Television

Should Plex Stop Allowing Users To Opt Out of Data Collection? (www.plex.tv) 75

Slashdot reader bigdogpete writes: Many users of Plex got an email that said they were changing their privacy policy which goes into effect on 20 September 2017. While most of the things are pretty standard, users found it odd that they were now not going to allow users to opt-out of data collection. Here is the part from their website explaining the upcoming changes.

"In order to understand the usage across the Plex ecosystem and how we need to improve, Plex will continue to collect usage statistics, such as device type, duration, bit rate, media format, resolution, and media type (music, photos, videos, etc.). We will no longer allow the option to opt out of this statistics collection, but we do not sell or share your personally identifiable statistics. Again, we will not collect any information that identifies libraries, files, file names, and/or the specific content stored on your privately hosted Plex Media Servers. The only exception to this is when, and only to the extent, you use Plex with third-party services such as Sonos, Alexa, webhooks, and Last.fm."

What do you all think?

Communications

Tech Companies Urge Supreme Court To Boost Cellphone Privacy (reuters.com) 29

More than a dozen high technology companies and the biggest wireless operator in the United States, Verizon, have called on the U.S. Supreme Court to make it harder for government officials to access individuals' sensitive cellphone data. From a report: The companies filed a 44-page brief with the court on Monday night in a high-profile dispute over whether police should have to get a warrant before obtaining data that could reveal a cellphone user's whereabouts. Signed by some of Silicon Valley's biggest names, including Apple, Facebook, Twitter, Snap and Alphabet's Google, the brief said that as individuals' data is increasingly collected through digital devices, greater privacy protections are needed under the law. "That users rely on technology companies to process their data for limited purposes does not mean that they expect their intimate data to be monitored by the government without a warrant," the brief said.
Crime

UK Wants To Criminalize Re-Identification of Anonymized User Data (bleepingcomputer.com) 120

An anonymous reader writes: European countries are currently implementing new data protection laws. Recently, despite leaving the European Union, the United Kingdom has expressed intent to implement the law called General Data Protection Regulation. As an extension, the UK wants to ban re-identification (with a penalty of unlimited fines), the method of reversing anonymization, or pointing out the weakness of the used anonymisation process. One famous example was research re-identifying Netflix users from published datasets. By banning re-identification, UK follows the lead of Australia which is considering enacting similarly controversial law that can lead to making privacy research difficult or impossible. Privacy researchers express concerns about the effectiveness of the law that could even complicate security, a view shared by privacy advocates.
Privacy

Disney Sued For Allegedly Spying On Children Through 42 Gaming Apps (washingtonpost.com) 40

schwit1 shares a report from The Washington Post (Warning: may be paywalled; alternative source): The Walt Disney Co. secretly collects personal information on some of their youngest customers and shares that data illegally with advertisers without parental consent, according to a federal lawsuit filed late last week in California. The class-action suit targets Disney and three other software companies -- Upsight, Unity and Kochava -- alleging that the mobile apps they built together violate the law by gathering insights about app users across the Internet, including those under the age of 13, in ways that facilitate "commercial exploitation."

The plaintiffs argue that Disney and its partners violated COPPA, the Children's Online Privacy Protection Act, a federal law designed to protect the privacy of children on the Web. The lawsuit, filed in U.S. District Court for the District of Northern California, seeks an injunction barring the companies from collecting and disclosing the data without parental consent, as well as punitive damages and legal fees. The lawsuit alleges that Disney allowed the software companies to embed trackers in apps such as "Disney Princess Palace Pets" and "Where's My Water? 2." Once installed, tracking software can then "exfiltrate that information off the smart device for advertising and other commercial purposes," according to the suit. Disney should not be using those software development companies, said Jeffrey Chester, the executive director of the Center for Digital Democracy. "These are heavy-duty technologies, industrial-strength data and analytic companies whose role is to track and monetize individuals," Chester said. "These should not be in little children's apps."
Disney responded to the lawsuit, saying: "Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in court."
Businesses

Top VPN Provider Accused of Sharing Customer Traffic With Online Advertisers (bleepingcomputer.com) 55

Catalin Cimpanu, reporting for BleepingComputer: On Monday, the Center for Democracy & Technology (CDT) -- a US-based privacy group -- filed a complaint with the US Federal Trade Commission (FTC) accusing one of today's largest VPN providers of deceptive trade practices. In a 14-page complaint, the CDT accuses AnchorFree -- the company behind the Hotspot Shield VPN -- of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users. In its complaint to the FTC, the CDT is not accusing AnchorFree of secretly injecting ads, as users are well aware of this practice, but of not respecting promises made to its customers. More specifically, the CDT says that AnchorFree does not respect a pledge made in marketing materials that it won't track or sell customer information.
Cellphones

Ask Slashdot: Are My Drone Apps Phoning Home? 132

Slashdot reader bitwraith noticed something suspicious after flying "a few cheap, ready-to-fly quadcopters" with their smartphone apps, including drones from Odyssey and Eachine. I often turn off my phone's Wi-Fi support before plugging it in to charge at night, only to discover it has mysteriously turned on in the morning. After checking the Wi-Fi Control History on my S7, it appears as though the various cookie-cutter apps for these drones wake up to phone home in the night after they are opened, while the phone is charging. I tried contacting the publisher of the Odyssey VR app, with no reply.

I would uninstall the app, but then how would I fly my drone? Why did Google grant permission to control Wi-Fi state implicitly to all apps, including these abusers? Are the apps phoning home to report my flight history?

The original submission asks about similar experiences from other drone-owning Slashdot users -- so leave your best answers in the comments. What's making this phone wake up in the night?

Are the drone apps phoning home?
The Military

A US Spy Plane Has Been Flying Circles Over Seattle For Days (thedrive.com) 232

turkeydance shares Thursday's report from The Drive: A very unique U.S. Air Force surveillance aircraft has been flying highly defined circles over Seattle and its various suburbs for nine days now... The aircraft, which goes by the callsign "SPUD21" and wears a nondescript flat gray paint job with the only visible markings being a U.S. Air Force serial on its tail, is a CASA CN-235-300 transport aircraft that has been extensively modified... It is covered in a dizzying array of blisters, protrusions, humps and bumps. These include missile approach warning detectors and large fairings on its empennage for buckets of forward-firing decoy flares, as well as both microwave -- the dome antenna behind the wing and flat antenna modification in front of the wing -- and ultra high-frequency satellite communications -- the platter-like antenna behind the dome antenna. A communications intelligence suite also appears to be installed on the aircraft, with the antenna farm on the bottom of its fuselage being a clear indication of such a capability. But what's most interesting is the aircraft's apparent visual intelligence gathering installation...

This particular CN-235, with the serial 96-6042, is one of six that researchers commonly associated with the Air Force's top secret 427th Special Operations Squadron... The 427th occupies the same space with a host of other "black" U.S. military aviation elements, most of which are affiliated to some degree with Joint Special Operations Command and the Intelligence Community... [I]f the military placed the aircraft under civilian control to some degree and with an appropriate legal justification, the U.S. military could possibly fly it in support of a domestic operation or one focused on a foreign suspect or organization operating within the United States... It's also entirely possible, if not probable, that the aircraft could be involved in a realistic training exercise rather than an actual operation... The area could have simply provided a suitable urban area to test existing or new surveillance technologies, too, though this could spark serious privacy concerns if true.

Friday an Air Force Special Operations Command public affairs officer confirmed that the plane was one of theirs, describing its activity as "just a training mission," according to Russia Today.
Chrome

Browser Extensions Are Undermining Privacy (vortex.com) 82

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."
Android

BLU Claims Innocence, Gets Phones Reinstated On Amazon (slashgear.com) 43

Earlier this week, Amazon suspended budget phone maker BLU from selling its phones on the site, citing a "potential security issue." A few days have passed and BLU has made its defense. SlashGear reports: AdUps, the Chinese company that provides affordable firmware update software to countless budget Android phones, is not spyware and not even Kryptowire, the security firm that broke the news last year, called it that, insists BLU. To be fair, Kryptowire really didn't. In its 2016 report, it simply described AdUps' OTA software as "FIRMWARE THAT TRANSMITTED PERSONALLY IDENTIFIABLE INFORMATION (PII) WITHOUT USER CONSENT OR DISCLOSURE." Curiously, that is more or less how the FTC defines spyware (PDF). In its 2017 follow-up, it did drop the second part of that phrase and simply reported on "mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties." While BLU, and a few other OEMs, was caught unaware by the first report, it's insisting on its innocence in this second instance. Its defense stems from the argument that it is doing nothing that violates its Privacy Policy and, therefore, doesn't constitute any wrongdoing. Yes, that privacy policy that barely anyone reads, which can't legally be blamed on manufacturers anyway.

In other words, when you agreed to use BLU's devices, you basically agreed that such PII could possibly be transmitted to a third party outside the US. In this particular case, that does apply to the situation with AdUps. Interestingly, the policy's copyright dates back to 2016, when the AdUps issue first came up. The Internet Archives doesn't seem to have any version of that page before April this year. And so we come to BLU's second argument: everybody's doing it. The data that AdUps collects is the same or even just a fraction of what other OEMs are collecting. Google is hardly the bastion of privacy and other OEMs are also collecting such data and sending it to servers in China, as is the case with Huawei and ZTE. Finally, BLU says that Kryptowire's new report really only identifies the Cubot X16S, from a Chinese OEM, as the only smartphone really spying on its users.
UPDATE: BLU has confirmed that its devices "are now back up for sale on Amazon."
Mozilla

Inside Mozilla's Fight To Make Firefox Relevant Again (cnet.com) 276

News outlet CNET has a big profile on Firefox today, for which it has spoken with several Mozilla executives. Mozilla hopes to fight back Chrome, which owns more than half of the desktop market share, with Firefox 57, a massive overhaul due November 14. From the report: "It's going to add up to be a big bang," Mozilla Chief Executive Chris Beard promises, speaking at the company's Mountain View, California, headquarters. "We're going to win back a lot of people." "Some of the stuff they're doing from a technology perspective is amazing," says Andreas Gal, who became CEO of startup Silk Labs after leaving the Mozilla chief technology officer job in 2015. "I just don't think it makes a difference." [...] You may not care which browser you use, but the popularity of Firefox has helped keep browsers competitive and build the web into a foundation for online innovations over the last decade. Are you a fan of Google Maps, Facebook, Twitter or YouTube? That's partly thanks to Firefox. Mozilla's mission is to keep the web vibrant enough for the next big innovation even as companies offer mobile apps instead of websites, dump privacy-invading ads on you or try to confine your activity to their own walled gardens. [...] To Mozilla, each tap or click on a webpage in Firefox is more than you browsing the internet. It's a statement that you'd prefer a more open future where online services can start up on their own. The alternative, as Mozilla sees it, is a future where everyone kowtows to Apple's app store, Google's search results, Facebook's news feed or Amazon's Prime video streaming. That's why Mozilla bought billboard ads saying "Browse against the machine" and "Big browser is watching you," a jab at Google. [...] Improvements within a project called Quantum are responsible for much of the difference. One part, Stylo, accelerates formatting operations. Quantum Flow squashes dozens of small slowdown bugs. Quantum Compositor speeds website display. 
And Firefox 57 also will lay the groundwork for WebRender, which uses a computing device's graphics chip to draw webpages on the screen faster. "You can do user interface and animation and interactive content that you simply can't do in any other browser," says Firefox chief Mayo, speaking from his office in Toronto -- over video chat technology Firefox helped make possible. It all adds up to a very different engine at the core of Firefox. That kind of speedup can really excite web developers -- an influential community key to Firefox's success in taking on IE back in 2004.
Android

Amazon Suspends Sales of Blu Android Phones Due To Privacy Concerns (cnet.com) 66

CNET reports: Amazon just put budget phone maker Blu in the penalty box. The online retailing giant told CNET that it was suspending sales of phones from Blu, known for making ultra-cheap Android handsets, due to a "potential security issue." The move comes after security firm Kryptowire demonstrated last week how software in Blu's phones collected data and sent it to servers in China without alerting people. Blu defended the software, created by a Chinese company called Shanghai Adups Technology, and denied any wrongdoing. A company spokeswoman said at the time it "has several policies in place which take customer privacy and security seriously." She added there had been no breaches. Blu said it was in a process of review to reinstate the phones at Amazon.
Google

Privacy Watchdog Asks FTC To Look Into Google's Offline Shopping Tracker (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: A privacy advocacy group has filed a formal legal complaint with the Federal Trade Commission, asking the agency to begin an investigation "into Google's in-store tracking algorithm to determine whether it adequately protects the privacy of millions of American consumers." In the Monday filing, the Electronic Privacy Information Center (EPIC) said it is concerned with Google's new Store Sales Management program, which debuted in May. The system allows the company to extend its online tracking capabilities into the physical world. The idea is to combine credit card and other financial data acquired from data brokers to create a singular profile as a way to illustrate to companies what goods and services are being searched for online, which result in actual in-person sales. Because the algorithm that Google uses is secret, EPIC says, there is no way to determine how well Google's claimed anonymization feature -- to mask names, credit card numbers, location, and other potentially private data -- actually works. While Google has been cagey about exactly how it does this, the company has previously revealed that the technique is based on CryptDB.
Facebook

Facebook Funds 'Defending Digital Democracy' Initiative At Harvard (diginomica.com) 90

An anonymous reader quotes Diginomica: A fresh initiative aimed at information sharing about election threats and dubbed Defending Digital Democracy has the financial support of Facebook and the academic muscle of Harvard behind it. Will the project succeed where similar initiatives have failed...? On 19 July and backed by a $500,000 initial grant from Facebook, the Belfer Center for Science and International Affairs at Harvard Kennedy School launched a new, bipartisan initiative called the Defending Digital Democracy Project. The project will be co-led by Robby Mook, Democrat Hillary Clinton's 2016 presidential campaign manager, and Matt Rhoades, Republican Mitt Romney's 2012 campaign manager. The hope is that creating a unique and bipartisan team comprised of top-notch political operatives and leaders in the cyber and national security world, the project will be able to identify and recommend strategies, tools, and technology to protect democratic processes and systems from cyber and information attacks.
The group will also assess new technologies (including blockchain) to secure elections, and wants to create an information sharing infrastructure modeled "on similar efforts within the tech industry to share tech intelligence." The article says Facebook's chief security officer "hopes that election officials who are wary of cooperating with the federal government will be more receptive to working with an independent group tied to Harvard and the tech industry," and the group also includes Google's director for Information Security and Privacy.

"Facebook plans to host state and local election officials at its D.C. office later this year to discuss the information sharing organization, and launch the organization in early 2018."
The Internet

O'Reilly Media Asks: Is It Time To Build A New Internet? (oreilly.com) 305

An anonymous reader shares an article from O'Reilly Media's VP of content strategy: It's high time to build the internet that we wanted all along: a network designed to respect privacy, a network designed to be secure, and a network designed to impose reasonable controls on behavior. And a network with few barriers to entry -- in particular, the certainty of ISP extortion as new services pay to get into the "fast lane." Is it time to start over from scratch, with new protocols that were designed with security, privacy, and maybe even accountability in mind? Is it time to pull the plug on the abusive old internet, with its entrenched monopolistic carriers, its pervasive advertising, and its spam? Could we start over again?

That would be painful, but not impossible... In his deliciously weird novel Someone Comes To Town, Someone Leaves Town, Cory Doctorow writes about an alternative network built from open WiFi access points. It sounds similar to Google's Project Fi, but built and maintained by a hacker underground. Could Doctorow's vision be our future backboneless backbone? A network of completely distributed municipal networks, with long haul segments over some public network, but with low-level protocols designed for security? We'd have to invent some new technology to build that new network, but that's already started.

The article cites the increasing popularity of peer-to-peer functionality everywhere from Bitcoin and Blockchain to the Beaker browser, the Federated Wiki, and even proposals for new file-sharing protocols like IPFS and Upspin. "Can we build a network that can't be monopolized by monopolists? Yes, we can..."

"It's time to build the network we want, and not just curse the network we have."
Google

Will 'Smart Cities' Violate Our Privacy? (computerworld.com) 108

An anonymous reader quotes Computerworld's article on the implications of New York City's plan to blanket the city with "smart" kiosks offering ultrafast Wi-Fi. The existence of smart-city implementations like Intersection's LinkNYC means that New Yorkers won't actually need mobile contracts anymore. Most who would otherwise pay for them will no doubt continue to do so for the convenience. But those who could not afford a phone contract in the past will have ubiquitous fast connectivity in the future. This strongly erodes the digital divide within smart cities. A 2015 study conducted by New York City found that more than a quarter of city households had no internet connectivity at home, and more than half a million people didn't own their own computer...

Over the next 15 years, the city will go through the other two phases, where sensor data will be processed by artificial intelligence to gain unprecedented insights about traffic, environment and human behavior and eventually use it to intelligently re-direct traffic and shape other city functions... And as autonomous cars gradually roll out, New York will be well positioned to be one of the first cities to legalize them, because they'll be safer thanks to 5G, sensors and data from all those kiosks.

Intersection, a Google-backed startup, has already installed 1,000 of the kiosks in New York, and is planning to install 7,000 more. The sides of the kiosk have screens which show alerts and other public information -- as well as advertisements, which cover all the costs of the installations and even bring extra money into the city coffers.

New York's move "puts pressure on other U.S. cities to follow suit," the article also points out, adding that privacy policies "are negotiated agreements between the company and the city. So if a city wants to use those cameras and sensors for surveillance, it can."
Open Source

OpenMoko: Ten Years After (vanille.de) 48

Michael Lauer, member of the core team at OpenMoko, a project that sought to create a family of open source mobile phones -- which included the hardware specs and the Linux-based OS -- has shared the inside story of what the project wanted to do and why it failed. From his blog post: For the 10th anniversary since the legendary OpenMoko announcement at the "Open Source in Mobile" (7th of November 2006 in Amsterdam), I've been meaning to write an anthology or -- as Paul Fertser suggested on #openmoko-cdevel -- an obituary. I've been thinking about objectively describing the motivation, the momentum, how it all began and -- sadly -- ended. I did even plan to include interviews with Sean, Harald, Werner, and some of the other veterans. But as with oh so many projects of (too) wide scope this would probably never be completed. As November 2016 passed without any progress, I decided to do something different instead. Something way more limited in scope, but something I can actually finish. My subjective view of the project, my participation, and what I think is left behind: My story, as OpenMoko employee #2. On top of that you will see a bunch of previously unreleased photos (bear with me, I'm not a good photographer and the camera sucked as well). [....] Right now my main occupation is writing software for Apple's platforms -- and while it's nice to work on apps using a massive set of luxury frameworks and APIs, you're locked and sandboxed within the software layers Apple allows you. I'd love to be able to work on an open source Linux-based middleware again. However, the sad truth is that it looks like there is no business case anymore for a truly open platform based on custom-designed hardware, since people refuse to spend extra money for tweakability, freedom, and security. Despite us living in times where privacy is massively endangered.
Privacy

CNET Warns 'Everything Looks Like A Hack' At DEFCON (cnet.com) 45

From a CNET report: The hacker convention, which is in its 25th year in Las Vegas, typically has hotels on alert for its three days of Sin City talk, demos and mischief. Guests are encouraged not to pick up any flash drives lying around, and employees are trained to be wary of social engineering -- that is, bad guys pretending to be someone innocent and in need of just a little help. Small acts of vandalism pop up around town. At Caesars Palace, where Defcon is happening, the casino's UPS store told guests it was not accepting any print requests from USB drives or links, and only printing from email attachments. Hackers who saw this laughed, considering that emails are hardly immune from malware. But the message is clear: During these next few days, hackers are going to have their fun, whether it's through a compromised Wi-Fi network or an open-to-tinkering website.
NOTE: CNET also originally reported that the Wet Republic web site "had two images vandalized" with digital graffiti. But their reporter now writes that "my paranoia finally got the best of me, and it turned out to be an ad campaign."
Privacy

German Court Rules Bosses Can't Use Keyboard-Tracking Software To Spy On Workers (thelocal.de) 72

An anonymous reader quotes a report from The Local: The Federal Labour Court ruled on Thursday that evidence collected by a company through keystroke-tracking software could not be used to fire an employee, explaining that such surveillance violates workers' personal rights. The complainant had been working as a web developer at a media agency in North Rhine-Westphalia since 2011 when the company sent an email out in April 2015 explaining that employees' complete "internet traffic" and use of the company computer systems would be logged and permanently saved. Company policy forbade private use of the computers. The firm then installed keylogger software on company PCs to monitor keyboard strokes and regularly take screenshots. Less than a month later, the complainant was called in to speak with his boss about what the company had discovered through the spying software. Based on their findings, they accused him of working for another company while at work, and of developing a computer game for them. [...] So the programmer took his case to court, arguing that the evidence used against him had been collected illegally. The Federal Labour Court agreed with this argument, stating in the ruling that the keylogger software was an unlawful way to control employees. The judges added that using such software could be legitimate if there was a concrete suspicion beforehand of a criminal offense or serious breach of work duties.
Crime

Feds Crack Trump Protesters' Phones To Charge Them With Felony Rioting (thedailybeast.com) 465

An anonymous reader quotes a report from The Daily Beast: Officials seized Trump protesters' cell phones, cracked their passwords, and are now attempting to use the contents to convict them of conspiracy to riot at the presidential inauguration. Prosecutors have indicted over 200 people on felony riot charges for protests in Washington, D.C. on January 20 that broke windows and damaged vehicles. Some defendants face up to 75 years in prison, despite little evidence against them. But a new court filing reveals that investigators have been able to crack into at least eight defendants' locked cell phones. Now prosecutors want to use the internet history, communications, and pictures they extracted from the phones as evidence against the defendants in court. [A] July 21 court document shows that investigators were successful in opening the locked phones. The July 21 filing moved to enter evidence from eight seized phones, six of which were "encrypted" and two of which were not encrypted. A Department of Justice representative confirmed that "encrypted" meant additional privacy settings beyond a lock screen. For the six encrypted phones, investigators were able to compile "a short data report which identifies the phone number associated with the cell phone and limited other information about the phone itself," the filing says. But investigators appear to have bypassed the lock on the two remaining phones to access the entirety of their contents.
Government

Travelers' Electronics At US Airports To Get Enhanced Screening, TSA Says (arstechnica.com) 151

An anonymous reader quotes a report from Ars Technica: Aviation security officials will begin enhanced screening measures of passengers' electronics at US airports, the Transportation Security Administration announced Wednesday. Travelers must remove electronics larger than a mobile phone from their carry-on bags and "place them in a bin with nothing on top or below, similar to how laptops have been screened for years. This simple step helps TSA officers obtain a clearer X-ray image," the TSA announced amid growing fears that electronic devices can pose as homemade bombs. The TSA was quick to point out that the revised security measures do not apply to passengers enrolled in the TSA Precheck program.

"Whether you're flying to, from, or within the United States, TSA is committed to raising the baseline for aviation security by strengthening the overall security of our commercial aviation network to keep flying as a safe option for everyone," TSA Acting Administrator Huban A. Gowadia said. "It is critical for TSA to constantly enhance and adjust security screening procedures to stay ahead of evolving threats and keep passengers safe. By separating personal electronic items such as laptops, tablets, e-readers and handheld game consoles for screening, TSA officers can more closely focus on resolving alarms and stopping terror threats."
