Category archive: Security

Apple wants to protect privacy — Facebook wants to 'inflict pain'

Facebook, Mark Zuckerberg, literally wants to inflict pain on Apple, on Tim Cook. To make them hurt. To lobby the government against them, to claim anti-trust, to do everything they can to paint Apple dirty. Why? Because Apple wants to give us, the customers, the users, the ability to choose whether or not Facebook gets to track us outside their own apps, across other apps, even across the web. Apple considers this simple level of privacy and dignity a fundamental human right. And… Facebook… well, Facebook seems intent on seeing it as an existential threat.

App Tracking Transparency

Starting in iOS 14.5, if an app wants to track your activities in other apps and on the web — well, it absolutely still can; it just has to ask your permission first. That’s it.

It’s called App Tracking Transparency, and it means that, if you’re in the Facebook app, and you’re in your favorite knitting group or whatever, talking about all the knitting, all the knitting, Facebook can serve you personalized ads about knitting, because they know you’re more likely to click on that than on… something random. And that’s all fine. That’s all 1st-party, meaning all happening in the same app, and nothing about that is changing. Not at all.

If you leave the Facebook app, and then go to Lego.com and then jeep.com, open a journaling app, your to-do list, play a couple of games, and then go back to Facebook, well, normally, Facebook tries to follow you across all those apps and websites as well, across anything that uses any of their software plugins or social hooks, so that they can serve you ads based on what you do in those apps and sites as well. And this is what’s changing, at least a very tiny little bit. This 3rd-party tracking. And all that’s changing is that Apple wants Facebook — or any app for that matter — to ask your permission before tracking you. That’s literally it.

Any app that wants to share your data with another app or service, or sell your activity to a data broker, can still do it. They simply have to ask you first.

1st vs. 3rd Party Tracking

Facebook iOS 14 tracking prompt (Source: MacRumors)

It doesn’t even apply to other apps the same company owns. So Facebook can still 1st party track us across the big blue app and Facebook.com, Instagram, WhatsApp, Oculus, Messenger, any other app or website they own. Which is like half the social web at this point. It’s only if they want to track us across apps and websites they don’t own that they have to ask.

It’s no different than what other apps have had to ask before they access our photos or contacts or camera, or our physical location; all this means is that they now have to ask us before they can monitor our digital location as well.

Because, just like we’re concerned an app might steal our private photos, spam our contacts, listen in or spy on us with the camera or mic, or stalk us and sell our location in the real world, we’re increasingly concerned about apps stalking us in the digital world.

It’s why we see so many conspiracy theories about apps like Facebook or Instagram using the mic to listen in to our conversations — because they’re so damn good at serving us targeted ads that we think they must be all up in our brainstems to do it.

But they’re not. They’re just… that… damn… good… That damn good at profiling us based on our behavior so they can target us with those ads. And again, Apple isn’t saying they can’t do that anymore, that they can’t track our digital activity. Just like Apple isn’t saying, apps can’t edit our photos or find our friends or transmit our voices or faces across the internet or give us turn-by-turn traffic directions. All Apple’s saying is… like with all those other apps — they simply have to ask us first.

Some people will be fine with it. We’re getting the ads anyway, so they may prefer those ads be as personalized as possible. Others won’t. They’ll find it creepy and demand it stop. And now, for the first time, we’ll all get what we want.

Except for Facebook, which seems to think giving us a choice is wrong. Probably because they’re worried if we’re given a choice, we’ll choose to block them. To say no.

Make the case


Rather than making a case for us to say yes, to argue the value they can deliver, Facebook is taking out ads in newspapers, lobbying governments, claiming anti-trust violations, saying this will hurt small apps and small business — as if any of them, from the biggest tech companies to the smallest online merchants own our data and have a greater right to it than we do. As if it belongs to them, not us. By divine right.

Now, some people are confusing and conflating how App Tracking Transparency applies to Apple’s own apps. Intentionally or accidentally spreading disinformation about Apple having a double standard, not playing fair, giving themselves a separate setting. And… they’re actually right. But not really. Apple’s standard here isn’t double — it’s higher.

That separate setting doesn’t stop Apple from doing 3rd-party tracking or serving personalized ads based on your activity elsewhere because Apple doesn’t do that… at all… to begin with. Not any of it. What that second setting does is stop Apple from serving 1st-party ads. Like, suggested apps in the App Store. The equivalent of Facebook serving you that knitting ad while you’re in the Facebook knitting group.

And that’s the reason it’s a second, separate setting. Because it’s legacy, but also because the new one applies to all apps. The old one, sadly, at this point, only to Apple. And conflating 3rd and 1st party tracking in the same interface panel — well, that’s what would be really confusing.

Other people are saying the wording on the popup is unfair. That "Allow Facebook to Track Your Activities Across Other Companies' Apps and Websites" is scary and chilling. That it should be something closer to "Allow Facebook to Serve You Personalized Ads."

Which is such a steaming pile of poop emojis. And everyone knows it. Because personalizing ads isn’t all they can do with that permission. It’s not all they can do with the access, far from it. And everyone knows that as well. It’s like… a giant Facebook Thirst Trap, and they think we’re all going to fall for it.

Asked and answered

Mark Zuckerberg in front of the Facebook logo (Source: iMore)

See, photo apps don't get to ask for permission to apply filters, contacts apps to find friends, conferencing apps to place video calls, location services for turn-by-turn. They have to ask for full access. For blanket permissions. Because that's what they get. And once they have it, they can steal our photos, spam our contacts, record what we're doing, or sell our location to collection agents because that's the access we've given them. So they don't get to lie about the limitations, cherry-pick the most benign use cases, diminish or try and dismiss the very real risk of an app not just serving us personalized ads but selling our online activity to data brokers. We get to know the full scope, so we get to make the most informed decision.

Even then, Apple’s not stopping any of that anyway. All they’re doing is requiring Facebook and any other app to ask us first and then to respect our decision.

Apple can’t stop all of it anyway. All they can do is block the iOS-specific ad identifier. Not all of Facebook or any other service’s software plugins or web hooks. All they can do is hope Facebook and others honor our choice and cut that stuff out — out of their own accord. Based on the honor system.

Even that — the honor system — seems to be too much for Facebook. Because it’s not ending Facebook or any small apps or businesses, like at all. That’s absurd. They’re too busy doing that themselves with Cambridge Analytica, Onavo VPN, algorithmic malfeasance, betraying WhatsApp and Oculus login promises, and the list goes on and on. If anything, Apple is prompting them to clean up their act. Encouraging them to do the most minimally decent, user-centric thing imaginable so they can start regaining our trust.

Source: https://www.imore.com/apple-wants-protect-privacy-facebook-wants-inflict-pain

The mass surveillance of society has made companies extremely wealthy

The Facebook news ban revealed how problematic it is to rely on corporations to provide fundamental public services

By business reporter Gareth Hutchens

Facebook harvests our personal data in unimaginable quantities, Gareth Hutchens writes. (Reuters: Dado Ruvic)

The fog lifted for a moment.

Last week, when Facebook blocked Australians from viewing and sharing "news content" on its platform, we saw what role it plays in Australian society.

Community groups, charities, sport clubs, arts centres, unions and emergency services all rely on the social media giant.

Its platform plays the role of an important public messaging board.

But in a country with so little civil society infrastructure, our heavy reliance on a corporation to provide such a fundamental public service is deeply problematic.

Facebook, Inc. doesn’t care about your fundraiser or political protest.

It couldn’t care less about your art exhibition.

What it cares about is your personal data, which it harvests in unimaginable quantities.

And the methods it uses to keep its 2.7 billion monthly active users "engaged" on its website (so it can keep learning more about them) are also deeply problematic.

Jaron Lanier, one of the founders of the field of virtual reality, has been warning about social media and tech giants for years.

"Everyone has been placed under a level of dystopian surveillance straight out of a dystopian science fiction novel," he wrote in 2018 about the technological architecture created by these companies.

"Spying is accomplished mostly through connected personal devices — especially, for now, smartphones — that people keep practically glued to their bodies.

"Data is gathered about each person's communications, interests, movements, contact with others, emotional reactions to circumstances, facial expressions, purchases, vital signs: an ever-growing, boundless variety of data."

Mr Lanier says the ocean of personal data these companies extract from the internet is turned into behavioural data that allows them to predict and manipulate our behaviour.

Video: "Facebook was wrong": Josh Frydenberg criticises restrictions on Australian news.

"[These] platforms have proudly reported on experimenting with making people sad, changing voter turnout, and reinforcing brand loyalty," he said.

Just one example: in 2014, Facebook executives apologised after a scientific paper revealed the company had conducted secret psychological tests on 700,000 users, without its users' knowledge, in which it tried to manipulate its users' emotions to see what effect it would have on the status updates they posted or how they would use Facebook's "like" button.

Surveillance capitalism

It’s worth remembering what Facebook is.

It is a member of a group of companies that are engaged in something called "surveillance capitalism".

According to Professor Shoshana Zuboff, the author who coined the term, surveillance capitalism refers to the "new economic order" that has emerged in the age of the internet and smartphone.

She says the companies that practice it lay claim to our personal information, our "data", as "free raw material" to be aggressively harvested.

Some of the data they collect are used for product or service improvement, but the rest is considered as a proprietary "behavioural surplus".

That surplus data is then fed into machine intelligence which turns the data into "prediction products" that "anticipate what you will do now, soon and later".

According to Professor Zuboff, social media companies trade those "prediction products" in a new kind of marketplace for behavioural predictions which she calls "behavioural futures markets".

"Surveillance capitalists have grown immensely wealthy from these trading operations, for many companies are eager to lay bets on our future behaviour," she wrote in her 2019 book, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power.

"The competitive dynamics of these new markets drive surveillance capitalists to acquire ever-more-predictive sources of behavioural surplus: our voices, personalities, and emotions.

"Surveillance capitalists discovered that the most-predictive behavioural data come from intervening in the state of play in order to nudge, coax, tune, and herd behaviour towards profitable outcomes.

"It has become difficult to escape this bold market project, whose tentacles reach from the gentle herding of innocent Pokemon Go players to eat, drink, and purchase in the restaurants, bars, fast-food joints, and shops that pay to play in its behavioural futures markets to the ruthless expropriation of surplus from Facebook profiles for the purposes of shaping individual behaviour, whether it's buying pimple cream at 5:45pm on a Friday, clicking 'yes' on an offer of new running shoes as the endorphins race through your brain after your long Sunday morning run, or voting next week.

"Just as industrial capitalism was driven to the continuous intensification of the means of production, so surveillance capitalists and their market players are not locked into the continuous intensification of the means of behavioural modification and the gathering might of instrumentarian power."

Mark Zuckerberg's Facebook is a member of a group of companies engaged in "surveillance capitalism". (AP: Trent Nelson via The Salt Lake Tribune)

Google invented surveillance capitalism

Professor Zuboff says Google invented and perfected surveillance capitalism in the early 2000s "in much the same way that a century ago General Motors invented and perfected managerial capitalism".

"Google was the pioneer of surveillance capitalism in thought and practice, the deep pocket research and development, and the trailblazer in experimentation and implementation, but it is no longer the only actor on this path," she wrote.

"Surveillance capitalism quickly spread to Facebook and later to Microsoft. Evidence suggests that Amazon has veered in this direction, and it is a constant challenge to Apple, both as an external threat and as a source of internal debate and conflict."

She published those words in 2019.

A little later that year, the Guardian described the book as an "epoch-defining international bestseller, drawing comparisons to Rachel Carson's Silent Spring".

The mass surveillance of society has made companies extremely wealthy

One of the points Professor Zuboff has repeatedly made about surveillance capitalism is how profitable it is for the companies that practice it.

The ocean of personal data they hoover up is turned into unimaginable wealth and power, making the companies more powerful than nation-states.

It helps to explain why those tech companies have come to dominate stock markets.

Screenshot of the ABC News page on Facebook showing no posts. News organisations including the ABC have been impacted, along with community groups, charities, sport clubs, arts centres, unions, emergency services and more. (Supplied)

Last year, when researchers at the International Monetary Fund tried to figure out why there seemed to be a large disconnect between stock markets and the real world during one of the worst global recessions in memory, one thesis they considered was that the outsize influence of the big five tech companies — Google, Facebook, Microsoft, Amazon and Apple, which accounted for 22 per cent of the market capitalisation on US stock markets — was making US financial markets appear healthier than they were.

At any rate, it comes back to the question of what type of organisation should be running a country’s quasi-public messaging board.

Are we happy to leave it to surveillance capitalists to run a "public good" of that kind?

Source: https://www.abc.net.au/news/2021-02-21/when-facebook-banned-news-australia-we-saw-role-it-plays/13175698

Facebook’s devastating display of defiance is vintage Zuckerberg

Facebook’s decision to ban legitimate news from being shared in the middle of a global pandemic is a breathtaking display of defiance. It is also entirely consistent with the social media behemoth’s belligerent corporate character.

The move – which inadvertently resulted in Facebook pages of health departments in Queensland, WA and ACT being wiped just before a critical vaccine rollout begins – shocked the Australian media and political establishment. But, in hindsight, nobody should have been surprised. This was vintage Zuckerberg. You don’t blitzscale your way from Harvard dorm room to trillion-dollar titan in the space of a few years without putting lots of noses out of joint.

Facebook CEO Mark Zuckerberg arrives to testify before a joint hearing of Congress. (Credit: AP)

The Australian government’s media bargaining code, which is at the centre of the dispute, has been endlessly debated over the past year. Media companies say they should be paid for producing journalism that benefits the platforms, but they lack the bargaining power to extract any value for it. Tech giants claim they do not really benefit from the existence of news, that news represents a small part of the overall activity on their platforms, and since they actually send these news organisations free traffic they shouldn’t be paying them anything.

There are merits to both sides of the argument.

Yet there is little doubt stronger regulation of Google and Facebook is urgently needed. The two companies have scarily dominant positions in their respective markets of search and social media, and also an entrenched duopoly in digital advertising. Meanwhile, their ascent has coincided with a host of societal problems ranging from rising misinformation and fake news, to a troubling surge in online conspiracy theories and growing internet addiction.

The media bargaining code attempts to resolve the digital duopoly's market dominance by using the threat of arbitration to force Google and Facebook to strike commercial deals with media companies. Could there have been a more straightforward solution? A digital platform tax or levy may have been cleaner and simpler and has existing parallels elsewhere in the economy.

There are already taxes on addictive and harmful products (think cigarette excise), and levies on disruptive new market entrants that are used to compensate legacy incumbents also exist (for example, the levies on Uber rides that are distributed to taxi licence holders).

Regardless, the debate about the merits of the media bargaining code in Australia has now become moot. The bill to bring the code into law has sailed through the lower house of Parliament and is all but certain to be passed by the Senate. Facebook is effectively saying that the overwhelming majority of elected officials in a sovereign parliament are wrong.

It is possible that a news-free Facebook could be positive for society and the media industry in the medium term. But at this fragile moment in history – a once in a century health crisis coupled with a fake news epidemic – for the primary gateway to information for millions of people to block critical information from being shared was chillingly irresponsible.

Throughout its relatively short history, Facebook has pursued a win at all costs, take no prisoners approach to business. It has also shown little regard for the wreckage it has left behind. For many years its official corporate mantra was “move fast and break things”.

When a potential competitor emerges, Facebook either buys it (as it did with WhatsApp and Instagram) or copies its key features (as it has done with Snapchat and TikTok).

Facebook has pursued a win at all costs, take no prisoners approach to business. (Credit: Bloomberg)

It has repeatedly abused the privacy of its users and demonstrated a shocking ineptitude at thwarting the misinformation and conspiracy theories that have flourished on its platform, which are now demonstrably weakening democracies.

The spat over the media bargaining code highlights the fiendishly complex task governments face in regulating digital giants with operations that span the globe, billions of users and perhaps unrivalled power.

Tech proponents argue Australia’s regulation is deeply flawed – and to an extent they may have a point. But there is flawed regulation all across the economy. Most wildly profitable and dominant companies (even Google) begrudgingly accept these kinds of impositions as part of their social licence to operate, a cost of doing business. Not Facebook.

Mark Zuckerberg’s middle finger to the Australian government has been noticed all around the world. Already Canada is signaling it will copy the media code, while Europe (which has tried repeatedly to force the digital giants to pay news organisations, with much less success than Australia) is likely to follow.

Facebook has repeatedly shown it does not mind a scrap. But this may be its biggest fight yet, and it is only just beginning.

Source: https://www.smh.com.au/business/companies/facebook-s-devastating-display-of-defiance-is-vintage-zuckerberg-20210219-p5741b.html

How you farewell a Facebook account. And what you can do next

If the lack of news is a deal-breaker for your use of Facebook, how can you delete your account – and what are the consequences?


With Facebook blocking all news pages and links from its Australian service, some people will be weighing up how they’ll continue to use the social media platform.

Facebook is ubiquitous, and for many of us serves as a link to our friends, family, events, photos and memories. After Facebook's snap decision on Thursday to block Australians from seeing news articles on its platform, some users began experimenting with loopholes to continue sharing news, even resorting to breaking up the text in creative ways or using pictures of cats when posting news stories, to throw Facebook off the scent. But in the hours since, those loopholes appear to have been closed.

Is the lack of news a deal-breaker for your use of Facebook? If so, how will you go about deleting your account – and what are the consequences? And are there good alternatives for services that serve news to you?

How will I get my news?

If you previously relied mostly on Facebook for news, it's time to find an alternative, and the service(s) you choose will depend on how you like to consume your content.

If you’re moving to a new social media network, Twitter is an obvious choice. On Twitter, as with Facebook, you get to pick your friends, companies, personalities and outlets, and see their updates in a feed. A lot of news outlets post the same stories to Facebook and Twitter, and may even be more active on the latter now Facebook is out. One advantage of Twitter is you can follow a wide variety of news without crowding your feed too much. For example, you can save curated lists of people and outlets, say, by topic or friend group, to keep things separated. Or you can save specific searches so you’re always up to date on a specific topic or hashtag (those little phrases starting with # that people use to categorise comments, like #auspol for Australian politics).


You could also try Reddit or Discord, if you’re more into discussing the news with a like-minded community.

If you’re sticking with Facebook to keep up with friends, you might just want a straight news service or aggregator to get the latest headlines. Google News is available on every type of device and is good for either skimming the headlines or diving deep into a topic. It has curated “top stories”, suggestions based on your tastes, and you can save favourite sources and topics to a custom feed. On mobile phones, a News Showcase feature lets you read some usually paywalled stories for free. Apple News is similar if you solely use Apple devices, though its premium offering Apple News+ is more curated and you need to pay for it.

For a more DIY option you can collect RSS feeds, which show you every article published on a given website, but they can be messy. Some more advanced RSS reading services, like Feedly, make it easier to create your own news service.

Finally, you can always go directly to the outlets you like. Bookmark the topic pages on websites you’re interested in, or many news outlets also offer newsletters, podcasts and apps to make accessing news more convenient.

What happens to my photos and posts if I delete Facebook?

If you’ve been on the social network for years you might wonder what the repercussions would be if you deleted that app and nuked your account. And the truth is, depending on how you’ve used it, there can be consequences.


Completely deleting your Facebook account will delete all the posts and photos you’ve shared on the service, and remove you from conversations and posts on other people’s Facebook feeds. You will no longer be able to use Facebook Messenger or access any conversations you had there.

If you used Facebook to sign up to other services, such as Spotify or Instagram, you may find it difficult to access them once your account is deleted. Facebook hardware products, such as Portal smart displays and Oculus VR (virtual reality) headsets, require a Facebook account for most functions. In the case of Oculus, you could lose any games you paid for if you delete Facebook.

After 30 days your Facebook account data becomes unrecoverable, although Facebook says it may take 90 days until all your data is gone from its servers.

So how do I do it without losing all my stuff?

For a less nuclear option you can "deactivate" your account, in which case the company keeps your data and you can still use Messenger. Other apps and websites can still log you in with Facebook, and you can reinstate your account in the future.

So if you’re removing yourself from Facebook, you first have to decide whether you’d like the option to come back later. If you do, you should choose a deactivation. If not, you want a deletion. Either way you will go to the same place.

How do you delete or deactivate a Facebook account?

On a computer:

  1. Log in to Facebook and hit the triangle at the top right of the page.
  2. Click on Settings and Privacy, and then Settings.
  3. Click on Your Facebook Information, and then Deactivation or Deletion.

On the mobile app:

  1. Tap the three horizontal lines at the bottom (iPhone) or top (Android) right of the screen.
  2. Scroll down and tap Settings and Privacy, and then Settings.
  3. Scroll down and tap Account Ownership and Control, then Deactivation and Deletion. See below for how to recoup your old posts, including photos.

Deactivation is as simple as entering your password and confirming a few times, but if you’re deleting your account and want to keep your stuff there are a few loose ends to tie up first.

When leaving Facebook, you have a choice of a deactivation where Facebook keeps all your data, or a total deletion that locks you out for good.

Facebook can send your photos and videos directly to another service, such as Dropbox or Google Photos. Or, alternatively, you can download and store any or all information from your Facebook account. This can take some time if you want to keep everything, as it might include years of posts, photos, videos, comments, messages, event details and group discussions, marketplace listings, location information and advertising data. To do either of these things, follow the steps above but at step three choose Transfer a Copy of Your Photos, or Download Your Information.

How do you access Instagram if you’ve ditched Facebook?

Next, you’ll want to make sure you can still access other services. You can keep using Instagram after a Facebook deletion but you may need to make some changes. Before deleting Facebook go to Instagram’s settings, hit Accounts Center, then Logging in Across Accounts, and make sure it’s turned off. If you originally signed up to Instagram via Facebook, this will prompt you to create a password. Now your Instagram and Facebook accounts are separated – but be aware they are the same company and do share your data.


As for non-Facebook apps and services you used Facebook to sign up for, most will have an option in their settings to choose a different login or unlink from Facebook. If you’re unsure if this applies to any services you use, go to Facebook’s settings and hit Apps and Websites to see a list of services you’ve linked to Facebook.

What are some other services for sharing photos?

Google Photos and Apple iCloud are services you may already be using to back up pics from your phone. But you can also use them to share pictures with others, tag people and make comments. If you’re specifically wanting to share photos of the kids you can set up shared folders in Google Photos that do this automatically. Tinybeans is another good app specifically made for sharing photos of kids with family members and friends.

If you’re deleting Facebook entirely and want a Messenger replacement, Signal is probably closest since it’s secure and has seamless integration between mobile and web. You could say the same for WhatsApp, but if you’re completely expunging Facebook from your life that’s a no-go. If you need all the goofy stickers and video chat features, your phone’s default iMessage or Android Messenger is as good as you may get.

Groups and events are the hardest Facebook features to replace, as it can feel like you’re going to miss out if you’re not on Facebook. But there are alternatives, just make sure you have a phone number and/or active email for each of your friends before you leave. Paperless Post is a good service that lets you create events, send invites and track RSVPs, and you can always create a group chat on your messaging platform of choice.

Source: https://www.smh.com.au/technology/how-you-farewell-a-facebook-account-and-what-you-can-do-next-20210219-p573wy.html

It’s time to unfriend Facebook when it resorts to starving us of news


If there was ever any doubt about Facebook’s cavalier attitude to the network of users it has created, this news blackout is definitive. To Facebook, we are all merely pieces of data to be observed, exploited and monetised. As citizens we are worthless.

Australians need to respond with our mouses. We need to unfriend Facebook and find alternative places to connect and collaborate, free of its surveillance models and reckless self-interest.


The 30 per cent of Australians who rely on Facebook as their primary source of news will have to find it elsewhere or live a fact-free life following the Big Tech behemoth’s decision on Thursday to purge journalism from its site.

Overnight, Facebook has removed its users' access to any site that smells like news: not only local major mastheads such as The Sydney Morning Herald and The Age, but also specialist sites like The Conversation and global leaders such as The New York Times.

News blackout ... Facebook is ignoring the public interest while acting in self-interest. (Credit: iStock)

It also seems Fire and Rescue NSW, the Bureau of Meteorology, MS Research Australia, Doctors without Borders and state health departments are among many placed on the blacklist, showing the scope of the Mark Zuckerberg edict from Silicon Valley.

This is an arrogant and reckless move that will be dangerous for all Australians who are relying on an evidence-based response to a global pandemic, but also self-destructive to Facebook. While Facebook argues it does not make much money from news in its network, it is wilfully turning a blind eye to its value. News provides the facts and evidence to anchor what it claims is a ubiquitous digital experience.

If there was ever any doubt about Facebook’s cavalier attitude to the network of users it has created, this news blackout is definitive. To Facebook, we are all merely pieces of data to be observed, exploited and monetised. As citizens we are worthless.

By rejecting the decisions of our elected representatives to implement the findings of the Australian Competition and Consumer Commission’s review of its monopoly power, Facebook is asserting its commercial interests should prevail over the public interest. Indeed, Facebook seems more comfortable with its networks supporting despots and dictatorships by algorithmically fomenting division than respecting a government working in support of democracy.

This decision was made hours after our elected leaders from across the political spectrum endorsed the work of experts to deliver a significant reform that will make our democracy stronger.

The News Media Bargaining Code, the brainchild of the ACCC and its chairman Rod Sims, was a systemic response to the monopoly power that Google and Facebook exert over advertising and its impact on public interest journalism.

Under Australian law there is now a legal mechanism to place a value on fact-based news within the digital platforms that have come to dominate our online world with their algorithmically powered engines of division, distortion and denial.

The spectre of the code – with its global precedence – has already begun to do its job. Google has rushed to finalise premium-content deals with media organisations. These deals will not only make the Australian media, which has shed more than 5000 jobs in the past decade, stronger; they will also help address the built-in weaknesses of digital platforms that refuse to discriminate fact from fiction.

And they were only the first step in the program of digital platform reform that the ACCC has laid out to address the power of the Google/Facebook monopoly.

A review of privacy laws is currently under way, looking at the way Australians’ personal information is collected and monetised by online platforms with a view to designing consumer rights and protections. A separate process is focussing on the responsibilities social media should have to address harmful misinformation and disinformation, dispelling for good the myth that they are platforms with no broader social obligations for the harm they cause.

There’s also a review of the creepy world of ad-tech, where automated, virtual trading floors are running real-time auctions for our attention every time we visit a news page.

But this sort of expression of democratic reform is a red line for Facebook, which believes its network is stronger than our public institutions.

Australians need to respond with our mouses. We need to unfriend Facebook and find alternative places to connect and collaborate, free of its surveillance models and reckless self-interest.

Peter Lewis is the director of the Centre for Responsible Technology.

Source: https://www.smh.com.au/national/it-s-time-to-unfriend-facebook-when-it-resorts-to-starving-us-of-news-20210218-p573lt.html

Is it time to leave WhatsApp – and is Signal the answer?

The Facebook-owned messaging service has been hit by a global backlash over privacy. Many users are migrating to Signal or Telegram. Should you join them?

WhatsApp, Signal and Telegram: three leading choices for messaging services. Photograph: Rafael Henrique/Sopa Images/RexShutterstock

Earlier this month, WhatsApp issued a new privacy policy along with an ultimatum: accept these new terms, or delete WhatsApp from your smartphone. But the new privacy policy wasn’t particularly clear, and it was widely misinterpreted to mean WhatsApp would be sharing more sensitive personal data with its parent company Facebook. Unsurprisingly, it prompted a fierce backlash, with many users threatening to stop using the service.

WhatsApp soon issued a clarification, explaining that the new policy only affects the way users’ accounts interact with businesses (ie not with their friends) and does not mandate any new data collection. The messaging app also delayed the introduction of the policy by three months. Crucially, WhatsApp said, the new policy doesn’t affect the content of your chats, which remain protected by end-to-end encryption – the “gold standard” of security that means no one can view the content of messages, even WhatsApp, Facebook, or the authorities.

But the damage had already been done. The bungled communication attempts have raised awareness that WhatsApp does collect a lot of data, and some of this could be shared with Facebook. The BBC reported that Signal was downloaded 246,000 times worldwide in the week before WhatsApp announced the change on 4 January, and 8.8m times the week after.

WhatsApp does share some data with Facebook, including phone numbers and profile name, but this has been happening for years. WhatsApp has stated that in the UK and EU the update does not share further data with Facebook – because of strict privacy regulation, known as the General Data Protection Regulation (GDPR). The messaging app doesn’t gather the content of your chats, but it does collect the metadata attached to them – such as the sender, the time a message was sent and who it was sent to. This can be shared with “Facebook companies”.

Facebook’s highly criticised data collection ethos has eroded trust in the social network. Its practices can put vulnerable people at risk, says Emily Overton, a data protection expert and managing director of RMGirl. She cites the example of Facebook’s “people you may know” algorithm exposing sex workers’ real names to their clients – despite both parties taking care to set up fake identities. “The more data they profile, the more they put people in vulnerable positions at risk.”

And the social network isn’t known for keeping promises. When Facebook bought WhatsApp in 2014, it pledged to keep the two services separate. Yet only a few years later, Facebook announced aims to integrate the messaging systems of Facebook, Instagram and WhatsApp. This appears to have stalled owing to technical and regulatory difficulties around encryption, but it’s still the long-term plan.


Why are people choosing Signal over Telegram?

Signal, a secure messaging app recommended by authorities such as the Electronic Frontier Foundation and Edward Snowden, has been the main beneficiary of the WhatsApp exodus. Another messaging app, Telegram, has also experienced an uptick in downloads, but Signal has been topping the charts on the Apple and Android app stores.

Signal benefits from being the most similar to WhatsApp in terms of features, while Telegram has had problems as a secure and private messaging app, with its live location feature recently coming under fire for privacy infringements. Crucially, Telegram is not end-to-end encrypted by default, instead storing your data in the cloud. Signal is end-to-end encrypted, collects less data than Telegram and stores messages on your device rather than in the cloud.


Does Signal have all the features I am used to and why is it more private?

Yes, Signal has most of the features you are used to on WhatsApp, such as stickers and emojis. You can set up and name groups, and it’s easy to send a message: just bring up the pen sign in the right-hand corner.

Signal has a desktop app, and you can voice and video chat with up to eight people. Like WhatsApp, Signal uses your phone number as your identity, something that has concerned some privacy and security advocates. However, the company has introduced PIN codes in the hope of moving to a more secure and private way of identifying users in the future.

As well as being end-to-end encrypted, both WhatsApp and Signal have a “disappearing messages” feature for additional privacy. The major difference is how each app is funded. WhatsApp is owned by Facebook, whose business model is based on advertising. Signal is privacy-focused and has no desire to analyse, share or profit from users’ private information, says Jake Moore, cybersecurity specialist at ESET.

Signal is supported by the non-profit Signal Foundation, set up in 2018 by WhatsApp founder Brian Acton and security researcher (and Signal Messenger CEO) Moxie Marlinspike, who created an encryption protocol that is used by several messaging services, including WhatsApp and Skype as well as Signal itself. Acton, who left Facebook in 2017 after expressing concerns over how the company operated, donated an initial $50m to Signal, and the open-source app is now funded by the community. Essentially that means developers across the world will continually work on it and fix security issues as part of a collaborative effort, making the app arguably more secure.

But there are concerns over whether Signal can maintain this free model as its user base increases to the tens, or potentially in the future, hundreds of millions. Signal is adamant it can continue to offer its service for free. “As a non-profit, we simply need to break even,” says Aruna Harder, the app’s COO.

Signal is exclusively supported by grants and donations, says Acton. “We believe that millions of people value privacy enough to sustain it, and we’re here to demonstrate that there is an alternative to the ad-based business models that exploit user privacy.”


I want to move to Signal. How do you persuade WhatsApp groups to switch?

The momentum away from WhatsApp does appear to be building, and you may find more of your friends have switched to Signal already. But persuading a larger contact group can be more challenging.

Overton has been using Signal for several years and says all her regular contacts use the app. “Even when dating online, I ask the person I want to go on a date with to download Signal, or they don’t get my number.”

Some Signal advocates have already begun to migrate their groups over from WhatsApp. Jim Creese, a security expert, is moving a neighbourhood text group of 100 people to Signal. He is starting with a smaller sub-group of 20, some of whom struggle with technology. Creese says most are ambivalent about switching “as long as the new method isn’t more difficult”.

He advises anyone who’s moving groups across apps to focus on the “why” first. “Explain the reasons for the change, how it is likely to affect them, and the benefits. Don’t rush the process. While WhatsApp might not be where you want to be today, there’s no emergency requiring an immediate move.”

Moore thinks the shift away from WhatsApp will continue to gain momentum, but he says it will take time to move everyone across. Until then, it’s likely you will need to keep both WhatsApp and Signal on your phone.

Moore is in the process of moving a family chat to Signal, for the second time. “When I originally tried, one family member didn’t understand my concerns and thought I was being overcautious.

“However, the recent news has helped him understand the potential issues and why moving isn’t such a bad idea. The next hurdle will be getting my mother to download a new app and use it for the first time without me physically assisting her.”

Source: https://www.theguardian.com/technology/2021/jan/24/is-it-time-to-leave-whatsapp-and-is-signal-the-answer

The Messenger Alternatives

Some use the internet, some function without servers, some are paid and others are free, but all these apps claim to have one thing in common—respect for user privacy

Ever since WhatsApp announced an update in its privacy policy, thousands of people rushed to download messenger alternatives such as Signal and Telegram. While these two have been in the news for their security features, which are tighter than the messaging giant’s, there are other applications that have been around for a while, used both for consumer-to-consumer messaging and within enterprises for their internal communication.

While some of these alternative apps need the internet, others don’t. Some function without servers, using peer-to-peer technology, and are on a subscription model, while others are free to use. But they all claim to have one thing in common–respect for users’ privacy.

Although security and privacy-related technologies are constantly evolving, making it difficult to lay down a clear benchmark for which app is completely secure, there are a few things users should be aware of to ensure their privacy is not compromised, say technology and privacy experts.

First, says Divij Joshi, technology policy fellow at Mozilla Foundation, a global non-profit, “It’s definitely important to have a communications protocol based on end-to-end encryption.” End-to-end encryption refers to a system of communication wherein only the sender and receiver can read the messages and see the content shared. However, Joseph Aloysius, a Singapore-based student researcher in surveillance studies, says, “Even with encryption it is important that it is device-based end-to-end encryption, and not cloud-based. In addition, the encryption setting should be a default setting, not optional as seen in Telegram.” Another point to keep in mind is to ensure that technologies collect as little metadata–information not related to the message content but things like the quantity or location of messages–as possible, adds Joshi.

Second, they should be open source and left open for public auditing. “Ideally, it’s best if companies leave the server code open as Signal has done,” says Aloysius.

Both Joshi and Aloysius are of the view that it is also necessary to ensure that the corporate practices of the application are clear and fair. “For instance, terms of use, the privacy policy, so they can’t alter the technology or data collection practices arbitrarily,” says Joshi.

Although there has been an uproar about the latest changes to the privacy policy, WhatsApp continues to remain popular primarily due to its ease of use and convenience, say experts. “For some, it may also be a cost concern. There may also be a false sense of security since nothing apparent has gone wrong and there have been no consequences to date for them using the app for business purposes,” explains Heidi Shey, principal analyst, security and risk, Forrester.

However, if you are a user who is concerned about privacy, here is a lowdown on alternatives to WhatsApp and the features they offer.

Wickr

The San Francisco-based app, founded in 2012, is used by some of the biggest players in the federal space, including the U.S. Department of Defense. It has also been validated by the National Security Agency as the “most secure collaboration tool in the world,” says co-founder and CTO of Wickr, Chris Howell. He adds, “Our government and enterprise customers choose Wickr because we have the most secure, end-to-end encrypted platform on the market that enables sensitive mission and business communications without compromising compliance.”

Wickr’s largest user base is in the US, followed by Europe, India and Australia, but it has seen an uptick in both its consumer and commercial platforms ever since WhatsApp announced plans to update its privacy policy, says Howell.

While the app can be deployed by organisations in highly regulated industries such as banking, energy, healthcare and the federal government, one of its versions, Wickr Me, is more suitable for one-on-one conversations with family and friends. Wickr cannot identify owners because it doesn’t have access to any personal information. The data is encrypted and not accessible to the company. All the messages are stored on the user’s device and for a brief period on Wickr’s servers, but get deleted upon delivery. Since messages are end-to-end encrypted, even while they are on the server they are not available to the company.

With Wickr Me, users can share files, photos, videos and voice messages, and also do video and audio conferencing. The messages are ephemeral, meaning they only exist for a limited amount of time and get permanently deleted from the sending as well as the receiving device after a while. Therefore, if the recipient doesn’t check Wickr frequently, the messages may never get delivered. “Wickr’s security architecture and proprietary encryption methodology is designed to ensure that only users can gain access to their message content. Users’ content is encrypted locally on their device and is accessible only to intended recipients,” explains Howell.

Jami

An open-source service, Jami doesn’t store users’ personal information on a central server, guaranteeing users full anonymity and privacy. The app has been around since 2013, but Christophe Villemer, advocacy vice-president of the Canada-based messenger app, says, “We really are a newcomer in the market, we estimate there are around 100,000 users around the globe but our community is growing every day.” He says Jami is peer-to-peer, which means it doesn’t require a server for relaying data between users. Therefore, users don’t have to worry about a third party conserving their video or data on its servers. With features such as HD video calling, instant and voice messaging, and file sharing, the service is free to use. All the connections are end-to-end encrypted.

“At Jami, we think that privacy is a primary right on the internet. Everybody should be free not to give their data to corporations to benefit from an essential service on the internet,” says Villemer. “Also, we think that our solution, as it’s peer-to-peer, is globally better for the environment because it does not rely on huge server farms or data-centers,” he adds. Users of the service have no restrictions in terms of the size of the files they share, nor speed, bandwidth, features, number of accounts or storage. In addition, if users are on the same local network, they can communicate using Jami even if they are disconnected from the internet. “There will never be advertising on Jami,” says Villemer.

Briar

Briar Messenger is a not-for-profit organisation that started off as a project by Michael Rogers in an attempt to support freedom of expression, freedom of association, and the right to privacy. In India, Briar is extremely popular in Kashmir. Reason? It can work without the internet via Wi-Fi or Bluetooth. Launched in 2018, this application uses direct, encrypted connections to prevent surveillance and censorship. Briar allows users to form private groups (with one admin that can invite others), write blogs, and also create public discussion forums. The application doesn’t rely on central servers and sends across messages without leaking metadata.

Torsten Grote, senior developer, Briar Messenger, says, “Briar is for users who have higher security requirements such as not wanting to reveal who their contacts are (think journalist and source) or for users who need to keep the communication going when the internet is not available, be it because of natural disasters or deliberate shutdowns.” So far, Briar has around 200,000 downloads on Google Play and around 100,000 downloads from their website. The application is also available on F-Droid and other independent stores, which don’t track downloads. However, “thanks to the WhatsApp policy change,” says Grote, “we are seeing 7x the usual number of downloads.”

Threema

In 2012, three young software developers from Switzerland decided to create a secure instant messenger that would prevent the misuse of user data by companies and surveillance by governments. After Facebook bought WhatsApp in early 2014, the number of users climbed to 2 million in just a few weeks. “In Threema, all communication is protected in the best possible way by end-to-end encryption. Since Threema is open source, users can independently verify that Threema doesn’t have access to any user data that could be handed over to third parties,” says Roman Flepp, head of marketing and sales, Threema.

One of Threema’s guiding principles is “metadata restraint”, which means if there is no data, no data can be misused, either by corporations, hackers or surveillance authorities. Currently, the messenger has over 9 million users. In the light of the recent WhatsApp privacy issue, Flepp claims the daily download numbers have increased significantly, by a factor of 10. This growth has been consistently high since the policy change was announced. He adds, “This whole controversy could be a game changer. Now more and more people are looking around for a more private and secure messaging solution.”

The application can be used not only by individual users, but also businesses. Threema has various business solutions such as Threema Work and Threema Education. “Especially in the business environment, it is crucial that a secure and privacy-compliant solution is used for work-related communication. We see a great demand, more than 5,000 companies are already using our business solution Threema Work,” says Flepp. Currently, the team is working on creating a multi-device solution that will allow users to use Threema on multiple devices.

While a bunch of these applications are great options for secure peer-to-peer messaging, it is not a very sustainable revenue model for most of these companies. Hence, a few of them have moved to offer enterprise solutions. “For business use, a consumer-focused messaging app [like WhatsApp] is insufficient because it isn’t designed with business requirements for security, privacy, and compliance in mind,” says Shey. Following the recent announcement about the policy changes, a lot of government organisations and companies banned the use of applications like WhatsApp on company-issued devices and for work. We take a look at some applications that offer paid messaging solutions to businesses.

Wire

Though the idea for Wire was conceived in 2012, the product was only launched in 2014 and initially for consumers. However, in 2017, the Germany-based company decided to focus mainly on enterprises. This was because, says Morten Brøgger, CEO of Wire, “We were against giants like Facebook, and consumers were not willing to understand the importance of privacy and pay for it.” This was also around the same time that the General Data Protection Regulation (EU GDPR) was coming up, and privacy was becoming a major concern for organisations. “Hence, we felt the solution we built would be extremely compelling to enterprise consumers,” he adds.

Currently, Wire has close to 1,800 paid customers, which mainly include governments and large enterprises, whereas, for the general free solution, they have about half a million monthly active users. Most of their paid customers are in Germany, North America, Australia, the Middle East, and some European countries.

Most of the traditional enterprise SaaS solutions have a few risk points, including a “man in the middle vulnerability”, since the cloud provider is in the middle, which means all the processing and storage happens on the cloud. The main weakness here is that the cloud provider can technically access the encryption key, which means the cloud provider can technically read and listen to all your content. However, Wire has a very different architecture, wherein there is no man in the middle. “All the data resides in the application on your device. There is some storage on the cloud, for bigger files, and these are secured with individual encryption keys. But the encryption keys only exist on the devices of our users, there’s no copy of the keys on the cloud,” Brøgger says.

Another USP of this open-source application is that every time you send or receive a message—be it a text message, call, video conference or screen share—the encryption key updates, hence giving each individual message a unique encryption key. Says Brøgger, “We don’t know who the users are, what they are using it for and we barely collect any metadata, whatever little is collected to help synchronise different devices is also anonymised.”

Currently, the company is going at 400 percent revenue growth year-on-year. “We saw a great spike in the paid clients at the beginning of the pandemic, and now [due to the WhatsApp privacy policy issue] since enterprises are becoming more aware of the importance of privacy.”

Troop

Troop Messenger was launched in mid-2018 as an internal messaging app for enterprises. “It is a home-grown, made in India, robust and a secured business messaging platform,” says CEO and founder Sudhir Naidu. A single platform, it enables internal teams to chat, make audio and video calls, convert them into conferencing, share screens, and create groups. It also features a self-destructible chat window to exchange secured information, and will shortly introduce an email client so users can both send e-mails and messages. “We have pledged that we would not sell any kind of user data to any third-party organisations. We assess and track all kinds of intrusions and attacks and follow the policy of honestly disclosing to clients if there is a breach which involves a threat to their data,” says Naidu. Additionally, Troop follows a stringent and comprehensive internal security framework and policy, in terms of development, testing and release.

Besides Indian enterprises, Troop Messenger has been seeing good traction from the US, UK and the Middle East, informs Naidu. “We see three times the usual daily registrations for our platform, since the [WhatsApp] policy came out,” he says. “Businesses that were using WhatsApp before are actively looking out for much safer and business-oriented platforms such as ours,” he adds.

Arattai

Zoho Corp, which has products like Zoho Mail and Zoho Business Suite, released a beta version of its messaging application Arattai, meaning chit-chat in Tamil, in the middle of the pandemic in 2020. “More than 70,000 users have already downloaded Arattai and we didn’t advertise at all,” says Praval Singh, VP, marketing at Zoho Corp. “The final application is close to being launched,” he adds. As a privately held company, Singh says, their focus is on user privacy. “We have retained that we’ve held that stance in many ways for our enterprise and business users. And we would like to take it forward with consumer applications as well. For example, we don’t use our own application or data of users to share with third parties, either as a monetisation strategy or for any other reason. So, data that sits on an application doesn’t go to a third party,” he says. In fact, they own their data centers. Therefore, they are not dependent on any third party or public clouds for storage.

Spike

Initially released in October 2018, Spike is a conversational and collaborative email application that turns legacy email into a synchronous chat-like experience, adding tasks, collaborative notes and multimedia to create a single feed for work.

Instead of using another application, Spike turns an individual’s email address inbox into a hub for chatting with co-workers, friends, and family–as well as a place to work on documents, manage tasks, and share files. Unlike WhatsApp groups, says Dvir Ben-Aroya, co-founder and CEO of Spike, “Spike groups provide a real-time collaborative tool for businesses, without switching between separate team messenger apps.” The application promises to store minimum data to provide fast communication and ensure privacy. Currently, Spike has over 100,000 active teams using this application.

“We’ve seen a drastic uptick in users after the WhatsApp announcement, but since we track minimal user data, we cannot access specific data or directly attribute these users’ behaviour with correlation to using WhatsApp,” he says. Its highest user base is in the US, Germany, the UK, and it is very popular in India, especially among students and educators.

(With inputs from Namrata Sahoo)

Source: https://www.forbesindia.com/article/take-one-big-story-of-the-day/whatsalt-the-messenger-alternatives/65909/1

More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government

WASHINGTON — Federal officials issued an urgent warning on Thursday that hackers who American intelligence agencies believed were working for the Kremlin used a far wider variety of tools than previously known to penetrate government systems, and said that the cyberoffensive was “a grave risk to the federal government.”

The discovery suggests that the scope of the hacking, which appears to extend beyond nuclear laboratories and Pentagon, Treasury and Commerce Department systems, complicates the challenge for federal investigators as they try to assess the damage and understand what had been stolen.

Minutes after the statement from the cybersecurity arm of the Department of Homeland Security, President-elect Joseph R. Biden Jr. warned that his administration would impose “substantial costs” on those responsible.

“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Mr. Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.”

President Trump has yet to say anything about the attack.

Echoing the government’s warning, Microsoft said Thursday that it had identified 40 companies, government agencies and think tanks that the suspected Russian hackers, at a minimum, had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.

“It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more nongovernmental victims than there are governmental victims, with a big focus on I.T. companies, especially in the security industry.”

The Energy Department and its National Nuclear Security Administration, which maintains the American nuclear stockpile, were compromised as part of the larger attack, but its investigation found the hack did not affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.

“At this point, the investigation has found that the malware has been isolated to business networks only,” Ms. Hynes said. The hack of the nuclear agency was reported earlier by Politico.

Officials have yet to publicly name the attacker responsible, but intelligence agencies have told Congress that they believe it was carried out by the S.V.R., an elite Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority — 80 percent — are in the United States, while Russia shows no infections at all.

The government warning, issued by the Cybersecurity and Infrastructure Security Agency, did not detail the new ways that the hackers got into the government systems. But it confirmed suspicions expressed this week by FireEye, a cybersecurity firm, that there were almost certainly other routes that the attackers had found to get into networks on which the day-to-day business of the United States depends.

FireEye was the first to inform the government that the suspected Russian hackers had, since at least March, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.

Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that hackers could ultimately use their access to shutter American systems, corrupt or destroy data, or take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening.

The alert was a clear sign of a new realization of urgency by the government. After playing down the episode — in addition to Mr. Trump’s silence, Secretary of State Mike Pompeo has deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the government’s new alert left no doubt the assessment had changed.

“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered.”

Investigators say it could take months to unravel the extent to which American networks and the technology supply chain are compromised.

In an interview on Thursday, Mr. Smith, of Microsoft, said the supply-chain element made the attack perhaps the gravest cyberattack against the United States in years.

“Governments have long spied on each other but there is a growing and critical recognition that there needs to be a clear set of rules that put certain techniques off limits,” Mr. Smith said. “One of the things that needs to be off limits is a broad supply chain attack that creates a vulnerability for the world that other forms of traditional espionage do not.”

Reuters reported Thursday that Microsoft was itself compromised in the attack, a claim that Mr. Smith emphatically denied Thursday. “We have no indication of that,” he said.

Officials say that with only one month left in its tenure, the Trump administration is planning to simply hand off what appears to be the biggest cybersecurity breach of federal networks in more than two decades.

Mr. Biden’s statement said he had instructed his transition team to learn as much as possible about “what appears to be a massive cybersecurity breach affecting potentially thousands of victims.”

“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Mr. Biden said, adding that he plans to impose “substantial costs on those responsible.”

The Cybersecurity and Infrastructure Security Agency’s warning came days after Microsoft took emergency action along with FireEye to halt the communication between the SolarWinds network management software and a command-and-control center that the Russians were using to send instructions to their malware using a so-called kill switch.

That shut off further penetration. But it is of no help to organizations that have already been penetrated by an attacker who has been planting back doors in their systems since March. And the key line in the warning said that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies.

Across federal agencies, the private sector and the utility companies that oversee the power grid, forensic investigators were still trying to unravel the extent of the compromise. But security teams say the relief some felt that they did not use the compromised systems turned to panic on Thursday, as they learned other third-party applications may have been compromised.

Inside federal agencies and the private sector, investigators say they have been stymied by classifications and a siloed approach to information sharing.

“We have forgotten the lessons of 9/11,” Mr. Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies to come together into a single place and share what they know.”

Source: https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html?auth=login-email&login=email

Edward Snowden Hails Launch of Signal’s Encrypted Group Calls

Encrypted messaging app Signal has added group video calls, and the famed NSA whistleblower says it’s a long time coming.

  • Signal has added encrypted group video calls to its iOS and Android messaging app.
  • NSA whistleblower Edward Snowden, an avowed Signal user, tweeted about the news.
  • Up to five people can now take part in an end-to-end encrypted video call.

Famed National Security Agency (NSA) whistleblower Edward Snowden knows a thing or two about the need for safe, secure communication, given his flight from the United States in 2013 following extensive leaks of classified information and his ongoing asylum in Russia.

Unsurprisingly, he’s a big fan of encrypted messaging app Signal, and the app’s website quotes him (“I use Signal everyday”) above all other testimonials. Today, Signal rolled out the ability to hold group encrypted video calls, and Snowden has already weighed in on the new addition: “I have been waiting for this for a very long time,” he tweeted.

Luckily, you don’t have to be a notorious fugitive to use Signal’s group encrypted video call feature, which lets up to five people join in for a shared chat. Group calls are encrypted end-to-end, “like everything else on Signal,” notes a blog post, and you can opt between viewing a grid of the up to four other participants or have the app focus on whoever is speaking at any given time.

The feature is available now on both iOS and Android, and only in “new style Signal groups.”

Older groups on the app will automatically be updated to the new format in the coming weeks. According to the post, Signal is working to expand the number of participants beyond five, but there’s no ETA on when that might happen.

The addition of group video calls comes amidst the ongoing COVID-19 pandemic, during which video chat services such as Zoom have become immensely popular. With many people working from home these days, schools doing remote e-learning, and gatherings of all sorts canceled, the ability to now hold those group video calls via Signal may provide some with additional peace of mind given the end-to-end encryption.

“2020 has seen its fair number of challenges and changes,” reads the post. “We’ve all adapted to new ways of staying in touch, getting work done, celebrating birthdays and weddings, and even exercising. As more and more of our critical and personal moments move online, we want to continue to provide you with new ways to share and connect privately.”

Demand for Signal has also surged this year due to protests, such as those following the murder of George Floyd by Minneapolis police. Downloads of the app soared in the United States in late May, and in early June, the app added the ability to censor faces in shared photos to avoid potential police surveillance.

Source: https://decrypt.co/51563/edward-snowden-signal-encrypted-group-calls

One of the key things that set SIGNAL MESSENGER apart, that it collects almost no information about its users, appears to be changing.

https://www.vice.com/en_us/article/pkyzek/signal-new-pin-feature-worries-cybersecurity-experts

Signal’s New PIN Feature Worries Cybersecurity Experts

The popular encrypted app is now going to store your contacts in the cloud. Experts are worried this compromises users’ privacy.

by Lorenzo Franceschi-Bicchierai
July 10, 2020, 2:33pm

Ever since NSA leaker Edward Snowden said “use Signal, use Tor,” the end-to-end encrypted chat app has been a favorite of people—including Motherboard—who care about privacy and need a chat and calling app that is hard to spy on.

One of the reasons security experts recommended Signal is because the app’s developers collected—and thus retained—almost no information about its users. This means that, if subpoenaed by law enforcement, Signal would have essentially nothing to turn over. Signal demonstrated this in 2016, when it was subpoenaed by a court in Virginia. „We’ve designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service,“ Signal wrote at the time.

But a newly added feature that allows users to recover certain data, such as contacts, profile information, settings, and blocked users, has led some high-profile security experts to criticize the app’s developers and threaten to stop using it. Signal will store that data on servers the company owns, protected by a PIN that the app initially asked users to add and then made mandatory.

The purpose of using a PIN is, in the near future, to allow Signal users to be identified by a username, as opposed to their phone number, as Signal founder Moxie Marlinspike explained on Twitter (as we’ve written before, this is a laudable goal; tying Signal to a phone number has its own privacy and security implications).

But this also means that unlike in the past, Signal now retains certain user data, something that many cybersecurity and cryptography experts see as too dangerous.

Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, said that this was “the wrong decision,” and that forcing users to create a PIN and use this feature would force him to stop using the app.

“The problem with that is that most people pick weak PIN codes. To harden this and make the system more secure, Signal has a system that uses Intel SGX enclaves on their server,” Green said in an email to Motherboard, referring to a technology made by Intel to encrypt and isolate certain data on a cloud server. “SGX seems like a good choice, but it really can’t stand up against a serious attacker. This means anyone with the right resources (at least as good as, say, Daniel Genkin’s group and U. Mich) could potentially compromise those servers and get most of this information.”

“I don’t care that much about my contact lists, honestly. But I also don’t like the idea that I’m going to be forced into uploading them to a server, when the whole reason I use Signal is because it’s designed not to do things like this. Also, I’m scared that in the future, Moxie will design a feature to upload message content, and that won’t be ‚opt in‘ either,“ Green said.

The Grugq, a well-known cybersecurity expert, agreed that this approach isn’t secure, because SGX enclaves are “a sort of wet paper bag for clustering sensitive info.”
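To make the point Green and The Grugq are arguing concrete, here is an added, deliberately simplified model of a PIN-protected recovery store; it is illustrative code written for this page, not Signal’s implementation, and `stretch_pin`, `EnclaveRecord`, `enroll`, `recover` and `offline_guesses` are all assumed names. It shows that the enclave’s guess counter, not the PIN itself, is what protects a weak PIN, and that once the stored record leaks out of the enclave the same PIN falls to exhaustive guessing.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

ITERATIONS = 1_000  # reduced for the demo; real deployments stretch much harder


def stretch_pin(pin: str, salt: bytes) -> bytes:
    """Stretch a PIN into a 32-byte key. Stretching slows each guess but adds
    no entropy: a 4-digit PIN still has only 10_000 candidates."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


@dataclass
class EnclaveRecord:
    """What the guess-limiting server component (the enclave, in Signal's design)
    holds per user. Assumed simplified model, not Signal's real data layout."""
    salt: bytes
    verifier: bytes      # HMAC over a fixed label under the PIN-derived key
    secret: bytes        # random master secret, released only on a correct PIN
    attempts_left: int
    max_attempts: int


def verifier_for(pin: str, salt: bytes) -> bytes:
    return hmac.new(stretch_pin(pin, salt), b"verify", "sha256").digest()


def enroll(pin: str, max_attempts: int = 10) -> EnclaveRecord:
    salt, secret = os.urandom(16), os.urandom(32)
    return EnclaveRecord(salt, verifier_for(pin, salt), secret, max_attempts, max_attempts)


def recover(rec: EnclaveRecord, pin: str) -> Optional[bytes]:
    """Online path: the enclave enforces the counter and wipes the secret after
    too many failures, so even a weak PIN survives remote guessing."""
    if rec.attempts_left <= 0:
        return None
    if hmac.compare_digest(verifier_for(pin, rec.salt), rec.verifier):
        rec.attempts_left = rec.max_attempts
        return rec.secret
    rec.attempts_left -= 1
    if rec.attempts_left == 0:
        rec.secret = b""  # wipe: nothing left to recover, and nothing left to steal
    return None


def offline_guesses(rec: EnclaveRecord, digits: int = 4) -> Tuple[int, bool]:
    """Compromised-enclave path: once the record itself leaks, the counter is
    meaningless and every candidate PIN can be tried. Returns (tries, found)."""
    for n in range(10 ** digits):
        if hmac.compare_digest(verifier_for(f"{n:0{digits}d}", rec.salt), rec.verifier):
            return n + 1, True
    return 10 ** digits, False
```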

Technical issues aside, it’s the philosophy behind it that bothers people like Green and The Grugq. Before this new feature, Signal claimed—and had proved—to provide a communication app that was designed not to store almost any information about its users.

„Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,“ Signal wrote in 2016.

That, according to critics, has now changed.

“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”

Marlinspike defended the decision to enable PINs, saying it gives users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”

“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”

Following Green’s and others’ critiques, Marlinspike said on Twitter, and then confirmed with us, that Signal will add the ability to disable PINs “for some advanced users.” Marlinspike warned that doing that “would mean that every time you re-install Signal you will lose all your Signal contacts.”

In recent weeks, Signal has introduced more features that make it more user friendly to people who may not have extremely paranoid threat models. For example, it’s now possible to migrate all Signal data, including message history, from one phone to another, using a feature that does not rely on cloud servers and is also encrypted, according to Signal. This is a different feature than the one that relies on PINs, but both of these are likely aimed at people who may be reluctant to use Signal, and prefer other apps such as WhatsApp.

The changes Signal has made show how there can be a tension between a messenger’s usability and feature set and its security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart, that it collects almost no information about its users, appears to be changing.