Weekly Privacy Roundup #12
"I would rather be without a state than without a voice" - Edward Snowden
TikTok seems to be copying and pasting your clipboard with every keystroke
A new privacy feature in iOS 14 has revealed that TikTok is copying the contents of your clipboard with every keystroke. The new feature – called paste notifications – shows that TikTok is inspecting the clipboard with each new keystroke, and it’s possible that they’re also grabbing the contents and storing it for later to be sent off with the other information that TikTok phones home with.
The value of Tor and anonymous contributions to Wikipedia
Tor users are conscientious about the tools they pick to do what they do online. Often, discussions of controversial topics need a different level of privacy depending on a user's threat models. An activist in the Middle East can provide a different perspective on an article about politics in their own country than a collaborator in northern Europe. And they deserve to add their voices to the conversation safely.
Where everybody knows your name: pubs and data collection
The UK Government has announced that pubs can reopen on 4 July, and in the process asked them to start collecting the personal data of their customers to assist in test and trace. This is clearly going to create some big data protection challenges for pubs across the United Kingdom.
Voluntary measures invite things to go wrong in a number of ways. At one extreme, registers may not be taken by outlets at all.. This risks failing to notify potential Covid-19 patients.
Another version is pubs and restaurants wrongly seeing this as an opportunity to build up some nice marketing lists – ripe for commercial exploitation. This would also be a horrible outcome.
All the outcomes here are heavy on the downsides, from state databases, to more opportunity for commercial exploitation or data breaches through sloppy data handling practices. The only upside being you could enjoy a drink in a pub, but at what cost?
TikTok and 53 other iOS apps still snoop your sensitive clipboard data
In March, researchers uncovered a troubling privacy grab by more than four dozen iOS apps including TikTok, the Chinese-owned social media and video-sharing phenomenon that has taken the Internet by storm. Despite TikTok vowing to curb the practice, it continues to access some of Apple users’ most sensitive data, which can include passwords, cryptocurrency wallet addresses, account-reset links, and personal messages. Another 53 apps identified in March haven't stopped either.
The privacy invasion is the result of the apps repeatedly reading any text that happens to reside in clipboards, which computers and other devices use to store data that has been cut or copied from things like password managers and email programs. With no clear reason for doing so, researchers Talal Haj Bakry and Tommy Mysk found, the apps deliberately called an iOS programming interface that retrieves text from users’ clipboards.
Facial recognition technology banned in another US city
Boston has become the second-largest city in the world after San Francisco to ban the use of facial recognition technology by police and city agencies. The ordinance was passed unanimously on Wednesday and bars city officials from using the technology and from procuring facial surveillance from a third party. The measure earned a veto-proof majority and was been passed to the office of Mayor Martin J. Walsh, which will review it.
Apple adds support for encrypted DNS (DoH and DoT)
In a presentation at its developer conference this week, Apple announced that the upcoming versions of its iOS and macOS operating systems will support the ability to handle encrypted DNS communications.
Apple said that iOS 14 and macOS 11, set to be released this fall, will support both the DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) protocols.
Apple declined to implement 16 Web APIs in Safari due to privacy concerns
Apple said this week that it declined to implement 16 new web technologies (Web APIs) in Safari because they posed a threat to user privacy by opening new avenues for user fingerprinting.
Technologies that Apple declined to include in Safari because of user fingerprinting concerns include:
Web Bluetooth - Allows websites to connect to nearby Bluetooth LE devices.
Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.
Magnetometer API - Allows websites to access data about the local magnetic field around a user, as detected by the device's primary magnetometer sensor.
Web NFC API - Allows websites to communicate with NFC tags through a device's NFC reader.
Device Memory API - Allows websites to receive the approximate amount of device memory in gigabytes.
Network Information API - Provides information about the connection a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes
Battery Status API - Allows websites to receive information about the battery status of the hosting device.
Web Bluetooth Scanning - Allows websites to scan for nearby Bluetooth LE devices.
Ambient Light Sensor - Lets websites get the current light level or illuminance of the ambient light around the hosting device via the device's native sensors.
HDCP Policy Check extension for EME - Allows websites to check for HDCP policies, used in media streaming/playback.
Proximity Sensor - Allows websites to retrieve data about the distance between a device and an object, as measured by a proximity sensor.
WebHID - Allows websites to retrieve information about locally connected Human Interface Device (HID) devices.
Serial API - Allows websites to write and read data from serial interfaces, used by devices such as microcontrollers, 3D printers, and othes.
Web USB - Lets websites communicate with devices via USB (Universal Serial Bus).
Geolocation Sensor (background geolocation) - A more modern version of the older Geolocation API that lets websites access geolocation data.
User Idle Detection - Lets website know when a user is idle.
How public safety systems can be abused by nation state actors
Open systems, open data, and open-source software provide a means to promote greater transparency, public trust, and user participation. But what happens when adversaries can abuse the same systems?
After all, any system that’s open to everyone is also open to those who wish to use it for malicious intent.
Time and time again, we have seen how the open-source ecosystems like npm or GitHub have been abused to spread malware. We have also seen how public WiFi hotspots can be tempting sites for attackers and reports of Russian actors live streaming webcams that should remain hidden.
Similarly, public safety systems that are designed to protect and safeguard citizens from adversaries have been misused by the very adversaries to do the opposite.
These are common ‘vulnerabilities’ in our societal systems exploited on a smaller scale.
But what about the cases of nation-state actors targeting national security systems, especially if they are open-source, for malicious purposes?