Month: July 2022

Apple:

Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.

Problems with the bug bounty program notwithstanding, Apple is doubling its payouts for vulnerabilities in Lockdown Mode, to up to two million dollars.

Apple is not kidding about this being an optional level of security, either. Enabling Lockdown Mode will mean a noticeably hampered device experience. FaceTime calls from people you have not previously called will be blocked, shared photo albums are removed, and you cannot use wired accessories while your phone is locked. Here is a weird one:

Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.

I think this is strange because files in an image format were implicated in Pegasus attacks, while web previews are generated on the sender’s side. But the apparent GIF files used in ForcedEntry included PDF files containing the exploit — a vulnerability in CoreGraphics which has since been patched — so perhaps Lockdown Mode would correctly parse a similar attack as a non-image attachment and block it.

A preview of Lockdown Mode is included in the beta seeds released today.

See Also: Citizen Lab’s John Scott-Railton on Twitter.

The European Parliament’s press release:

On Tuesday, Parliament held the final vote on the new Digital Services Act (DSA) and Digital Markets Act (DMA), following a deal reached between Parliament and Council on 23 April and 24 March respectively. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how they operate and provide services in the EU, in line with the EU’s fundamental rights and values.

Lauren Leffer, Gizmodo:

Not all tech companies fall under the new legislation. The DMA will target companies valued at more than €75 billion (about $77 billion), or with annual gross revenue of more than €7.6 billion. To be considered a so-called “gatekeeper,” a company’s services will also have to have at least 45 million monthly users in the European Union and 10,000 annual business users. Companies that meet these requirements include Apple, Google, Meta, Amazon, and China-based mega-online-retailer Alibaba.

Both of these laws represent, on paper at least, the most effectual regulation anywhere of the modern technology industry. Expect to see commonplace practices upended and significant pushback, some of which will be warranted; Casey Newton has commented previously about the possible privacy and security risks of the DMA on messaging clients, for example, which I also built upon.

These policies give us the opportunity to see to what extent first-party applications and services really are great for their own sake, and also how much of their use comes from their inherent advantages. Of course I hope the things I love about the way I use computers today are not destroyed, but I am also trying to be prepared for a huge amount of change we will likely see around the world.

The leadership of DuckDuckGo, Ecosia, and Qwant jointly published a set of principles for search engine and browser choice. You can read the list for yourself, but I want to call out one specific recommendation:

Choice screens should be shown periodically to users, for instance on major OS updates. Initial device onboarding is not the only time when users are in the mindset to change core services, and major software updates can reset or affect gatekeeper-controlled search and browser default settings.

This is an example of the kind of thing I am worried about. I am struggling to imagine an implementation of this which would not be irritating. There are people who stick with the same browser or search engine for years because it is the default, certainly, but there are others who consciously prefer the options that just happen to be the default. If there is no way to distinguish between the two, it is a waste of the latter’s time to pester them with a choice screen.

The Electronic Frontier Foundation, in an otherwise largely positive reflection:

However, the DSA is not a panacea for all problems users face online and the final deal isn’t all good news: It gives way too much power to government agencies to flag and remove potentially illegal content and to uncover data about anonymous speakers. The DSA obliges platforms to assess and mitigate systemic risks, but there is a lot of ambiguity about how this will turn out in practice. Much will depend on how social media platforms interpret their obligations under the DSA, and how European Union authorities enforce the regulation.

These rules will likely go into effect next year, so expect to see changes to your favourite gatekeepers’ platforms in the near future.

Karen Hao and Rachel Liang, Wall Street Journal:

The cache allegedly includes billions of records stolen from police in Shanghai, containing data on one billion Chinese citizens, according to a post advertising its availability that was published on Thursday by the hacker on a popular online cybercrime forum. The post, which began circulating on social media over the weekend, put the price for the leak at 10 Bitcoin, or roughly $200,000.

[…]

While the scope of the data leak remains unconfirmed, reporters verified several of the records in the leak by calling people whose numbers were listed. Five people confirmed all of the data, including case details that would be difficult to obtain from any source other than the police. Four more people confirmed basic information such as their names before hanging up.

Take the numbers here with a grain of salt. The alleged amount of information is so vast that a difference of a single-digit percentage either way would mean tens of millions of people. If this database ends up containing records of, say, hundreds of millions of people instead of a billion, it is still huge, but the difference would be significant.

Yesterday, “lz__233” tweeted evidence of database credentials disclosed in a CSDN user’s since-deleted technical post. Regardless of whether that played a role in this staggering disclosure, it is enough to make anyone wonder whether it is just a matter of time before any given massive data set leaks. These are the kinds of records you would imagine are more carefully protected — in theory — than an average web service.

Update: It appears the disclosed database credentials likely had nothing to do with this leak. Hao and Liang, in a follow-up Journal article:

The Shanghai police records — containing the names, government ID numbers, phone numbers and incident reports of nearly 1 billion Chinese citizens — were stored securely, according to the cybersecurity experts. But a dashboard for managing and accessing the data was set up on a public web address and left open without a password, which allowed anyone with relatively basic technical knowledge to waltz in and copy or steal the trove of information, [cybersecurity experts] said.

Breathtaking incompetence, but I would bet this is more common than you might believe. Clever attacks — like 2020’s SolarWinds breach — are more attention-grabbing, but there are many examples of entirely unsecured control panels, server passwords, and databases.

Jen Fitzpatrick, SVP of “Core” at Google:

Location History is a Google account setting that is off by default, and for those that turn it on, we provide simple controls like auto-delete so users can easily delete parts, or all, of their data at any time. Some of the places people visit — including medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others — can be particularly personal. Today, we’re announcing that if our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit. This change will take effect in the coming weeks.

I think there may be many people realizing for the first time that Google was tracking their time in an addiction treatment facility or an abortion clinic. Even the biggest privacy nihilist who assumes Google tracks them everywhere must have, from time to time, a revelation of Google’s awareness of specific moments of their day.

Regardless, it is unclear to me whether removing these destinations from a user’s Location History will truly eradicate these visits from their account. A 2018 AP investigation found users’ physical locations were also recorded in other parts of their Google account, often under labels not immediately related to local functionality. To stop recording addresses a user entered in Google Maps and wayfinding directions, for example, a user would need to disable Web & App Activity. In 2019, Google began automatically deleting some history from Web & App Activity on a rolling eighteen-month basis.

So where are we at with TikTok? Over the past couple of years, the momentum it had built up turned it into a global phenomenon. But critics have questioned the app’s ties to its Chinese parent company, leading to a letter sent to Tim Cook and Sundar Pichai from FCC commissioner Brendan Carr asking them to pull the app from their app stores. (Maybe you read my commentary.) Only one problem with that demand.

Karl Bode, Techdirt:

If you were to dig through the resulting news reports covering Carr’s empty letter, you’d be hard pressed to find a single one that could be bothered to note that Carr doesn’t have any regulatory authority over social media or app stores, the letter has absolutely no meaningful legal backing to support his request, or that Carr himself has absolutely zero credibility on consumer privacy issues.

Perhaps Carr intended this letter in the same way other public figures write letters of support for a position without having direct control over it. It is maybe a way to move the needle and generate discussion. But, still, everyone reporting on this letter should have pointed out how ineffectual the demand is.

Bode’s coverage of Carr’s regulatory history is also worth reading. If the collection of and access to Americans’ private data — maybe by a foreign government — really is a giant security concern, there are meaningful levers Carr could pull. But it is easier to blame this one app because it is very popular.

For its part, TikTok responded to several Republican senators’ concerns. Bobby Allyn, NPR:

Shou Zi Chew, TikTok’s chief executive, wrote that the company is nearing a final agreement with the U.S. government to ensure its data-sharing practices do not raise national security concerns.

As part of that arrangement, TikTok says all U.S. user traffic is now being routed to servers controlled by California-based Oracle, rather than TikTok’s own infrastructure. Soon, he said, TikTok hopes to delete all U.S. data from the company’s servers and rely completely on Oracle’s storage “with access limited only to authorized personnel, pursuant to protocols being developed with the U.S. Government,” Chew wrote.

I guess a good question for skeptics would be whether any measures are enough. If TikTok were truly spun off as an entirely separate company and there were no remaining connections to ByteDance, would that create enough separation between the app’s data and intelligence agencies in China? For those worried about Chinese data access, surely a more comprehensive privacy approach is required.