Weekly Privacy Roundup #3
Here in your mind you have complete privacy. Here there's no difference between what is and what could be – Chuck Palahniuk
EU Commission Recommends a Common Approach to Using Mobile Apps and Location Data to Combat and Exit COVID-19
On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).
The Recommendation sets out a process by which the European Union (“EU”) Member States can adopt a toolbox of practical measures, with a focus on the following priorities:
- A pan-European, coordinated approach to using mobile apps that empower citizens to take effective and more targeted social distancing measures, and aid with warning, preventing and contact tracing to help limit the propagation of COVID-19; and
- A common approach to using anonymized and aggregated mobile location data to model and predict the evolution of COVID-19; monitor the effectiveness of measures to contain the diffusion of the disease, such as social distancing and confinement; and help develop a coordinated strategy for going forward, including the easing of containment measures.
ProtonMail Bridge is now open source!
We are one step closer to fully open sourcing all our apps. ProtonMail Bridge joins iOS and the web app as open source software, and it has also passed an independent security audit.
Trust and transparency are core values of ProtonMail. We want you to know who is on our team and how we protect your privacy. Similarly, we want you to be able to see the code that makes up our apps and keeps your data safe. That’s why we have prioritized making all our apps open source.
You can view the code for ProtonMail Bridge for macOS, Windows, and Linux on our GitHub page.
NHS Denies #COVID19 App De-anonymization Plan
The United Kingdom's National Health Service (NHS) has refuted claims that it considered giving ministers the power to de-anonymize users of its planned COVID-19 contact-tracing app.
Plans to roll out the new smartphone app were announced on Sunday, April 12, by health secretary Matt Hancock during a daily UK pandemic briefing. It is hoped that by allowing people who develop COVID-19 symptoms to quickly alert others with whom they have been in proximity, the app will help to stem the spread of the deadly novel coronavirus in the UK.
The new app is currently being developed by the NHSX—the digital innovation branch of the National Health Service—with testing of an early version expected to get under way in the North of England this week.
Explaining how the NHS app would work, Hancock said: “If you become unwell with the symptoms of coronavirus, you can securely tell this new NHS app and the app will then send an alert anonymously to other app users that you’ve been in significant contact with over the past few days, even before you had symptoms, so that they know and can act accordingly.”
500,000 Zoom accounts are being sold on the dark web
Hacked Zoom accounts have become merchandise that's sold en masse on the dark web and through hacker forums, a new report claims.
According to BleepingComputer, which spoke to cybersecurity company Cyble, there are currently over 500,000 Zoom account credentials being sold, and while most of them seem to stem from earlier, unrelated hacks, some of them are genuine.
Cyble's experts noticed the influx of Zoom accounts for sale on April 1, and were able to purchase 530,000 of them at a bulk price of $0.002 per account. Some accounts, the report claims, are even being shared for free.
The Challenge of Proximity Apps For COVID-19 Contact Tracing
Around the world, a diverse and growing chorus is calling for the use of smartphone proximity technology to fight COVID-19. In particular, public health experts and others argue that smartphones could provide a solution to an urgent need for rapid, widespread contact tracing—that is, tracking who infected people come in contact with as they move through the world. Proponents of this approach point out that many people already own smartphones, which are frequently used to track users’ movements and interactions in the physical world.
But it is not a given that smartphone tracking will solve this problem, and the risks it poses to individual privacy and civil liberties are considerable. Location tracking—using GPS and cell site information, for example—is not suited to contact tracing because it will not reliably reveal the close physical interactions that experts say are likely to spread the disease. Instead, developers are rapidly coalescing around applications for proximity tracing, which measures Bluetooth signal strength to determine whether two smartphones were close enough together for their users to transmit the virus. In this approach, if one of the users becomes infected, others whose proximity has been logged by the app could find out, self-quarantine, and seek testing. Just today, Apple and Google announced joint application programming interfaces (APIs) using these principles that will be rolled out in iOS and Android in May. A number of similarly designed applications are now available or will launch soon.
Jitsi Meet team is working on end-to-end encryption for video conferencing
Some of the people watching our repos have been asking us what the deal was with this little new HIPS project (which by the way stands for Hidden In Plain Sight). Well, now you know! HIPS is about using a new Chrome WebRTC API called “Insertable Streams” to add a second layer of end-to-end encryption to media streams in a way that would make them inaccessible to the video router.
Let’s take a step back. We would very likely all agree that we need our meetings to be protected and secure.
Deciding how to protect them, who to protect them from and how exactly to do this is a significantly more complex topic, that we believe everyone in our community should be informed about. We have already discussed how Jitsi Meet gives you protection by using ephemeral rooms and passwords, so no one undesirable can join your meetings, and how all information sent on the network is strongly encrypted using DTLS-SRTP, so that no one who happens to intercept it can actually understand it.
The final piece missing in this puzzle comes from the fact that DTLS-SRTP in WebRTC is strictly tied to a PeerConnection, which means that, when a video router (like Jitsi Videobridge) is involved, WebRTC and DTLS-SRTP can only provide hop-by-hop encryption. In such scenarios Jitsi Videobridge (JVB) ends up establishing as many encrypted channels as there are participants. This is what protects all data on the network. In order for media from one participant to reach another, however, it needs to be extracted from the sender’s crypto context and re-encrypted with the receiver’s.
Google and Apple Plan to Turn Phones into COVID-19 Contact-Tracking Devices
Tech giants Apple and Google have joined forces to develop an interoperable contact-tracing tool that will help individuals determine if they have come in contact with someone infected with COVID-19.
As part of this new initiative, the companies are expected to release an API that public agencies can integrate into their apps. The next iteration will be a built-in system-level platform that uses Bluetooth low energy (BLE) beacons to allow for contact tracing on an opt-in basis.
The APIs are expected to be available mid-May for Android and iOS, with the broader contact tracing system set to roll out "in the coming months."
"Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders," the companies said.
The rare collaboration comes as governments worldwide are increasingly turning to technology such as phone tracking and facial recognition to battle the virus and contain the coronavirus outbreak.
1.1 Million Customer Records of SCUF Gaming Exposed Online
The database of more than 1 million customers was exposed online by 'SCUF Gaming', a subsidiary of Corsair that develops high-end gamepads for Xbox, PS4, and PC. The incident led to the exposure of clients' names, payment info, contact info, repair tickets, order histories, and other sensitive information. Other data belonging to the company's staff and internal API keys were also compromised as a result.
Cloudflare drops Google's reCAPTCHA due to privacy concerns
Cloudflare announced that it has moved from Google's reCAPTCHA to hCaptcha, an independent alternative CAPTCHA provider focused on user privacy.
CAPTCHAs (short for Completely Automated Public Turing Test to Tell Computers and Humans Apart) are so-called "challenges" displayed by Cloudflare to a site's visitors with the end goal of blocking malicious bot activity if the service detects unusual behavior not consistent with human traffic.
Generally, they are prompts asking visitors to enter the same squiggly letters displayed in a box or to identify various objects such as cars or traffic lights, to differentiate between legitimate and automated web traffic.