Hasty Briefsbeta

All tags

#privacy

903 stories total

Bilingual

Telegram, the FSB, and the Man in the Middle
a year ago
- Telegram, created by Pavel Durov, boasts over a billion monthly active users globally.
- Telegram's reputation for security and privacy is challenged by a new investigation revealing a critical vulnerability linked to Vladimir Vedeneev, a network engineer with significant access to Telegram's infrastructure.
- Vedeneev's companies have ties to Russian security services, including the FSB and a secretive research computing center involved in planning the Ukraine invasion.
- Telegram's default chats are not end-to-end encrypted, leaving metadata vulnerable to tracking, despite the company's assurances of security.
- Investigations show that Vedeneev has had exclusive access to Telegram's servers and has signed contracts on behalf of the company, raising concerns about potential surveillance by Russian authorities.
- Pavel Durov, under investigation in France, has denied Telegram's infrastructure presence in Russia, but evidence suggests otherwise, including his multiple visits to Russia.
- Telegram's growth was fueled by its privacy reputation, attracting users from various political spectrums, but its security features are more nuanced than advertised.
- Experts warn that Telegram's MTProto protocol includes unencrypted elements that can be used to track users, even in end-to-end encrypted chats.
- Vedeneev's involvement with Telegram extends beyond infrastructure, including roles as an informal CFO, highlighting deep but opaque connections.
- GlobalNet, a company linked to Vedeneev, has implemented Deep Packet Inspection (DPI) in line with Russian regulations, further raising surveillance concerns.
"Localhost tracking" explained. It could cost Meta 32B
a year ago
- Meta developed 'localhost tracking' to bypass Android's sandbox protections, tracking users even with VPN, incognito mode, and deleted cookies.
- Meta faces potential fines under GDPR, DSA, and DMA, with a combined theoretical maximum risk of €32 billion.
- The tracking links browser activity to real identities via Facebook/Instagram apps and Meta Pixel scripts, even without user consent.
- 22% of the world's most visited websites are affected, tracking billions of users over years without their knowledge.
- Meta violated GDPR (consent, data minimization), DSA (prohibited personalized ads), and DMA (combining data without consent).
- The technique works by using WebRTC and hidden app services to transmit data between browsers and Meta's servers.
- Users are only unaffected if they use iOS, desktop browsers, or privacy-focused tools like Brave or DuckDuckGo.
Criminalizing Masks at Protests Is Wrong
a year ago
- States and the President are attempting to criminalize wearing face masks at protests.
- Wearing masks at protests is a right to privacy and a fundamental human right.
- Masks help prevent the spread of illnesses, especially for immunocompromised individuals.
- Masks protect against surveillance and retaliation from law enforcement or other actors.
- Anonymity is crucial to prevent chilling effects on free speech and protest participation.
- Technology companies are developing ways to bypass mask protections with facial recognition.
- Law enforcement should not wear masks during arrests to ensure accountability.
- EFF opposes criminalizing mask-wearing at protests, especially during crackdowns on civil liberties.
Bitsight Identifies Security Cameras Accessible on the Internet
a year ago
- Bitsight TRACE found over 40,000 exposed security cameras streaming live on the internet without passwords or protections.
- The United States and Japan have the highest number of exposed cameras, with the U.S. leading at roughly 14,000.
- Accessing these cameras often requires only a web browser and the right IP address, making them easy targets for bad actors.
- Dark web forums show discussions and sales of access to these exposed cameras, indicating active exploitation.
- Exposed cameras include residential, office, factory, and public transportation feeds, risking privacy and security.
- Recommendations for securing cameras include changing default passwords, disabling remote access, and updating firmware.
- Organizations should restrict access via firewalls and VPNs and monitor for unusual activity.
Airlines Don't Want You to Know They Sold Your Flight Data to DHS
a year ago
- A data broker owned by major US airlines (Delta, American Airlines, United, etc.) collected and sold domestic flight records of US travelers to Customs and Border Protection (CBP).
- The data includes passenger names, flight itineraries, and financial details, used by CBP to track individuals of interest.
- The Airlines Reporting Corporation (ARC), the data broker, instructed CBP not to disclose the source of the data.
- ARC is owned by major airlines and provides services like ticket settlement, travel trend analysis, and fraud prevention.
- CBP's contract with ARC, starting in June 2024, allows access to ARC's Travel Intelligence Program (TIP) for law enforcement purposes.
- TIP data includes flight bookings through travel agencies but not direct airline bookings, updated daily with over a billion records.
- Privacy advocates criticize the government's use of data brokers to bypass legal oversight and bulk data collection.
- CBP claims the data is only used for investigations and follows privacy policies, but concerns remain about misuse.
- Senator Ron Wyden and others are pushing for oversight and reform to close the 'data broker loophole.'
- ARC recently introduced multifactor authentication on May 15, as per its website.
Eavesdropping on laptop, smart speaker microphones demonstrated
a year ago
- Researchers discovered that microphones in laptops and smart speakers emit radio signals that can be intercepted, allowing eavesdropping without device tampering.
- The attack involves capturing unintentional radio signals from microphones using simple FM radio receivers and antennas, costing as little as $100.
- Digital MEMS microphones, common in devices like laptops and smart speakers, leak radio signals containing audio data, which can pass through walls.
- Even when not in active use, microphones can pick up and transmit signals if enabled by apps like Spotify, YouTube, or Google Drive.
- Eavesdropping was most effective on laptops due to long wires acting as antennas, amplifying the leaked signals.
- Machine learning tools from companies like OpenAI and Microsoft can clean up intercepted signals and transcribe them to text for keyword searches.
- Simple design changes, such as relocating microphones or tweaking audio processing protocols, could mitigate the vulnerability.
- Researchers have shared their findings with manufacturers, but it's unclear if companies will implement the suggested fixes.
SimpleX – messaging network operating without user identifiers
a year ago
- SimpleX is a messaging platform with no user identifiers, ensuring 100% privacy by design.
- Features include double ratchet end-to-end encryption, mobile apps for Android and iOS, and terminal apps for Linux, MacOS, and Windows.
- Users can connect via one-time invitation links or temporary addresses, ensuring privacy.
- SimpleX stores all user data on client devices, with messages temporarily held on relay servers.
- The platform supports multiple languages and encourages community contributions like translations and donations.
- Groups and developer communities are available for user interaction and development support.
- SimpleX prioritizes privacy and security, with plans for future enhancements like automatic queue rotation and message mixing.
- The platform has undergone security audits and is open-source, with protocols in the public domain.
- Donations are accepted via various cryptocurrencies to support development.
- SimpleX differentiates itself by not using persistent user identifiers, enhancing privacy compared to other platforms.
The high-tech tools behind cops' protest surveillance
a year ago
- Anonymity as a constitutional right is being undermined by advances in surveillance technology.
- Law enforcement uses automated methods for mass deanonymization of protesters.
- Surveillance methods include facial recognition, metadata collection, and location tracking, often without warrants.
- Protesters continuously emit data through social media, phone metadata, and purchases, accessible to law enforcement.
- President Trump may expand the national surveillance state for political purposes.
- Avoiding tracking is nearly impossible, but steps like leaving cell phones behind can help.
- Technologies used for surveillance include Stingrays, geofencing, data brokers, social media monitoring, gait recognition, ALPRs, drones, and biometric identification.
- Stingrays (IMSI catchers) impersonate cell towers to collect SIM card IDs, enabling mass data collection without warrants.
- Geofence warrants collect location data from all devices in a specified area, increasingly used against protesters.
- Data brokers aggregate public and private data, selling comprehensive profiles to law enforcement.
- Social media monitoring tracks protest organization and participant connections, using fake accounts and data analysis.
- Gait recognition technology identifies individuals by their walking patterns, with potential for automated use in the US.
- Automated License Plate Readers (ALPRs) track vehicle movements, with limited options for avoidance.
- Drones, private CCTV, and body cameras enhance surveillance capabilities, with facial recognition on the rise.
- Biometric identification uses tattoos, iris scans, and DNA, with vendors developing advanced recognition algorithms.
My Mac Contacted 63 Different Apple Owned Domains in One Hour – While Not Is Use
a year ago
- A MacBook Air M2 contacted 63 different Apple domains in one hour while not in use.
- 25% of DNS queries from the MacBook Air M2 were to Apple domains, despite blocking Apple's native telemetry.
- A 2019 Intel MacBook Pro with the same DNS settings had less than 3% of DNS queries to Apple domains.
- Apple domains contacted include services like Push Notification, CloudKit, iTunes, Location Services, and more.
- Some domains are already blocked by the user, including Apple News, Apple TV, and Siri-related services.
The Meta AI app is a privacy disaster
a year ago
- Meta AI app users are unknowingly sharing private conversations publicly.
- Shared content includes sensitive information like home addresses and legal details.
- Meta does not clearly indicate privacy settings when users post.
- Public posts range from bizarre questions to serious legal inquiries.
- The app has been downloaded 6.5 million times since its launch.
- Meta's lack of foresight has led to a privacy nightmare.
A Review of Kagi Search
a year ago
- The author recalls the early days of internet search with portals like Yahoo! and Alta Vista before switching to Google.
- Google still dominates search traffic with around 90% market share, despite the rise of ChatGPT.
- Kagi is a new paid search engine with a focus on privacy, no ads, and no tracking.
- Kagi offers excellent search results, adjustable algorithms, and privacy-protecting AI assistant access.
- Additional features include Kagi Maps (using Open Street Map), image search, and News search.
- Pricing starts at $5/month for 300 searches, with a $10/month Professional plan for unlimited searches.
- The author supports Kagi for its privacy focus and sees potential in its upcoming email service (Kagi Mail).
- Kagi Mail could attract individuals and micro-businesses away from Google Workspace if bundled with the search service.
- Kagi is a small team of 40 people but has made significant progress in championing privacy and the small web.
- The author encourages trying Kagi, seeing it as a glimpse into the future of search.
Trump gives data of immigrant Medicaid enrollees to deportation officials
a year ago
- Trump administration shared personal data of immigrant Medicaid enrollees with deportation officials.
- Data includes immigration status, addresses, names, and social security numbers of enrollees in California, Illinois, Washington state, and Washington, D.C.
- Medicaid officials attempted to block the transfer, citing legal and ethical concerns, but were overruled by top health advisors.
- The move could help authorities locate migrants and potentially affect their eligibility for green cards or citizenship.
- California Governor Gavin Newsom expressed concerns over privacy and potential unlawfulness of the data transfer.
- HHS claims the data sharing is legal, aimed at ensuring Medicaid benefits are reserved for eligible individuals.
- DHS stated the initiative is to prevent illegal aliens from receiving Medicaid benefits meant for Americans.
- CMS reviewed Medicaid enrollees in certain states as part of Trump's executive order to end taxpayer subsidies for open borders.
- Legal arguments against the data transfer were dismissed by Trump appointees at HHS.
- The transfer could have a chilling effect on states sharing data with federal programs.
Meta AI searches made public – but do all its users realise
a year ago
- Meta AI searches are being made public without users realizing, potentially exposing sensitive queries.
- Some users' prompts and results are posted on a public feed, traceable to their social media accounts.
- Examples include requests for scantily-clad characters, test answers, and personal gender-related questions.
- Meta states chats are private by default, but users can choose to share posts publicly.
- A warning appears before sharing, but it's unclear if users fully understand the implications.
- The public 'Discover' feed can link searches to users' other social accounts via usernames and profile pictures.
- Users can opt to make searches private in account settings.
- Rachel Tobac, a cybersecurity expert, highlights the mismatch between user expectations and reality as a security problem.
Facial recognition error sees woman accused of theft
a year ago
- Danielle Horan was wrongly accused of shoplifting due to a facial recognition error.
- She was ejected from two Home Bargains stores in Greater Manchester without initial explanation.
- Her profile was added to a facial recognition watchlist falsely linking her to a £10 theft.
- Facewatch, the security firm, acknowledged the distress and stated the retailer conducted additional staff training.
- A review confirmed the items had been paid for, clearing Horan of any wrongdoing.
- Horan faced anxiety and stress, questioning her actions for days after the incidents.
- Big Brother Watch reports over 35 complaints of wrongful placement on facial recognition watchlists.
- Advocates call for a UK government ban on facial recognition technology in retail.
- The UK government states commercial facial recognition must comply with strict data protection laws.
Airlines Don't Want You to Know They Sold Your Flight Data to DHS
a year ago
- A data broker owned by major airlines (Delta, American Airlines, United) collected U.S. travelers' domestic flight records.
- The data included passenger names, full flight itineraries, and financial details.
- Customs and Border Protection (CBP) purchased this data to track people of interest's air travel.
- CBP was instructed by the data broker (Airlines Reporting Corporation - ARC) not to disclose the data source.
- Civil liberties experts are alarmed by this purchase due to privacy concerns.
- This follows similar revelations about ICE purchasing similar flight data.
Fossify – A suite of open-source, ad-free apps
a year ago
- Fossify is a group of privacy-focused, open-source, and ad-free mobile apps.
- It forked from the discontinued SimpleMobileTools to continue its legacy of simple and private tech.
- For issues affecting multiple apps, check general issues.
- Engage in discussions or share ideas at general discussions.
- Contribute by helping with code or translations via a provided link.
- Questions or inquiries can be directed to [email protected] or through discussions.
- Contributions from the community are highly appreciated.
Please add an option to block or disable "AI" · Issue #740 · codecov/feedback
a year ago
- Request to disable 'Codecov AI' feature permanently across all organizations.
- Concerns about potential misuse of code for AI training without consent.
- Desire for a clear, first-party toggle to opt out of AI features.
- Preference for AI features to be opt-in rather than opt-out.
- Skepticism about the value of AI in improving code coverage.
Will OpenAI Train on You Data with Codex CLI and Custom Provider?
a year ago
- The issue is about missing documentation regarding data privacy when using custom providers like Azure OpenAI.
- The user wants assurance that no data, including telemetry, is sent to OpenAI when using their own endpoint.
- Currently, only the 'zero-data-retention-zdr-usage' section is available, which doesn't fully address the concern.
- The user needs this information to get approval for working with the system.
Has Signal usage collapsed? It seems so
a year ago
- Daily communication primarily uses iMessage or WhatsApp, with minimal use of other apps like Keet and Meshtastic.
- WhatsApp's introduction of ads may push some users to switch to Signal, similar to past reactions to negative news about WhatsApp.
- Many WhatsApp users are indifferent to privacy concerns and ads, likely continuing to use the platform regardless.
- A test post on Signal revealed only 1 viewer out of 216 potential contacts, suggesting low engagement on the platform.
- Signal's current usage appears minimal, but this could change if WhatsApp's ad frequency increases significantly.
Websites Are Tracking You via Browser Fingerprinting
a year ago
- Websites use browser fingerprinting to track users across sessions and sites, even when cookies are cleared.
- Browser fingerprinting combines details like screen resolution and device model to create a unique identifier.
- Unlike cookies, fingerprinting is hard to detect or prevent, making it a significant privacy concern.
- Research introduces FPTrace, a framework to measure fingerprinting-based tracking by analyzing ad system responses.
- Fingerprinting affects ad bidding and HTTP records, proving its use in real-time user tracking.
- Users opting out of tracking under GDPR or CCPA may still be tracked via fingerprinting.
- Current privacy tools and policies are insufficient; stronger browser defenses and regulations are needed.
- The study was presented at ACM Web Conference 2025 and involved Texas A&M and Johns Hopkins University.

first prev9next

About|Login

#privacy

Telegram, the FSB, and the Man in the Middle

"Localhost tracking" explained. It could cost Meta 32B

Criminalizing Masks at Protests Is Wrong

Bitsight Identifies Security Cameras Accessible on the Internet

Airlines Don't Want You to Know They Sold Your Flight Data to DHS

Eavesdropping on laptop, smart speaker microphones demonstrated

SimpleX – messaging network operating without user identifiers

The high-tech tools behind cops' protest surveillance

My Mac Contacted 63 Different Apple Owned Domains in One Hour – While Not Is Use

The Meta AI app is a privacy disaster

A Review of Kagi Search

Trump gives data of immigrant Medicaid enrollees to deportation officials

Meta AI searches made public – but do all its users realise

Facial recognition error sees woman accused of theft

Airlines Don't Want You to Know They Sold Your Flight Data to DHS

Fossify – A suite of open-source, ad-free apps

Please add an option to block or disable "AI" · Issue #740 · codecov/feedback

Will OpenAI Train on You Data with Codex CLI and Custom Provider?

Has Signal usage collapsed? It seems so

Websites Are Tracking You via Browser Fingerprinting