Weekly Privacy Roundup #13
"Privacy is not a luxury in America: it is a right - one that we need to defend in the digital realm as much as in the physical realm." - Chelsea Manning
Maine Broadband Privacy Law Passes Early First Amendment Test
When you send an email or browse the web, your Internet Service Provider (ISP) may track what sites you visit and when, as well as any unencrypted information you read or send. So Maine requires ISPs to get their customers’ opt-in consent before using or disclosing this and other personal information. ISPs would rather harvest and monetize your data without restraint, so they filed a poorly conceived First Amendment lawsuit against this Maine law. EFF filed an amicus brief in support of the privacy law, along with ACLU, ACLU of Maine, and CDT.
Popular Gambling App Exposed Millions of Users in Massive Data Leak
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach on casino gambling app Clubillion.
The breach originated in a technical database built on an Elasticsearch engine and was recording the daily activities of millions of Clubillion players around the world.
Aside from leaking activity on the app, the breached database also exposed private user information.
With this information publicly available, Clubillion’s users were vulnerable to fraud and various online attacks with potentially devastating results.
Google bans stalkerware ads
Google announced plans this week to ban ads that promote stalkerware, spyware, and other forms of surveillance technology that can be used to track other persons without their specific consent.
The change was announced this week as part of an upcoming update to Google Ads policies, set to enter into effect next month, on August 11, 2020.
Amazon walks back its order for employees to delete TikTok from their phones
Amazon says its request that its employees delete TikTok from their cellphones on Friday was made in error.
The company’s IT department on Friday morning ordered its employees to delete TikTok from their cellphones in an email sent to staff, saying the popular video app posed “security risks” and that employees would lose mobile access to their work email if they did not comply. By Friday afternoon, the company had walked back that order.
15 Billion Stolen Logins Are Circulating on the Dark Web
After China imposed a restrictive national security law on Hong Kong, tech companies find themselves at a crossroads. Giants like Google and Facebook stopped responding to requests for user data in the city, but may eventually have to pull out altogether.
One marquee name to exit Hong Kong already is TikTok, which remains eager to prove its distance from its China-based parent company. TikTok also found itself embroiled in a confusing episode on Friday, when an internal Amazon email indicated that the company was ordering employees to remove the app from their phones; hours later, Amazon stated that the email was sent in error. Hate it when the drafts go live, especially when they cause an international furor.
Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data
Two security researchers said this week that they found severe vulnerabilities and what appears to be intentional backdoors in the firmware of 29 FTTH OLT devices from popular vendor C-Data.
FTTH stands for Fiber-To-The-Home, while OLT stands for Optical Line Termination.
The term FTTH OLT refers to networking equipment that allows internet service providers to bring fiber optics cables as close to the end-users as possible.
As their name hints, these devices are the termination on a fiber optics network, converting data from an optical line into a classic Ethernet cable connection that's then plugged in a consumer's home, data centers, or business centers.
These devices are located all over an ISP's network, and due to their crucial role, they are also one of today's most widespread types of networking devices, as they need to sit in millions of network termination endpoints all over the globe.
France passes legislation to block adult websites that don’t comply with new age verification framework
France plans to implement an age verification system for pornography and expand website blocking powers to punish non-compliant websites. The new law would grant the French audiovisual authority, CSA, the power to verify that adult websites are properly implementing age verification. Should a website be found not to be out of compliance, court orders could be used to block the website at the French internet service provider (ISP) level. The bill was passed by French Parliament on July 10th, 2020.
What’s really happening here is that the French government is setting the field to create a framework for blocking more and more websites while also potentially creating a database of citizen sexual preferences. France has already blocked websites via court orders in the cases of Sci-Hub and LibGen since 2019. When those blocks happened, Library Genesis posted on Facebook to their users: