Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.
Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.
Watering Holes and Million Dollar Dissidents: the Changing Economics of Digital Surveillance
Recently, Google’s Project Zero published a report describing a newly-discovered campaign of surveillance using chains of zero day iOS exploits to spy on iPhones. This campaign employed multiple compromised websites in what is known as a “watering hole” attack. The compromised websites would automatically run the chain of exploits on anyone who visited, with the aim of installing a surveillance implant on the device. Google didn’t reveal the names of the websites or indeed who was being...Read More
Browsers Take a Stand Against Kazakhstan’s Invasive Internet Surveillance
Yesterday, Google Chrome, Mozilla Firefox, and Apple’s Safari browsers started blocking a security certificate previously used by Kazakh ISPs to compromise their users’ security and perform dragnet surveillance. We encourage other browsers to take similar security measures. Since the fix has been implemented upstream in Chromium, it shouldn’t take long for other Chromium-based browsers, like Brave, Opera, and Microsoft’s Edge, to do the same.What Happened, and Why Is... Read More
Apple's New WebKit Policy Takes a Hard Line for User Privacy
Ever since mid-2017, Apple has been tackling web tracking in a big way. Various iterations of its Intelligent Tracking Prevention (ITP) technology have been introduced over the past few years in WebKit, the browser engine for Safari. ITP already protects users from tracking in various ways, but it left open a number of questions about the guidelines it uses to determine just who Apple considers a tracker, and what behavior is indicative of tracking. Last week, Apple answered...Read More
Don't Renew Section 215 Indefinitely
The New York Times reported that the Trump administration wants Section 215, the legal authority that allows the National Security Agency to collect Americans’ telephone records, renewed indefinitely. That’s despite earlier reports the NSA had shuttered its Call Details Record (CDR) Program because it ran afoul of the law, violated the privacy of scores of Americans, and reportedly failed to produce useful intelligence. In a letter to Congress, outgoing Director of National Intelligence...Read More
IPANDETEC Rates Panama’s ISPs in its First ¿Quién Defiende Tus Datos? Report
It's Panama’s turn to take a closer look at the practices of its most prominent Internet Service Providers, and how their policies support their users’ privacy. IPANDETEC, the leading digital rights NGO in Panama, has launched its first "Who Defends Your Data" (¿Quién Defiende Tus Datos?) report. The survey shines a light on the privacy practices of the main ISPs of the country: Claro (America Movil), Movistar (Telefonica), Digicel, and Más Móvil (A...Read More
Amazon’s Ring Is a Perfect Storm of Privacy Threats
Doors across the United States are now fitted with Amazon’s Ring, a combination doorbell-security camera that records and transmits video straight to users’ phones, to Amazon’s cloud—and often to the local police department. By sending photos and alerts every time the camera detects motion or someone rings the doorbell, the app can create an illusion of a household under siege. It turns what seems like a perfectly safe neighborhood into a source of anxiety and fear. This raises the...Read More
DEEP DIVE: CBP’s Social Media Surveillance Poses Risks to Free Speech and Privacy Rights
The U.S. Department of Homeland Security (DHS) and one of its component agencies, U.S. Customs and Border Protection (CBP), released a Privacy Impact Assessment [.pdf] on CBP’s practice of monitoring social media to enhance the agency’s “situational awareness.” As we’ve argued in relation to other government social media surveillance programs, this practice endangers the free speech and privacy rights of Americans.“Situational Awareness”
The Privacy Impact...Read More
ICE’s Rapid DNA Testing on Migrants at the Border Is Yet Another Iteration of Family Separation
As the number of migrants at the southern border has surged in the past several months, the Trump administration has turned to increasingly draconian measures as a form of deterrence. While the separation of children from their parents and housing of migrants in overcrowded and ill-equipped holding facilities have rightfully made front-page headlines, the administration’s latest effort—to conduct Rapid DNA testing on migrant families at the border—has flown under the radar. However, this...Read More
In Ecuador, Political Actors Must Step Away From Ola Bini’s Case
After spending nearly a week in Ecuador to learn more about the case against Swedish open source software developer Ola Bini, who was arrested here in April, EFF has found a clear consensus among the experts: the political consequences of his arrest appear to be outweighing any actual evidence the police have against him. The details of who stood to benefit from Bini's prosecution varied depending on who we spoke with, but overall we have been deeply disturbed by how intertwined the...Read More
Google’s Plans for Chrome Extensions Won’t Really Help Security
Last week we learned about DataSpii, a report by independent researcher Sam Jadali about the “catastrophic data leak” wrought by a collection of browser extensions that surreptitiously extracted their users’ browsing history (and in some cases portions of visited web pages). Over four...Read More
DOJ and FBI Show No Signs of Correcting Past Untruths in Their New Attacks on Encryption
Last week, Attorney General William Barr and FBI Director Christopher Wray chose to spend some of their time giving speeches demonizing encryption and calling for the creation of backdoors to allow the government access to encrypted data. You should not spend any of your time listening to them.
Don’t be mistaken; the threat to encryption remains high. Australia and the United Kingdom already have laws in place that can enable those governments to undermine encryption, while other...Read More
Building Community in Brooklyn: A Grassroots Case Study
Grassroots-level organizing has long been an important tool for advancing policy goals and activating a constituency. More importantly, local organizing can provide an avenue through which the skills and knowledge of some are leveraged to support the previously-unmet needs of the wider community.
As a member of the Electronic Frontier Alliance—a network of independent local advocacy groups in the U.S.—The Cypurr Collective is offering down-to-earth tech guidance to their neighbors...Read More
Fixed? The FTC Orders Facebook to Stop Using Your 2FA Number for Ads
Since academics and investigative journalists first reported last year that Facebook was using people’s two-factor authentication numbers and “shadow” contact information for targeted advertising, Facebook has shown little public interest in fixing this critical problem. Subsequent demands that Facebook stop all non-essential uses of these phone numbers, and public revelations that Facebook’s phone number abuse was even worse than initially reported, failed to move the company to...Read More
Adblocking: How About Nah?
For more than a decade, consumer rights groups (including EFF) worked with technologists and companies to try to standardize Do Not Track, a flag that browsers could send to online companies signaling that their users did not want their browsing activity tracked. Despite long hours and backing from the FTC, foot-dragging from the browser vendors and outright hostility from the big online media companies mean that setting Do Not Track in your browser does virtually nothing to protect your...Read More
Thank Q, Next
In its next release, Android plans to up its privacy game. But the operating system still caters to ad trackers at its users’ expense.
The newest release of Android, dubbed “Q,” is currently in late-stage beta testing and slated for a full release this summer. After a year defined by new privacy protections around the world and major privacy failures by Big Tech, this year, Google is trying to convince users that it is serious about “protecting their information.” The word...Read More
When Will We Get the Full Truth About How and Why the Government Is Using Face Recognition?
Earlier this month, the House Committee on Homeland Security held a hearing to discuss the role of face recognition and other invasive biometric technologies in use by the Department of Homeland Security (DHS). Despite some pushback from some lawmakers on the committee, John Wagner of the U.S. Customs and Border Protection (CBP), Austin Gould of the Transportation Security Administration (TSA), Joseph DiPietro of the Secret Service, and Charles Romine from the National Institute of...Read More
New Chilean ¿Quién Defiende Tus Datos? Report Shows Greater ISPs Commitment to User Privacy
Derechos Digitales, the leading digital rights organization in Chile, published its third annual Who Defends Your Data report today, in collaboration with EFF. The report assesses whether the country’s top ISPs enforce privacy policies and practices that put their users first. Kurt Opsahl, EFF’s Deputy Executive Director and General Counsel, joined the launch in Santiago de Chile, which highlighted the main findings and achievements of the report.
ISPs have made...Read More
Don’t Let Encrypted Messaging Become a Hollow Promise
Why do we care about encryption? Why was it a big deal, at least in theory, when Mark Zuckerberg announced earlier this year that Facebook would move to end-to-end encryption on all three of its messaging platforms? We don’t just support encryption for its own sake. We fight for it because encryption is one of the most powerful tools individuals have for maintaining their digital privacy and security in an increasingly insecure world.
And although encryption may be the backbone,...Read More
Sharpening Our Claws: Teaching Privacy Badger to Fight More Third-Party Trackers
The latest release of Privacy Badger gives it the power to detect and block a new class of evasive, pervasive third-party trackers, including Google Analytics.
Most blocking tools, like uBlock Origin, Ghostery, and Firefox’s native blocking mode (using Disconect’s block lists), use human-curated lists to decide whether to block or allow third-party resources. But Privacy Badger is different. Rather than rely on a list of known trackers, it discovers and learns to block new...Read More
Announcing “Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks”
Our phones hold a plethora of important, private information about our personal lives, and it’s not just their contents that matter: the data that our phones exchange with cell towers during basic connection procedures can reveal critical, and private, information. Perhaps you called the suicide prevention hotline from the Golden Gate Bridge; maybe you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and...Read More
Again!? The NSA’s Phone Records Program Still Can’t Stay Within the Law
Just as the Trump administration has signaled its interest in a permanent “clean” reauthorization of the Patriot Act’s phone surveillance provision, the NSA proves once again that it is not to be trusted with these tools. New documents obtained by the ACLU and reported in the Wall Street Journal have revealed that last year the NSA once again collected phone records of Americans that it was not authorized to obtain.
The NSA collected Information, including who phone-users were...Read More
What You Need to Know About the Latest WhatsApp Vulnerability
If you are one of WhatsApp’s billion-plus users, you may have read that on Monday the company announced that it had found a vulnerability. This vulnerability allowed an attacker to remotely upload malicious code onto a phone by sending packets of data that look like phone calls from a number not in your contacts list. These repeated calls then cause WhatsApp to crash. This is a particularly scary vulnerability because the does not require that the user pick up the phone, click a link,...Read More
Shareholders Demand To Know How Northrop Grumman Will Protect Human Rights While Building Massive DHS Database
Over the next few years, the Department of Homeland Security (DHS) plans to implement an enormous biometric collection program which will endanger the rights of citizens and foreigners alike. The agency intends to collect at least seven types of biometric identifiers, including face and voice data, DNA, scars, and tattoos, often from questionable sources, and from innocent people.
But DHS isn’t building all of the technology: Northrop Grumman, a defense contractor, won the nearly...Read More
Human Rights Watch Reverse-Engineers Mass Surveillance App Used by Police in Xinjiang
For years, Xinjiang has been a testbed for the Chinese government’s novel digital and physical surveillance tactics, as well as human rights abuses. But there is still a lot that the international human rights community doesn’t know, especially when it comes to post-2016 Xinjiang.
Last Wednesday, Human Rights Watch released a report detailing the inner workings of a mass surveillance app used by police and other officials. The application is used by offiicals to communicate with...Read More
We Got U.S. Border Officials to Testify Under Oath. Here’s What We Found Out
This is a guest post by Hugh Handeyside, Senior Staff Attorney, ACLU National Security Project, Nathan Freed Wessler, Staff Attorney, ACLU Speech, Privacy, and Technology Project, and Esha Bhandari, Staff Attorney, ACLU Speech, Privacy, and Technology Project. It was originally posted on the ACLU Speak Freely blog.
In September 2017, we, along with the Electronic Frontier Foundation, sued the federal government for its warrantless and suspicionless searches of phones and...Read More