Security

  • Germany – photographing illegal parking is lawful

    Steve WoodsLanguage, Media, Privacy, Security, Tech

    German newspaper <a href="https://www.welt.de/regionales/bayern/article241937155/Urteil-Buerger-duerfen-Falschparker-fuer-Anzeige-fotografieren.html".Die Welt states that it’s so obvious: people wanting to report an illegal parker just pull out their smartphone and then send the picture to the police. However, two men in Bavariahad trouble with the state’s data protection authorities. A court has now decided who acted corrected.

    A Ferrari parked on the footway being booked in Munich. Image courtesy of Wikimedia Commons
    A Ferrari parked on the footway being booked in Munich.
    Image courtesy of Wikimedia Commons

    Anyone who sends photos of illegal parkers as part of a report to the police does not normally violate data protection legislation. This emerged on Thursday from two landmark rulings published by the Ansbach Administrative Court. With these the court agreed with two men who corroborated their reports of parking infringements on footways and cycleways with photos. For using this they received a warning and a fine of €100 each from the Bavarian State Data Protection Office (LDA). Both objected and went to court with the support of Deutsche Umwelthilfe e.V. (DUH)

    The administrative court combined the two procedures in a joint hearing because of the identical questions and ultimately ruled that the procedure involved lawful data processing. However, the actual statement of is not available. The verdicts are of fundamental significance from the legal point of view, but are still not absolute.

    The DUH, which supported one of the two plaintiffs in a test case, welcomed the verdict. “Illegal parking is no trivial offence, but endangers people who are travelling by bike, wheeled walking frame, wheelchair or pram”, commented Jürgen Resch, its Federal director. “The authorities should not take action against civil society commitment, but rather take consistent measures against blocked footpaths and cycle paths, illegal parking in front of dropped kerbs or at junctions; and do so not just in Bavaria, but nationwide.»

    The crux of the proceedings was the question of whether digital transmission of the photos constituted lawful data processing within the meaning of the General Data Protection Regulation since there must be a legitimate interest in forwarding the image files. On the other hand, data transmission and processing must be necessary.

    Accordingly, the parties to the proceedings before the court argued about whether the plaintiffs had to be personally affected by the parking violations and whether a written or telephone description of the facts including the vehicle registration number, was not sufficient. In addition, the LDA pointed out that other data such as other cars with registration plates and people can often be seen in the pictures. In reply, the plaintiffs stressed that the police had asked them to document the parking situation as accurately as possible with photos as evidence.

    The LDA stated that once the judgment’s statement of grounds was available, it would examine whether the decision was an individual case or whether a reassessment of the use of photos in public places that was critical for data protection had been initiated. In addition, it wants to agree clear and uniform guidelines with the police regarding which information is required when reporting illegal parking and which communication channel should be used.

  • Chrome’s incognito mode is anything but – allegedly

    Steve WoodsLanguage, Media, Open Source, Privacy, Security, Tech

    Google Chrome iconGoogle Chrome is a cross-platform web browser first introduced in 2008. Based largely on the open source Chromium browser, perhaps the best description for it is proprietary freeware.

    French IT news website Le Monde Informatique reports that a federal judge in California is examining complaints against Google alleging that the company is tricking users into believing that their private life is protected when using the browser’s incognito mode. The lawsuit which was initiated before the North California District Court more than 2 years ago by 5 users is now awaiting a more recent petition from these plaintiff in a class action. One of the complaints concerns Chrome users with a Google account who accessed a non-Google website containing Google tracking or advertising code and who were browsing in incognito mode; a second covers all users of Safari, Edge and Internet Explorer with a Google account who accessed a non-Google website containing Google tracking or advertising code in private browsing mode. According to legal documents first disclosed by Bloomberg, Google employees joked about the browser’s incognito mode and the fact that it was not really private. They also took the company to task for not having done more to provide users with the privacy they though they were enjoying.

    Judge Yvonne Gonzalez Rogers, who presides over the United States District Court for the Northern District of California, will decide whether the tens of thousands of users of Chrome’s incognito mode can be grouped together to seek statutory damages of $100 to $1,000 per violation, which could potentially increase the fine to over $5 bn. The definition of the word incognito is to disguise or conceal one’s identity. The confidentiality settings of web browsers are intended to delete local traces of sites visited by a user, as well as web searches and information provided when filling in online forms. Simply put, private modes such as incognito are not supposed to track and record data from web searches and sites visited by users. Google is also facing proceedings linked to user confidentiality from the justice ministers and public prosecutors of several federal states including Texas, the District of Columbia and Washington. Earlier this month Google settled a lawsuit filed by the attorney general of Arizona for $85 mn. Initially filed in June 2020, the class action was asking for at least $5 bn., accusing Google of surreptitiously collecting data on what people were viewing online and where they were browsing despite using private browsing mode. Lawyers for the plaintiffs say they have a large number of internal Google emails proving that managers have known for years that private browsing mode does not do what it claims. When a user chooses to use this incognito mode, Google’s browser is supposed to delete browsing history and cookies automatically at the end of a session.

    Data sold for advertising purposes in auctions

    The plaintiffs, who are Google Account holders, alleged that the search engine collected their data, distributed it and sold it for targeted advertising through a real-time auction system (RTB). LThe plaintiffs allege that even in incognito mode, Google can see what sites Chrome users are visiting and collect data by means which include Analytics, digital fingerprinting techniques, concurrent applications and processes on a user’s device and AdManager. The latter is a Google service enabling businesses to distribute and create web, mobile and video advertising reports for a company.

    According to one report, more than 70% of all website use one of more of Google’s services. More specifically, the plaintiffs allege that every time a user with private browsing mode active visits a website running Analytics or AdManager, the search giant’s software scripts on the site surreptitiously order the user’s browser to send a secret separate message to its servers in California. “Google learns exactly what content the user’s browser software was asking the website to display, and it also passes a header containing the URL information of what the user viewed and requested online. Device IP address, geolocation data and user ID are all tracked and logged by Google”, according to one report in the lawsuit. “Once collected, this mountain of data is analyzed to build digital records on millions of consumers, in some cases identifying us by name, gender, age, and medical conditions and political issues we researched online”, the lawsuit claims.

    Truly private browsing results in loss of revenue

    In March 2021, a California judge denied 82 motions by Google’s attorneys to end the lawsuit and ruled against the company, allowing it to proceed. In July that year the company was sentenced to pay almost one million dollars in legal fees and expenses as a penalty for not having disclosed evidence concerning the lawsuit in a timely manner.

    This week a spokesperson for Google told the Washington Post it had been frank with users about what its incognito mode offers in terms of privacy and that the plaintiffs “deliberately misrepresented our statements”. Jack Gold, senior analyst at J. Gold Associates, said the company makes the majority of its revenue by tracking everyone and selling ad space. “If they’re really creating a completely private browsing experience, then the revenue stream is gone,” he said. “So, I suspect there is a ‘balancing act’ going on internally as to where the borders are around privacy vs. tracking. No company builds a free browser without being able to generate revenues somehow”. The plaintiffs in the case said they chose “private browsing mode” to prevent others from learning what they’re viewing on the internet. When it comes to using Google Chrome and other browsers, “let the user beware,” Gold said. “You have to trust the maker to take care of your privacy, but it’s not always in their best interest to do so”.

  • Introducing Ubuntu Pro beta

    Steve WoodsLinux, Open Source, Security, Tech

    Ubuntu logoCanonical is currently offering a public beta version of Ubuntu Pro, giving Ubuntu Linux users extended maintenance and security compliance for software packages ranging from the Node.js runtime to Python 2 and Rust. Security cover will be extended for average and high common vulnerabilities and exposures (CVE) for thousands of applications and toolchains including Ansible, Apache Tomcat, Apache Zookeeper, Docker, Drupal, Node.js, Puppet, Python 2, Rust and others.

    A free thirty days trial is available for businesses. Ubuntu Pro is available for data centres and workstations. A free level is being offered for small-scale personal use (up to 5 machines).

    Since the launch of Ubuntu LTS with 5 years support for the main operating system, businesses have asked the supplier to cover a larger area of the open source landscape under private commercial agreements. These benefits are now offered free of charge to anyone with a free personal subscription to Ubuntu Pro. This may also be combined with 24/7 enterprise level for the Ubuntu operating system.

    Ubuntu Pro is available for all Long Term Support (LTS) versions of Ubuntu from version 16.04 LTS upwards. The standard Ubuntu Pro subscription covers security updates for all Ubuntu packages. In addition, Canonical’s Ubuntu Advantage for Infrastructure subscription has been renamed Ubuntu Pro (Infra-only) with no change in its price or range. The Infra-Only subscription covers the base operating system and the private cloud components required for large-scale and bare metal and excludes wider cover for applications. Subscribing to Ubuntu Pro costs US $25 dollars per year excl. tax for one workstation or US $500 dollars per year for a server. On public clouds Ubuntu Pro costs some 3.5% of the average cost of the underlying processing environment.

  • Family matters

    Steve WoodsBristol, Language, Politics, Privacy, Security

    There are some writers whose importance does not diminish with their demise. Take, for example, the ancient Athenian playwright Aristophanes; his plays are still being staged nearly two and half millennia after his death; then there’s that genius in understanding human emotions and the human condition, William Shakespeare.

    George Orwell press card photoTo these giants of literature, your ‘umble scribe would add the name of George Orwell. Even though he died in 1950, his works still seem startlingly relevant to life in the 21st century and its politics in particular. The major annual prize for political writing in the English Empire (which some still call the United Kingdom. Ed.) is named after him.

    Nineteen Eighty-Four (in words, not numerals. Ed.), which was written in 1948 and published in 1949, was intended as a warning against authoritarianism and oppression. However, successive twenty-first century governments seem to have used it as a manual for the implementation of mass surveillance of the population and the removal of their right to privacy, particularly as regards the use of information technology (via e.g. the Regulation of Investigatory Powers Act 2000); and all in the name of so-called security.

    What has been exercising your correspondent this morning is a particular passage from The Lion and the Unicorn: Socialism and the English Genius. This was an essay written in 1941 during World War 2 relating to the state of the English, as opposed to the British. In particular, it highlights the outdated English class system as a major impediment in the mid-20th century, as exemplified below.

    England is not the jewelled isle of Shakespeare’s much-quoted message, nor is it the inferno depicted by Dr Goebbels. More than either it resembles a family, a rather stuffy Victorian family, with not many black sheep in it but with all its cupboards bursting with skeletons. It has rich relations who have to be kow-towed to and poor relations who are horribly sat upon, and there is a deep conspiracy of silence about the source of the family income. It is a family in which the young are generally thwarted and most of the power is in the hands of irresponsible uncles and bedridden aunts. Still, it is a family. It has its private language and its common memories, and at the approach of an enemy it closes its ranks. A family with the wrong members in control – that, perhaps, is as near as one can come to describing England in a phrase.

    Looking at the cupboards bursting with skeletons, one only has to look at the colonial oppressors and crooks that our Victorian forebears sought to elevate to figures of admiration, such as Robert ‘Lord Vulture’ Clive, who used his position in the East India Comp;any for personal enrichment and the likes of Waterloo hero Thomas Picton, formerly a sadistic and cruel governor of Trinidad. Both Clive and Picton have featured in the recent statue wars where the right wing, including government ministers, sought to deny the brutality of empire and its legacy. Sorry, but introducing the system of common law and the game of cricket are not adequate compensation for centuries of plunder, expropriation, conquest, repression and genocide.

    Looking at the deep conspiracy of silence about the source of the family income, there has yet to be any official acknowledgement that the family income from the late 16th century onwards was based upon piracy and then increasingly upon slavery, for which some former British Caribbean colonies are clamouring increasingly for reparations.

    Elizabeth Mary Truss, alleged Prime Minister of the English EmpireFinally, let’s come to that family with the wrong members in control. They don’t come more wrong than the current occupant of Number 10 Downing Street, one Elizabeth Mary Truss.

    Truss is clearly an admirer – and blatant imitator – of her Tory predecessor Margaret Thatcher, who did so much to destroy the British economy and society in the 1980s. However, what really grates with many people is the manner in which Truss was elevated to the premiership, i.e. elected to the leadership of her party by its 160,000 strong membership which is mainly elderly, white, male and racist (occasionally referred to as a ‘selectorate‘. Ed.), and thus hardly representative of the country.

    If England truly is akin to a family, it is one that is deeply dysfunctional.

  • DuckDuckGo blocks Microsoft trackers

    Steve WoodsPrivacy, Security, Tech

    French IT news site Le Monde Informatique reports that DuckDuckGo has decided to block Microsoft’s trackers in its mobile browser applications and browser plug-ins in an effort to extend its approach to privacy protection. It had already been criticised at the start of the year on the matter.

    Screenshot of DuckDuckGo search engine

    Protecting internet users from tracking and protecting their anonymity is not simple. DuckDuckGo is part of this move and was very upset to find out that as part of its agreement with the Bing search engine, Microsoft had given the green light for user tracking. This is no longer the case since from that date onwards DuckDuckGo’s CEO, Gabriel Weinberg, has stated that blocking the loading of scripts on websites by the browser was extended to Microsoft’s scripts in DuckDuckGo browser applications for iOS and Android and browser extensions (Chrome, Firefox, Safari, Edge and Opera) and that beta applications will follow next month.

    DuckDuckGo is attempting to block tracking scripts from search engines and sites such as Facebook, as well as other types of tracking scripts or software. It uses what it calls third-party tracking loading protection to prevent these third-party scripts or cookies from being loaded into the browser. If they did, they could track movements on the web and build a profile of the user, their preferences, etc. If other browsers and browser plug-ins also enable users to protect their privacy, DuckDuckGo has made privacy its priority.

    Delayed neutralising

    Mr Weinburg’s decision was taken after the discovery at the start of the year by security researcher Zach Edwards that DuckDuckGo was blocking trackers from Google and Facebook, but was allowing some of Microsoft’s trackers via Linkedin and Bing. The discovery was then reported by BleepingComputer. “Previously, we were limited in how we could apply our third-party tracker download protection to Microsoft tracking scripts due to policy requirements related to our use of Bing as the source of our private search results,” Weinberg explained, adding that, “We’re glad that’s no longer the case. We didn’t have and don’t have similar restrictions with any other company.”

    DuckDuckGo still has an advertising relationship with Microsoft, which it will maintain. Clicking through on advertisements on DuckDuckGo is anonymous and Microsoft has undertaken not to profile DuckDuckGo users. If Microsoft continues to save the user’s link, it will not associate them with a profile. On an updated support page, DuckDuckGo has provided a summary of everything which its its browser authorises and does not authorise, as well as providing details of web tracking protection.

  • Prying Google is not your friend

    Steve WoodsMedia, Privacy, Security, Tech

    The Irish Council for Civil Liberties (ICCL) is pointing its finger at Google for spying on users, French IT news website Le Monde Informatique reports. A real-time bidding (RTB) system which is actively used by the company enables it to follow and share what everyone is looking at or doing online and note down this activity’s location. RTB is the technology underpinning all online advertising and it relies on sharing of personal information without user consent, according to the ICCL.

    Google’s troubles are far from over. Widely singled out for its actions in terms of the use of personal data, the company is now in the spotlight for its tracking and advertising targeting activity. A report (PDF) published by the ICCL on 16 May accuses the search giant of an unprecedented data breach. The report sheds light on the RTB system, which works in the background on websites and in applications. “It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you,” the report states.

    The ICCL report claims it presents the scale of this data breach for the first time.

    This data breach takes place throughout the world. The RTB system “tracks and shares what users are viewing online with their location in real time 294 bn. times in the USA and 197 bn. times in Europe each day”, it states. On average a person in the USA has their online activity and location tracked 747 times a day by those using RTB. In Europe, RTB exposes personal data 376 times a day. In Germany alone, Google sends 19.6 million broadcasts about German Internet users’ online behaviour every minute that they are online. “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data”. It is a high-earning business generating more than $117 bn. in the USA and Europe in 2021.

    Maps of Europe and USA showing billions of daily Google RTB broadcasts

    Advertising is an indispensable condition of this system as the majority of advertising on websites and in applications is placed there using RTB. Advertisers spend $100 bn. annually in the USA and Europe. The RTB market’s estimated value was $91 bn. in the USA in 2021 and €23 bn. in Europe in 2019. It therefore highlights that Americans’ online activity and their locations is exposed 57% more frequently than that of users in Europe.

    Google is one of the five largest users of this real-time bidding system. No fewer than 4,698 US companies are authorised by Google to receive RTB data on people, whilst in Europe the number drops to 1,058 companies. More specifically, the data collected by Google, like what people are looking at online or doing with an application and their ‘hyperlocal‘ geographical location is broadcast 42 bn. times per day in Europe and 31 bn. times daily in the USA.

    The ICCL is working to end the RTB data breach in Europe and has litigation ongoing in three European courts, as follows:

  • Research reveals websites collecting information without consent

    Steve WoodsPrivacy, Security, Tech

    online spying imageToday’s Journal du Geek reports that some unscrupulous websites do not clutter up their webpages with a Submit button when visitors are filling in a form.

    If you have already filled in a web form before changing your mind, your data has doubtless been sucked up by an unscrupulous website. In a recent study carried out by researchers from 3 European universities, which will be presented at the Usenix Security conference in August, we learn that some platforms are capable of spying on every character typed on a keyboard.

    By analysing 2.8 mn. webpages on the world’s 100,000 most visited websites, the research’s assessment is definitive: in the case of a web form filled completed in Europe, nearly 2,000 of them are capable of collecting the user’s email address before that user has clicked the Send button. One of the joint authors Güne Acar of Radboud University in Nijmegen states: “We were very surprised by the results. We thought we might find a few hundred sites where your email address is collected before you send it, but the result far exceeded our expectations”.

    However, the situation in Europe remains better than that in the United States. Whereas the old continent recorded “only” 1844 cases of abusive data sucking, the same request, when sent from the United States triggered 60% more instances, for a total of 2,950 cases, a difference which can be explained in particular by the presence in Europe of the GDPR , which since 2018 has obliged platforms to obtain users’ consent before collecting data..

    How do websites record one’s data without consent?

    For all practical purposes the majority of sites collecting data before submission forwards email addresses (encrypted or unencrypted) to third party sites are generally specialist advertising campanies, which collected the data to serve up personalised advertising (aka corporate graffiti. Ed.). In some less frequent instances a key logger is used to enable the keystrokes made to be directly recorded.

    In Europe, the matter is even more sensitive since a good number of major sites, including Facebook owners Meta and TikTok were amongst the sites tested.

  • No Microsoft account, no Windows 11

    Steve WoodsPrivacy, Security, Tech

    French tech news site Frandroid reports that there has been a very unobtrusive but significant change to the installation procedure for Windows 11, but one with major implications for users’ privacy and security.

    Since the launch of Windows 11, users of the home edition have been obliged to have a Microsoft account and an internet connection for the initial configuration of a machine if a fresh installation is involved. The company could soon extend this obligation to the operating system’s Professional edition.

    Windows 11 desktop
    Do I look like a Mac in this?
    Image courtesy of Wikimedia Commons.

    This week Microsoft has released build 22557 to members of the Windows Insider programme. This is a rather ambitious new version of Windows 11 packed with new “features“, including a change in policy regarding Windows 11 Pro.

    As Microsoft wrote on its blog announcing the release:

    Similar to Windows 11 Home edition, Windows 11 Pro edition now requires internet connectivity during the initial device setup (OOBE) only. If you choose to setup device for personal use, MSA will be required for setup as well. You can expect Microsoft Account to be required in subsequent WIP flights.

    As you have read, Microsoft has stated in black and white that people will need to have an internet connection and a Microsoft account, even from Windows 11 Pro to enable a machine’s personal use (as distinct from business or educational use).

    As a matter of fact, Microsoft is stating what the obligation will be included in all future versions of Windows 11 in the Insider programme. It can therefore be assumed that this new constraint only affects the initial configuration of machines with versions of Windows 11 from the Insider programme.

    We will have to await the next major update of Windows 11 which incorporates the new features of build 22557 to check if having a Microsoft account has really become mandatory for the operating system’s Pro edition.

    The use of an online account has long been required by Apple and Google on iOS and Android respectively, but less so for Windows, since historically there has not been any Microsoft account to connect, much to the chagrin of the software publisher. Users are therefore not accustomed to such a requirement, which Microsoft has been trying to promote since the launch of Windows 8

  • Google and Microsoft finance open source security campaign

    Steve WoodsLinux, Open Source, Security, Tech

    A new initiative by the Open Source Security Foundation (OpenSSF) should improve the security of open source applications, German news site heise reports. The campaign, called the Alpha-Omega Project, is the result of negotiations at the White House between representatives of technology companies, US authorities and non-profit organisations. The initial funding of $5 mn. is being financed jointly by Google and Microsoft.

    Image courtesy of opensource.com

    OpenSSF is organising the project in two parts – Alpha and Omega. In the Alpha section expert groups are analysing the security situation of the most-used open source applications to find and remedy vulnerabilities. This should train software operators and users in security awareness. In the Omega section a team of software developers is working on automated tests for over 10,000 distributed open source project to propose possible security measures to their user communities.

    Open source projects and libraries are widely used in software development. The Log4Shell vulnerability in the widely-distributed Log4j Java library recently showed how critical an attack can be. Even after a month and a half it still remains unclear whether companies have survived the worst. Users and companies should therefore investigate their own systems for vulnerable instances of the Log4j library and install current patches.

    More details of the Alpha-Omega Project can be found in the official announcement.

Posts navigation