which the country is a party, including the International Covenant on Civil...

Virtual(ly) Private Network: NordVPN’s Breach and the Limitations of VPNs

UPDATE (11/8/2019): We have clarified that the NordVPN user credentials impacted were not a result of this breach.

The popular VPN provider NordVPN recently announced a server breach at a third-party data center. NordVPN reassured users that its key services were not impacted by this breach in particular; however, NordVPN users' credentials were used in credential stuffing attacks. NordVPN stresses that there is no indication the breach and the credential stuffing...

Companies Can Still Do More to Protect Privacy in Brazil: Internet Lab Releases Fourth "Who Defends Your Data" Report

Internet Lab, the Brazilian independent research center, has published their fourth annual report of “Quem Defende Seus Dados?” (“Who defends your data?”), comparing policies of their local Internet Service Providers (ISPs) and how they treat users’ data after receiving government requests. Vivo (Telefónica) still takes the lead, but Tim is not far behind. Claro/NET (América Móvil), SKY (DirectTV/AT&T), and Oi also show progress compared to 2018’s...

Watering Holes and Million Dollar Dissidents: the Changing Economics of Digital Surveillance

Recently, Google’s Project Zero published a report describing a newly-discovered campaign of surveillance using chains of zero day iOS exploits to spy on iPhones. This campaign employed multiple compromised websites in what is known as a “watering hole” attack. The compromised websites would automatically run the chain of exploits on anyone who visited, with the aim of installing a surveillance implant on the device. Google didn’t reveal the names of the websites or indeed who was being...

Browsers Take a Stand Against Kazakhstan’s Invasive Internet Surveillance

Yesterday, Google Chrome, Mozilla Firefox, and Apple’s Safari browsers started blocking a security certificate previously used by Kazakh ISPs to compromise their users’ security and perform dragnet surveillance. We encourage other browsers to take similar security measures. Since the fix has been implemented upstream in Chromium, it shouldn’t take long for other Chromium-based browsers, like Brave, Opera, and Microsoft’s Edge, to do the same.

What Happened, and Why Is...

Apple's New WebKit Policy Takes a Hard Line for User Privacy

Ever since mid-2017, Apple has been tackling web tracking in a big way. Various iterations of its Intelligent Tracking Prevention (ITP) technology have been introduced over the past few years in WebKit, the browser engine for Safari. ITP already protects users from tracking in various ways, but it left open a number of questions about the guidelines it uses to determine just who Apple considers a tracker, and what behavior is indicative of tracking. Last week, Apple answered...

Don't Renew Section 215 Indefinitely

The New York Times reported that the Trump administration wants Section 215, the legal authority that allows the National Security Agency to collect Americans’ telephone records, renewed indefinitely. That’s despite earlier reports the NSA had shuttered its Call Details Record (CDR) Program because it ran afoul of the law, violated the privacy of scores of Americans, and reportedly failed to produce useful intelligence. In a letter to Congress, outgoing Director of National Intelligence...

IPANDETEC Rates Panama’s ISPs in its First ¿Quién Defiende Tus Datos? Report

It's Panama’s turn to take a closer look at the practices of its most prominent Internet Service Providers, and how their policies support their users’ privacy. IPANDETEC, the leading digital rights NGO in Panama, has launched its first "Who Defends Your Data" (¿Quién Defiende Tus Datos?) report. The survey shines a light on the privacy practices of the main ISPs of the country: Claro (America Movil), Movistar (Telefonica), Digicel, and Más Móvil (A...

Amazon’s Ring Is a Perfect Storm of Privacy Threats

Doors across the United States are now fitted with Amazon’s Ring, a combination doorbell-security camera that records and transmits video straight to users’ phones, to Amazon’s cloud—and often to the local police department. By sending photos and alerts every time the camera detects motion or someone rings the doorbell, the app can create an illusion of a household under siege. It turns what seems like a perfectly safe neighborhood into a source of anxiety and fear. This raises the...

DEEP DIVE: CBP’s Social Media Surveillance Poses Risks to Free Speech and Privacy Rights

The U.S. Department of Homeland Security (DHS) and one of its component agencies, U.S. Customs and Border Protection (CBP), released a Privacy Impact Assessment [.pdf] on CBP’s practice of monitoring social media to enhance the agency’s “situational awareness.” As we’ve argued in relation to other government social media surveillance programs, this practice endangers the free speech and privacy rights of Americans.

“Situational Awareness”

The Privacy Impact...

ICE’s Rapid DNA Testing on Migrants at the Border Is Yet Another Iteration of Family Separation

As the number of migrants at the southern border has surged in the past several months, the Trump administration has turned to increasingly draconian measures as a form of deterrence. While the separation of children from their parents and housing of migrants in overcrowded and ill-equipped holding facilities have rightfully made front-page headlines, the administration’s latest effort—to conduct Rapid DNA testing on migrant families at the border—has flown under the radar. However, this...

In Ecuador, Political Actors Must Step Away From Ola Bini’s Case

After spending nearly a week in Ecuador to learn more about the case against Swedish open source software developer Ola Bini, who was arrested here in April, EFF has found a clear consensus among the experts: the political consequences of his arrest appear to be outweighing any actual evidence the police have against him. The details of who stood to benefit from Bini's prosecution varied depending on who we spoke with, but overall we have been deeply disturbed by how intertwined the...

Google’s Plans for Chrome Extensions Won’t Really Help Security

Note: Sam Jadali, the author of the DataSpii report referenced in this blog post, is an EFF Coders’ Rights client. However, the information about DataSpii in this post is based entirely on public reports.

Last week we learned about DataSpii, a report by independent researcher Sam Jadali about the “catastrophic data leak” wrought by a collection of browser extensions that surreptitiously extracted their users’ browsing history (and in some cases portions of visited web pages). Over four...

DOJ and FBI Show No Signs of Correcting Past Untruths in Their New Attacks on Encryption

Last week, Attorney General William Barr and FBI Director Christopher Wray chose to spend some of their time giving speeches demonizing encryption and calling for the creation of backdoors to allow the government access to encrypted data. You should not spend any of your time listening to them. 

Don’t be mistaken; the threat to encryption remains high. Australia and the United Kingdom already have laws in place that can enable those governments to undermine encryption, while other...

Building Community in Brooklyn: A Grassroots Case Study

Grassroots-level organizing has long been an important tool for advancing policy goals and activating a constituency. More importantly, local organizing can provide an avenue through which the skills and knowledge of some are leveraged to support the previously-unmet needs of the wider community. 

As a member of the Electronic Frontier Alliance—a network of independent local advocacy groups in the U.S.—The Cypurr Collective is offering down-to-earth tech guidance to their neighbors...

Fixed? The FTC Orders Facebook to Stop Using Your 2FA Number for Ads

Since academics and investigative journalists first reported last year that Facebook was using people’s two-factor authentication numbers and “shadow” contact information for targeted advertising, Facebook has shown little public interest in fixing this critical problem. Subsequent demands that Facebook stop all non-essential uses of these phone numbers, and public revelations that Facebook’s phone number abuse was even worse than initially reported, failed to move the company to...

Adblocking: How About Nah?

For more than a decade, consumer rights groups (including EFF) worked with technologists and companies to try to standardize Do Not Track, a flag that browsers could send to online companies signaling that their users did not want their browsing activity tracked. Despite long hours and backing from the FTC, foot-dragging from the browser vendors and outright hostility from the big online media companies mean that setting Do Not Track in your browser does virtually nothing to protect your...
