Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.
Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.
Victory: Android 11 Rolls out Improved Certificate Warnings
Now that HTTPS encrypts over 80% of web connections, powerful actors are targeting root certificate stores to compromise our security and surveil us. In the past year alone, that’s included a “market research” company secretly owned by Facebook and the government of Kazakhstan.
Forcing users to install a root certificate enables the certificate owner to decrypt almost all their Internet traffic. This capability is allowed primarily for enterprise network monitoring, and is...Read More
Tech Lobbyists Are Pushing Bad Privacy Bills. Washington State Can, and Must, Do Better.
A data privacy bill in Washington State has gained momentum. The bill, 2SSB 6281 (also known as the Washington Privacy Act, or WPA), has received widespread support from big tech companies. It’s no wonder they like it because, as currently written, the WPA would be a weak, token effort at reining in corporations’ rampant misuse of personal data.
The WPA didn’t come from nowhere, and it didn’t come alone. A number of industry-friendly groups have...Read More
The Graham-Blumenthal Bill: A New Path for DOJ to Finally Break Encryption
Members of Congress are about to introduce a bill that will undermine the law that undergirds free speech on the Internet. If passed, the bill known as the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, will fulfill a long-standing dream of U.S. law enforcement. If passed, it could largely mark the end of private, encrypted messaging on the Internet.
The Department of Justice and the FBI have long seen encryption as a threat. In 1993, the Clinton...Read More
Hundreds of New Yorkers Demand a Ban on NYPD Face Surveillance
Over two hundred New York City residents—including workers, parents, students, business owners, and technologists—have signed a petition calling to end government use of face surveillance in New York City. This morning, EFF and a coalition of over a dozen civil liberties groups delivered that petition to New York's City Council.
In the letter accompanying the petition, the groups commend the City Council members (more than thirty of them) that have signed on as cosponsors of the...Read More
Schools Are Pushing the Boundaries of Surveillance Technologies
Learn more at EFF's Surveillance Self-Defense guide for students.
A school district in New York recently adopted facial recognition technology to monitor students, and it is now one of a growing number of schools across the country conducting mass privacy violations of kids in the name of “safety.” The invasive use of surveillance technologies in schools has grown exponentially, often without oversight or recourse for concerned students or their parents.
Not only...Read More
How Ring Could Really Protect Its Users: Encrypt Footage End-To-End
Last week, we responded to recent changes Amazon’s surveillance doorbell company Ring made to the security and privacy of their devices. In our response, we made a number of suggestions for what Ring could do to be responsive to the privacy and security concerns of its customers and the larger community. One of our suggestions was for Ring to implement measures that require warrants to be issued directly to device owners in order for law enforcement to gain access to footage. This post...Read More
EFF to Ninth Circuit: Border Searches of Electronic Devices Require a Warrant
Although the Ninth Circuit issued a strong opinion last year in favor of digital privacy rights at the border, EFF filed an amicus brief [PDF] in a new case urging the court to go a step further. The Ninth Circuit should finally hold that the Fourth Amendment requires a probable cause warrant for border searches of electronic devices.
Our brief was filed in a case brought by Haisam Elsharkawi, a U.S. citizen who attempted to board a flight at Los Angeles International Airport to...Read More
Ring Updates Device Security and Privacy—But Ignores Larger Concerns
Amazon’s surveillance doorbell company Ring has announced extra layers of security and control for users after a wave of backlash from civil liberties and cyber security organizations like EFF and Mozilla. Organizations raised major concerns over Ring’s lack of effort in protecting the data and security of users, including permitting multiple log-in attempts that allowed bad actors to take control of people’s Ring cameras; not requiring two-factor authentication; and allowing a number of...Read More
What to Know Before You Buy or Install Your Amazon Ring Camera
So, you own or are thinking of buying a Ring camera. This post outlines a list of privacy and civil liberties concerns we have with Amazon’s Ring system so that you can be a more informed consumer, or—if you already own a Ring camera—be a more considerate neighbor.If You’re Thinking of Buying a Ring Camera 1. You are not the only one who can access your footage.
Your Ring footage isn’t private. It’s in the cloud. That means that you are not the only one with...Read More
Clearview AI—Yet Another Example of Why We Need A Ban on Law Enforcement Use of Face Recognition Now
This week, additional stories came out about Clearview AI, the company we wrote about earlier that’s marketing a powerful facial recognition tool to law enforcement. These stories discuss some of the police departments around the country that have been secretly using Clearview’s technology, and they show, yet again, why we need strict federal, state, and local laws that ban—or at least press pause—on law enforcement use of face recognition.
Clearview’s service allows law...Read More
New Bill Would Make Needed Steps Toward Curbing Mass Surveillance
Last week, Sens. Ron Wyden (D–Oregon) and Steve Daines (R–Montana) along with Reps. Zoe Lofgren (D–California), Warren Davidson (R–Ohio), and Pramila Jayapal (D–Washington) introduced the Safeguarding Americans’ Private Records Act (SAPRA), H.R 5675. This bipartisan legislation includes significant reforms to the government’s foreign intelligence surveillance authorities,...Read More
Why Public Wi-Fi is a Lot Safer Than You Think
If you follow security on the Internet, you may have seen articles warning you to “beware of public Wi-Fi networks" in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was.
The advice stems from the early days of the Internet, when most communication was not encrypted. At that time, if...Read More
Ring Doorbell App Packed with Third-Party Trackers
Ring isn't just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers.
An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII). Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent...Read More
Iranian Tech Users Are Getting Knocked Off the Web by Ambiguous Sanctions
Between targeted killings, retaliatory air strikes, and the shooting of a civilian passenger plane, the last few weeks have been marked by tragedy as tensions rise between the U.S. and Iranian governments. In the wake of these events, Iranians within the country and in the broader diaspora have suffered further from actions by both administrations—including violence and lethal force against protesters and internet shutdowns in Iran, as well as detention, surveillance and device seizure at...Read More
Top Apps Invade User Privacy By Collecting and Sharing Personal Data, New Report Finds
A new year often starts with good resolutions. Some resolve to change a certain habit, others resolve to abandon an undesired trait. Mobile app makers, too, claim to have user behavior and their preferences at their heart. From dating to health to music, their promise is to add convenience to consumers’ lives or to offer support when needed. The bad news is that the ecosystem of the underlying ad tech industry has not changed and still does not respect user privacy. A new report, called...Read More
No Digital Surveillance of Iranians at the U.S. Border—Or Within the U.S.
Update 1/10/20: New reporting alleges that officers didn't just search phones, they also acquired social media passwords. Collecting social media passwords would violate existing Department of Homeland Security policy, which requires officers to “respect individuals’ privacy settings” and “access only information that is publicly available." And, if officers used social media passwords to search social media content on a person’s devices, such an action would violate CBP’s policy that...Read More
Surveillance Self-Defense: Year in Review 2019
Here at EFF, we maintain a repository of self-help resources on circumventing surveillance across a variety of different platforms, devices, and threat models. We call it Surveillance Self-Defense, or SSD for short.
SSD covers myriad topics, and is broken up into four main sections:Basics: Overviews on what digital surveillance is and how you can fight it. And if you don’t understand a term being used, there’s an extensive glossary at your disposal. Tool Guides:... Read More
Fighting Back Against Face Surveillance in the Skies: 2019 Year in Review
While cities and municipalities made clear strides to limit the use of face surveillance technology throughout 2019, airlines and government agencies tasked with identifying travelers have spent much of the year trying to expand its use. But while the Department of Homeland Security (DHS) and Customs and Border Patrol (CBP), along with several different airlines, did launch or conclude pilot programs that tested the waters of face recognition technology on travelers this year, they also...Read More
Caught Between Worlds: Imprisoned Tech Users In 2019
Saeed Malekpour crossed the border from Iran to Turkey at night, terrified of capture. He was fleeing from the country that had held him prisoner for a decade, escaping with just a backpack into one of the most chaotic regions of the world. Malekpour was a Canadian web developer who had spent over a decade barely surviving in Iranian jail. He had survived an inexplicable arrest on a trip to Tehran, torture at the hands of that country's secret police, forced public confessions, an...Read More
Smart Home Tech, Police, and Your Privacy: Year in Review 2019
If 2019 confirmed anything, it is that we should not trust the microphones and cameras that large corporations sell us to put inside and near our homes. Thanks to the due diligence of reporters, public records requesters, and privacy researchers and activists, consumers have been learning more and more about how these “smart” home technologies can be hacked, exploited, or utilized by the police and other law enforcement agencies.
Because many technologies that record audio and...Read More
More Than Thirty Human Rights Groups Protest the Targeting of Digital Rights Defenders in Ecuador, Argentina, and Beyond
Protecting human rights comes in many forms. Some human rights defenders are lawyers, defending clients against violations of their basic humanity. Some are journalists, exposing corruption and the secret injustices that might otherwise hide behind power. Some are activists, working in politics and in their communities to give support to those who might not be able to defend themselves.
And some human rights defenders are technologists: building tools to defend or enhance the...Read More
Ring Throws Customers Under the Bus After Data Breach
Just a week after hackers broke into a Ring camera in a child’s bedroom, taunting the child and sparking serious concerns about the company’s security practices, Buzzfeed News is reporting that over 3,600 Ring owners’ email addresses, passwords, camera locations, and camera names were dumped online. This includes cameras recording private spaces inside homes.
This stunning new leak could potentially provide criminals and stalkers with access to view live video feeds from inside and...Read More
Sanctions, Protests, and Shutdowns: Fighting to Open Iran’s Internet
Last week, Iranians took to the streets nationwide in protest after an abrupt spike in fuel prices. As the protests grew, the government disrupted the internet across Iran in an apparent attempt to quell unrest. The slowdown was, for most, experienced as a full blackout of internet and mobile connectivity. The shutdown is in gross violation of Iran’s obligations to its citizens based on international treaties to which the country is a party, including the International Covenant on Civil...Read More
Virtual(ly) Private Network: NordVPN’s Breach and the Limitations of VPNs
UPDATE (11/8/2019): We have clarified that the NordVPN user credentials impacted were not in result of this breach.
The popular VPN provider, NordVPN, recently announced a server breach at a third-party data center. NordVPN reassured users that its key services were not impacted by this breach in particular, however, NordVPN users credentials were used with credential stuffing attacks. NordVPN stresses that there is no indication the breach and the credential stuffing...Read More
Companies Can Still Do More to Protect Privacy in Brazil: Internet Lab Releases Fourth "Who Defends Your Data" Report
Internet Lab, the Brazilian independent research center, has published their fourth annual report of “Quem Defende Seus Dados?" (“Who defends your data?"), comparing policies of their local Internet Service Providers (ISPs) and how they treat users’ data after receiving government requests. Vivo (Telefónica) still takes the lead, but Tim is not far behind. Claro/NET (América Móvil), SKY (DirectTV/AT&T), and Oi also show progress compared to 2018’s...Read More