Content type: Key Resources
Political campaigns, debate and engagement have become increasingly digitalised in Italy. Here are some examples of concerns this has raised.
Content type: Examples
A couple who tried, in February 2018, to keep their unborn child a secret from the internet, in part so the child could create its own internet identity when it was ready. They had some success in avoiding being pursued by baby-related ads, but found themselves unable to exercise the control they wanted. While no one asks for pregnancy and parenting ads to be turned on, no one is able to get them turned off, and data brokers sell the most personal details of our lives. The cost of trying to…
Content type: Examples
In October 2018, Google developers announced Manifest V3, a new standard for developing extensions for its Chrome web browser. One of the modifications included replacing the API used by extensions that need to intercept and work with network requests. The new API, DeclarativeNetRequest, limits the number of network requests an extension can access; the result was to muzzle third-party adblockers but not the new one Google was building in. Google claimed that implementing a maximum value was…
Content type: Examples
In a December 2018 update, Facebook so effectively disguised sponsored posts that it took AdBlocker Plus a month, instead of the more usual few days, to find a way to counter it. Facebook has responded to the threat posed to its business model by adblockers by both providing users with advertising settings and tweaking its code to keep adblockers from working on the site. Federal Trade Commission rules require Facebook ads to be clearly labelled as such, but the adblocking arms race has…
Content type: Examples
In November 2018, a report by the consultancy Privacy Company, on behalf of the Dutch Ministry of Justice, found that Microsoft could be breaking European data collection rules because its Office software was collecting large amounts of personal data including email subject lines and snippets of content typed into emails or Word. The data was originally transmitted to the US, but in an effort to comply with GDPR Microsoft had switched to storing the data in Europe. The Dutch government was…
Content type: Examples
In November 2018 the campaign group Freedom from Facebook used the social network's own advertising tools to promote a "safe space" website where they can submit whistleblower tips anonymously. Facebook declined to comment but did not appear to be blocking the ads nor keeping a log of who viewed them. One leak suggested that recent scandals, including the Cambridge Analytica affair, had led to a rise in the percentage of staff who said they were optimistic about the company's future. The PR…
Content type: Examples
In November 2018, a UK Gambling Commission audit found that the number of problem gamblers aged 11 to 16 had quadrupled to 55,000 over two years, 70,000 children were at risk, and 450,000, or one in seven, children aged 11 to 16 bet regularly, spending, on average, £16 a week on fruit machines, bingo, betting shops, and online games, all of which are illegal for under-18s. Two-thirds of children told auditors they had seen gambling ads on TV; close to a million had been exposed to gambling…
Content type: Examples
In November 2018 Bidooh announced it was developing an intelligent and automated digital billboard advertising platform that it said would leverage facial recognition and blockchain technology to track engagement. Billboard advertising is valued globally at almost $34.8 billion a year. Bidooh has said it considers itself the "Google Adwords" for digital billboard advertising; it intends the new system to be able to target passers-by based on criteria such as age, gender, facial hair, and…
Content type: Examples
Days after the 2018 shooting that killed 11 Jewish congregants in a Pittsburgh synagogue, The Intercept found that Facebook still allowed advertisers to choose "white genocide conspiracy theory" as a targeting criterion, capturing 168,000 members of the social network. The technique used was the same as the one Pro Publica had discovered a year earlier that showed that "Jew hater", "How to burn Jews", and "History of 'why jews run the world'" were acceptable to Facebook as selection criteria…
Content type: Long Read
CEOs of the big tech companies have all recently discovered the value of privacy. On Tuesday, 30 April 2019, Mark Zuckerberg announced his future plans to make Facebook a "privacy-focused social platform". This was followed by Google's Sundar Pichai's demand that “privacy must be equally available to everyone in the world.” Meanwhile, Twitter's Jack Dorsey has described the General Data Protection Regulation (GDPR) as "net-positive", while Apple had already positioned itself as the champion of…
Content type: Examples
In its February 2019 iOS release (12.2), Apple introduced a toggle enabling users to control whether websites received motion and orientation data collected by the gyroscope and accelerometer inside the iPhone, iPad, and iPod touch. The change is believed to be in response to a 2018 report that thousands of websites have uncontrolled access to motion, orientation, proximity, and light sensor data on mobile devices.
https://www.macrumors.com/2019/02/04/ios-12-2-safari-motion-orientation-access-…
Content type: Examples
In February 2019, an anonymous tip-off to Computer Sweden revealed that a database containing recordings of 170,000 hours of calls made to the Vårdguiden 1177 non-emergency healthcare advice line was left without encryption or password protection on an open web server provided by Voice Integrate Nordic AB. After the breach was discovered, MedHelp, which runs the 1177 service, shut the server down and found that 55 call files had been illegally downloaded from seven different IP addresses. Nine…
Content type: Examples
In January 2019, researchers reported finding two huge data dumps. Collection #1 contained passwords and usernames relating to nearly 773 million email addresses spread across about 2.7 spreadsheet rows in 12,000 files. Collection #2.5 contained 845GB of data and more than 25 billion records that included 2.2 billion unique usernames and passwords. Researchers at Phosphorus.io said that more than 130 people were making the data available, and there had been more than 1,000 downloads. Troy Hunt'…
Content type: Examples
In January 2019 Apple briefly disabled the group functionality in its FaceTime video calling application after a bug was discovered that allowed users to listen in on the people they were calling when they did not pick up the call and also allowed some callers to see video of the person they were calling before the receiver picked up. Apple fixed the problem a week later in its next software update, iOS 12.1.4.
https://www.theguardian.com/technology/2019/jan/28/apple-facetime-bug-listen-calls-…
Content type: Examples
In late 2018, researchers at SINTEF Digital Norway, ETH Zurich, and Berlin's Technical University discovered a new and serious vulnerability in several generations of the cellular mobile communications protocols: 3G, 4G, and the upcoming 5G. The flaw affected Authentication and Key Agreement, which negotiates and establishes authentication between cellular networks and users' phones. AKA as designed for 5G was intended to close a vulnerability in 3G and 4G that allows fake base stations, known…
Content type: Examples
In November 2018 the UK Information Commissioner's Office fined Uber's European operation £385,000 for inadequate security that permitted a November 2016 data breach affecting nearly 3 million British users and 82,000 drivers. In the 2016 breach, attackers obtained credentials that allowed them to access Uber's cloud servers and download 16 large files that held the records of 35 million Uber users worldwide. These included passengers' full names, phone numbers, email addresses, and sign-up…
Content type: Examples
In January 2019 Twitter revealed that it had discovered a security flaw that meant that Android users who updated the email address linked to their account between November 2014 and January 2019 had inadvertently turned off the "protected" setting on their accounts so that their tweets could have been exposed publicly. The company said it was alerting the affected users and publishing the error because it wanted to be sure of reaching the users it could not identify in its internal…
Content type: Examples
As part of its planning for the 2020 Olympic Games, due to be held in Tokyo, Japan approved a law that would allow the government to conduct a survey to identify vulnerable Internet of Things devices. The National Institute of Information and Communications Technology staff who carry out the survey, who will be supervised by the Ministry of Internal Affairs and Communications, are required to follow strict rules in attempting to hack into these devices: they are only allowed to use default…
Content type: Examples
A November 2018 breach of a government-funded resettlement agency's database in South Korea allowed hackers, believed to be North Korean state security officials, to copy the personal information belonging to 997 North Koreans living in South Korea. Escaping to South Korea is considered an act of treason in North Korea, and those who leave North Korea without permission may be sentenced to prison or hard labour while their families are penalised financially. Previous attempts to attack escapees…
Content type: Examples
In November 2018, the criminal hacker group 3ve found a new way of exploiting security weaknesses in the Border Gateway Protocol that allowed them to take control of IP addresses belonging to the US Air Force and other reputable organisations; the result was to net them $29 million in fraudulent advertising revenue. The scheme involved a thousand servers that impersonated human beings viewing ads on bogus pages run by 3ve; to camouflage the origins of the traffic the page requests were…
Content type: Examples
It was already known that law enforcement agencies can track phones to within 500 metres if they show service providers a warrant, but in January 2019, it became clear that the same real-time location data was being sold to a wide range of third parties, including car salesmen, property managers, bail bondsmen, and bounty hunters. The latter in turn would track any phone for private individuals for a few hundred dollars. At least one company, Microbilt, is selling these phone geolocation…
Content type: Examples
A vulnerability in Amadeus, the customer reservation system used by 144 of the world's airlines, was only superficially patched after a team reported the vulnerability in 2018. As a result, an attacker could alter online strangers' Passenger Name Records, which contain all the details of the passengers and flights, and are used by government security agencies to check against the no-fly list. Bug hunter Noam Rotem discovered that a web script hosted by individual airlines accepts passengers'…
Content type: Examples
In 2016, Jamie Siminoff, the CEO of the miniature security camera company Ring, emailed his employees informing them that the company would adopt a new mission to fight crime by using consumer electronics. The company, which Amazon acquired in 2018, sells its cameras with a social app, "Neighbors", which allows customers to watch their own property and share information about alleged criminality and suspicious individuals with the rest of the people on their block. Ring's hyper-connected…
Content type: Examples
In January 2019, the security researcher Justin Paine discovered that the California-based voice over IP provider Voipo had left exposed an unprotected database containing tens of gigabytes of call logs, other internal documents, and customer text messages, including password resets and two-factor authentication codes, all dated between May 2015 and January 8, 2019. The material could have given an attacker deep access to the company's systems. When Paine contacted the company's chief…
Content type: Examples
The miniature security camera maker Ring, which was acquired by Amazon in 2017 for a reported $1 billion, has a history of inadequate oversight of the data collected by those cameras on behalf of its customers. In 2016, it reportedly granted virtually unlimited access to its Ukraine-based research and development team to a folder on Amazon's S3 cloud service that held, unencrypted, every video Ring cameras around the world had recorded in order to compensate for weaknesses in its facial and…
Content type: Examples
In December 2018, the security researchers at 0DayAllDay discovered that the encryption keys hard-coded into the firmware inside the Guardzilla indoor wireless security system were protected by a ten-year-old, easily cracked algorithm. Because all the devices used the same keys, anyone could use the keys to log into the company's Amazon-hosted storage service and gain access to the customer data uploaded there. Although the researchers had notified the company in September, they had received no…
Content type: Examples
In December 2018, a hacker made more than 50,000 internet-connected printers worldwide print out flyers asking everyone to subscribe to the YouTube channel belonging to PewDiePie, whose real name is Felix Kjellberg. PewDiePie, who has had the most subscribers on YouTube since 2013, was in danger of losing his top ranking to the channel belonging to Bollywood record label T-Series. His fan TheHackerGiraffe used the IoT search engine Shodan to find open printers using the open source Printer…
Content type: Examples
In December 2018 Facebook revealed that over a 12-day period in September a software bug may have wrongly allowed about 1,500 third-party apps to access 6.8 million users' photos, including some that people began uploading to the social network but didn't go on to finish posting. EPIC executive director Marc Rotenberg said the incident offered more evidence that Facebook has violated the terms of its 2011 agreement with the US Federal Trade Commission. In May, Facebook suspended some 200 games…
Content type: Examples
In November 2018, a security researcher found that the location-tracking children's watch MiSafe's Kid Watcher Plus, originally released in 2015, neither encrypted nor secured the children's accounts, allowing him to track their movements, secretly listen in to their activities, and spoof calls to the watch from their parents. The watches include a GPS system and a 2G mobile data connection so parents can monitor, via a smartphone app, their children's whereabouts and be alerted if the child…
Content type: Examples
In February 2019, the cybersecurity company Trend Micro found that at least 29 beauty and photo editing apps that had been downloaded more than 4 million times from Google's Play Store included code that pushed full-screen ads for fraudulent or pornography content or that directed users to phishing sites by making them believe they had won a contest. A second group of camera apps that claimed to improve photos actually uploaded them to a remote server controlled by the app developer and then…