Are Google and Facebook Surveilling Their Own Employees? (theguardian.com) 46

The Guardian just ran an article titled " 'They'll squash you like a bug': how Silicon Valley keeps a lid on leakers," which begins with the story of an employee confronted by Facebook's secretive "rat-catching" team: They had records of a screenshot he'd taken, links he had clicked or hovered over, and they strongly indicated they had accessed chats between him and the journalist, dating back to before he joined the company. "It's horrifying how much they know," he told the Guardian, on the condition of anonymity... "You get on their bad side and all of a sudden you are face to face with Mark Zuckerberg's secret police"... One European Facebook content moderator signed a contract, seen by the Guardian, which granted the company the right to monitor and record his social media activities, including his personal Facebook account, as well as emails, phone calls and internet use. He also agreed to random personal searches of his belongings including bags, briefcases and car while on company premises. Refusal to allow such searches would be treated as gross misconduct...

Some employees switch their phones off or hide them out of fear that their location is being tracked. One current Facebook employee who recently spoke to Wired asked the reporter to turn off his phone so the company would have a harder time tracking if it had been near the phones of anyone from Facebook. Two security researchers confirmed that this would be technically simple for Facebook to do if both people had the Facebook app on their phone and location services switched on. Even if location services aren't switched on, Facebook can infer someone's location from wifi access points.

The article cites a 2012 report that Microsoft read a French blogger's Hotmail account to identify a former employee who had leaked trade secrets. And it also reports that tech companies hire external agencies to surveil their employees. "One such firm, Pinkerton, counts Google and Facebook among its clients." Though Facebook and Google both deny this, "Among other services, Pinkerton offers to send investigators to coffee shops or restaurants near a company's campus to eavesdrop on employees' conversations...

Al Gidari, consulting director of privacy at the Stanford Center for Internet and Society, says that these tools "are common, widespread, intrusive and legal."

Did Cambridge Analytica Harvest 50 Million Facebook Profiles? (theguardian.com) 96

Slashdot reader umafuckit shared this article from The Guardian: The data analytics firm that worked with Donald Trump's election team and the winning Brexit campaign harvested millions of Facebook profiles of U.S. voters, in one of the tech giant's biggest ever data breaches, and used them to build a powerful software program to predict and influence choices at the ballot box... Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on."

Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals... On Friday, four days after the Observer sought comment for this story, but more than two years after the data breach was first reported, Facebook announced that it was suspending Cambridge Analytica and Kogan from the platform, pending further information over misuse of data. Separately, Facebook's external lawyers warned the Observer on Friday it was making "false and defamatory" allegations, and reserved Facebook's legal position...

The evidence Wylie supplied to U.K. and U.S. authorities includes a letter from Facebook's own lawyers sent to him in August 2016, asking him to destroy any data he held that had been collected by GSR, the company set up by Kogan to harvest the profiles... Facebook did not pursue a response when the letter initially went unanswered for weeks because Wylie was travelling, nor did it follow up with forensic checks on his computers or storage, he said. "That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back."

Wylie worked with Aleksandr Kogan, the creator of the "thisisyourdigitallife" app, "who has previously unreported links to a Russian university and took Russian grants for research," according to the article. Kogan "had a licence from Facebook to collect profile data, but it was for research purposes only. So when he hoovered up information for the commercial venture, he was violating the company's terms...

"At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential U.S. voters."
United States

DIY Explosives Experimenter Blows Self Up, Contaminates Building (fdlreporter.com) 271

Long-time Slashdot reader hey! writes: Benjamin D. Morrison of Beaver Dam Wisconsin was killed on March 5 while synthesizing explosives in his apartment... The accident has left the apartment building so contaminated that it will be demolished in a controlled burn, and residents are not being allowed in to retrieve any of their belongings.
It was just five years ago that Morrison graduated from Pensacola Christian College in Florida with a degree in pre-pharmacy and minors in chemistry and math. Though a local reverend believes 28-year-old Morrison was "not a bomb maker," USA Today's site FDL Reporter notes that "Officials assume he was making bombs that accidentally exploded and killed him... They have not publicly disclosed what chemicals were in apartment 11 where Morrow lived, only describing them as 'extremely volatile and unstable explosives.'"
Electronic Frontier Foundation

North Carolina Police Obtained Warrants Demanding All Google Users Near Four Crime Scenes (wral.com) 184

An anonymous reader quotes the public records reporter from North Carolina TV station WRAL: In at least four investigations last year -- cases of murder, sexual battery and even possible arson at the massive downtown fire in March 2017 -- Raleigh police used search warrants to demand Google accounts not of specific suspects, but from any mobile devices that veered too close to the scene of a crime, according to a WRAL News review of court records... The demands Raleigh police issued for Google data [in two homicide cases] described a 17-acre area that included both homes and businesses... The account IDs aren't limited to electronics running Android. The warrant includes any device running location-enabled Google apps, according to Raleigh Police Department spokeswoman Laura Hourigan...

On March 16, 2017, a five-alarm fire ripped through the unfinished Metropolitan apartment building on West Jones Street... About two months later, Raleigh police obtained a search warrant for Google account IDs that showed up near the block of the Metropolitan between 7:30 and 10 p.m. the night of the fire... In addition to anonymized numerical identifiers, the warrant calls on Google to release time stamped location coordinates for every device that passed through the area. Detectives wrote that they'd narrow down that list and send it back to the company, demanding "contextual data points with points of travel outside of the geographical area" during an expanded timeframe. Another review would further cull the list, which police would use to request user names, birth dates and other identifying information of the phones' owners.

"Do people understand that in sharing that information with Google, they're also potentially sharing it with law enforcement?" asks a former Durham prosecutor who directs the North Carolina Open Government Coalition at Elon University. And Stephanie Lacambra, criminal defense staff attorney at the Electronic Frontier Foundation, also criticized the procedure. "To just say, 'Criminals commit crimes, and we know that most people have cell phones,' that should not be enough to get the geo-location on anyone that happened to be in the vicinity of a particular incident during a particular time." She believes that without probable cause the police department is "trying to use technology as a hack for their job... It does not have to be that we have to give up our privacy rights in order to participate in the digital revolution."

Nathan Freed Wessler, staff attorney with the ACLU's Speech, Privacy and Technology Project, put it succinctly. "At the end of the day, this tactic unavoidably risks getting information about totally innocent people."

Facebook Suspends Donald Trump's Data Operations Team For Misusing People's Personal Information (theverge.com) 180

An anonymous reader quotes a report from The Verge: Facebook said late Friday that it had suspended Strategic Communication Laboratories (SCL), along with its political data analytics firm, Cambridge Analytica, for violating its policies around data collection and retention. The companies, which ran data operations for Donald Trump's 2016 presidential election campaign, are widely credited with helping Trump more effectively target voters on Facebook than his rival, Hillary Clinton. While the exact nature of their role remains somewhat mysterious, Facebook's disclosure suggests that the company improperly obtained user data that could have given it an unfair advantage in reaching voters. Facebook said it cannot determine whether or how the data in question could have been used in conjunction with election ad campaigns.

In a blog post, Facebook deputy general counsel Paul Grewal laid out how SCL came into possession of the user data. In 2015, Aleksandr Kogan, a psychology professor at the University of Cambridge, created an app named "thisisyourdigitallife" that promised to predict aspects of users' personalities. About 270,000 people downloaded it and logged in through Facebook, giving Kogan access to information about their city of residence, Facebook content they had liked, and information about their friends. Kogan passed the data to SCL and a man named Christopher Wylie from a data harvesting firm known as Eunoia Technologies, in violation of Facebook rules that prevent app developers from giving away or selling users' personal information. Facebook learned of the violation that year and removed his app from Facebook. It also asked Kogan and his associates to certify that they had destroyed the improperly collected data. Everyone said that they did. The suspension is not permanent, a Facebook spokesman said. But the suspended users would need to take unspecified steps to certify that they would comply with Facebook's terms of service.

The Courts

Entire Broadband Industry Will Help FCC Defend Net Neutrality Repeal (arstechnica.com) 84

The biggest lobby groups representing broadband providers will help the FCC defend the repeal of net neutrality rules in court. Ars Technica reports: Yesterday, three trade groups that collectively represent every major home Internet and mobile broadband provider in the U.S. filed motions to intervene in the case on behalf of the FCC. The motions for leave to intervene were filed by NCTA--The Internet & Television Association, CTIA--The Wireless Association, and USTelecom--The Broadband Association. NCTA represents cable companies such as Comcast, Charter, Cox, and Altice. CTIA represents the biggest mobile carriers, such as AT&T, Verizon Wireless, T-Mobile, and Sprint. USTelecom represents wireline telcos with copper and fiber networks, such as AT&T and Verizon. All three groups also represent a range of smaller ISPs.

As intervenors in the case, the groups will file briefs in support of the net neutrality repeal order and may play a role in oral arguments. NCTA's motion noted that its members would once again be subject to "common-carriage regulation under Title II of the Communications Act" if the FCC were to lose the case. CTIA said that its members "would be adversely affected if the [net neutrality] Order were set aside and the prior Title II Order classification and rules were reinstated."


Facial Scanning Now Arriving At US Airports (npr.org) 71

According to a report via NPR, a Geneva-based company called SITA that develops information technology for the world's airlines has installed facial scanning cameras at Orlando International Airport. "Britain-bound passengers -- some wearing Mickey Mouse T-shirts and other Disney paraphernalia -- lined up at Gate 80 recently for the evening British Airways flight to London's Gatwick Airport," reports NPR. "It looks like any other airport departure area, except for the two small gates with what look like small boxes on posts next to them. Those boxes are actually cameras." From the report: Sherry Stein, a senior manager at SITA, says the cameras are triggered when passengers step onto designated footprints. "We collect a photo, send it to CBP, who checks to make sure that person is booked on the manifest and matches the photo that they already have on file." If everything matches, Stein says, "we open the doors and give them the OK to board." All that happens, she says, "in three to five seconds." If things don't match, the traveler's passport is scanned manually by a gate agent. CBP is testing biometric scanning at a dozen or so U.S. international airports to ensure that people leaving the country are who they say they are, and to prevent visa overstays. The Transportation Security Administration, another agency within the Department of Homeland Security, is testing similar devices at security check-in lines.

Sierra Leone Records World's First Blockchain-Powered Election (techcrunch.com) 64

The citizens of Sierra Leone went to the polls on March 7 but this time something was different: the country recorded votes at 70% of the polling to the blockchain using a technology that is the first of its kind in actual practice. The tech, created by Leonardo Gammar of Agora, anonymously stored votes in an immutable ledger, thereby offering instant access to the election results. TechCrunch reports: "Anonymized votes/ballots are being recorded on Agora's blockchain, which will be publicly available for any interested party to review, count and validate," said Gammar. "This is the first time a government election is using blockchain technology." "Sierra Leone wishes to create an environment of trust with the voters in a contentious election, especially looking at how the election will be publicly viewed post-election. By using blockchain as a means to immutably record ballots and results, the country hopes to create legitimacy around the election and reduce fall-out from opposition parties," he said.

Why is this interesting? While this is little more than a proof of concept -- it is not a complete voting record but instead captured a seemingly acceptable plurality of votes -- it's fascinating to see the technology be implemented in Sierra Leone, a country of about 7.4 million people. The goal ultimately is to reduce voting costs by cutting out paper ballots as well as reducing corruption in the voting process.

The Courts

Man Fined For Implanting NFC Train Ticket In Hand (cnet.com) 102

Unhappy Windows User writes: An Australian man, when checked by a ticket inspector, claimed his smart travel card was implanted in his hand. He took the case to court and lost; the fine and legal fees add up to AU$1220 (USD $950). The man, who self-identifies as a biohacker and is a member of the Science Party, accepts the ruling but states that it won't discourage him from further biohacking. He claimed he was ahead of the law. The prosecution argued that, by cutting the chip out of the card, the ticket was invalidated. It is not clear from the article whether the NFC chip was working correctly and could be read by the inspector, or not. Further reading: BuzzFeed News

China To Bar People With Bad 'Social Credit' From Planes, Trains (reuters.com) 166

China says it will begin applying its so-called social credit system to flights and trains and stop people who have committed misdeeds from taking such transport for up to a year. From a report: People who would be put on the restricted lists included those found to have committed acts like spreading false information about terrorism and causing trouble on flights, as well as those who used expired tickets or smoked on trains, according to two statements issued on the National Development and Reform Commission's website on Friday. Those found to have committed financial wrongdoings, such as employers who failed to pay social insurance or people who have failed to pay fines, would also face these restrictions, said the statements which were dated March 2. It added that the rules would come into effect on May 1.
The Internet

Tumblr Has a Massive Creepshots Problem (vice.com) 121

After Reddit famously banned the creepshots sub-reddit, which shared non-consensual, revealing photos of women, Tumblr now has a slew of users pushing out similar photos across at least dozens of dedicated blogs, a Motherboard investigation has found. From the report: Simply typing 'creepshot' or related terms into Tumblr's built-in search function returns a steady stream of tagged posts, and Google queries easily reveal links to relevant Tumblr blogs. Motherboard found just under 70 Tumblr blogs focused on sharing creepshots, most with a bevy of content. In some cases, the Tumblrs also host 'upskirt' photos or videos, where a camera is deliberately, and stealthily, positioned to look up an unsuspecting person's skirt. Some of the subjects of these images, as well as many of the clothed creepshots, appear to be young, possibly teenagers.

"This is only the tip of the iceberg, there are probably hundreds of these accounts filming in high schools, college campuses, in malls, and on the streets. And Tumblr seems to not care at all about the problem," an anonymous tipster, who first alerted Motherboard to the issue, wrote in an email. One of the most popular creepshot Tumblrs has some 11,000 followers, and one of its posts has over 53,000 interactions linked to it, including reblogs, where the video or picture then appears on the user's own Tumblr, spreading the content further.


Yet Again, Google Tricked Into Serving Scam Amazon Ads (zdnet.com) 49

Zack Whittaker, reporting for ZDNet: For hours on Thursday, the top Google search result for "Amazon" was pointed to a scam site. The bad ad appeared at the very top of the search result for anyone searching for the internet retail giant -- even above the legitimate search result for Amazon.com. Anyone who clicked on the ad was sent to a page that tried to trick the user into calling a number for fear that their computer was infected with malware -- and not sent to Amazon.com as they would have hoped.

The page presents itself as an official Apple or Windows support page, depending on the type of computer you're visiting the page from. An analysis of the webpage's code showed that anyone trying to dismiss the popup box on the page would likely trigger the browser expanding to full-screen, giving the appearance of ransomware. A one-off event would be forgivable. But this isn't the first time this has happened. It's at least the second time in two years that Google has served up a malicious ad under Amazon's name.


The 600+ Companies PayPal Shares Your Data With (schneier.com) 48

AmiMoJo shares a report from Schneier on Security: One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good visualization of that data. Is 600 companies unusual? Is it more than average? Less? We'll soon know.

Walmart Whistleblower Claims Cheating In Race With Amazon (bloomberg.com) 35

An anonymous reader quotes a report from Bloomberg: In its race to catch Amazon.com in online retailing, Walmart issued misleading e-commerce results and fired an executive who complained the company was breaking the law, according to a whistle-blower lawsuit. Tri Huynh, a former director of business development at Walmart, claims he was terminated "under false pretenses" after repeatedly raising concerns about the company's "overly aggressive push to show meteoric growth in its e-commerce business by any means possible -- even, illegitimate ones." Under Chief Executive Officer Doug McMillon, Walmart has invested billions to catch up with Amazon in e-commerce over the past few years, and last year enjoyed quarterly online sales growth rates surpassing 50 percent, well above peers that include Target and Best Buy Huynh claims Walmart mislabeled products so that some third-party vendors received lower commissions, failed to process customer returns, and allowed offensive items onto the site. Huynh's dismissal in January 2017 -- just a day after a retail-industry publication singled him out as one of the sector's rising stars -- was in retaliation for warning senior executives about the misdeeds, he said in the lawsuit, filed Thursday by employment litigation attorney David M. deRubertis in San Francisco federal court.
United States

US Says Russia Hacked Energy Grid, Punishes 19 for Meddling (apnews.com) 219

Associated Press: Pushing back harder on Russia, the Trump administration accused Moscow on Thursday of a concerted hacking operation targeting the U.S. energy grid, aviation systems and other infrastructure, and also imposed sanctions on Russians for alleged interference in the 2016 election. It was the strongest action to date against Russia by the administration, which has long been accused of being too soft on the Kremlin, and the first punishments for election meddling since President Donald Trump took office. The sanctions list included the 13 Russians indicted last month by special counsel Robert Mueller, whose Russia investigation the president has repeatedly sought to discredit. U.S. national security officials said the FBI, Department of Homeland Security and intelligence agencies had determined that Russian intelligence and others were behind a broad range of cyberattacks beginning a year ago that have infiltrated the energy, nuclear, commercial, water, aviation and manufacturing sectors. Further reading: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (US-Cert); U.S. blames Russia for cyber attacks on energy grid, other sectors (Reuters); U.S. says Russian hackers targeted American energy grid (Politico); Trump administration finally announces Russia sanctions over election meddling (CNN); U.S. sanctions on Russia cite 2016 election interference -- but remain largely symbolic (USA Today); U.S. Sanctions Russians Charged by Mueller for Election Meddling (Bloomberg); and Trump Administration Sanctions Russians for Election Meddling and Cyberattacks (The New York Times).

Encrypted Email Service ProtonMail is Being Blocked in Turkey (protonmail.com) 35

ProtonMail: We have confirmed that Internet service providers in Turkey have been blocking ProtonMail this week. Our support team first became aware of connectivity problems for Turkish ProtonMail users starting on Tuesday. After further investigation, we determined that protonmail.com was unreachable for both Vodafone Turkey mobile and fixed line users. Since then, we have also received some sporadic reports from users of other Turkish ISPs. At one point, the issue was prevalent in every single major city in Turkey. After investigating the issue along with members of the ProtonMail community in Turkey, we have confirmed this is a government-ordered block rather than a technical glitch. Internet censorship in Turkey tends to be fluid so the situation is constantly evolving. Sometimes ProtonMail is accessible, and sometimes it is unreachable. For the first time ever though, we have confirmed that ProtonMail was subject to a block, and could face further issues in the future. In the post, ProtonMail has also outlined ways to bypass the block.
Electronic Frontier Foundation

New Bill In Congress Would Bypass the Fourth Amendment, Hand Your Data To Police (medium.com) 245

An anonymous reader quotes a report from Medium: Lawmakers behind a new anti-privacy bill are trying to sneak it through Congress by attaching it to the must-pass government spending bill. The CLOUD Act would hand police in the U.S., and other countries, extreme new powers to obtain and monitor data directly from tech companies instead of requiring a warrant and judicial review. Congressional leadership will decide whether the CLOUD Act gets attached to the omnibus government spending bill sometime this week, potentially as early as tomorrow... If passed, this bill would give law enforcement the power to go directly to tech companies, no matter where they or their servers are, to obtain our data. They wouldn't need a warrant or court oversight, and we'll be left with no protections to ensure law enforcement isn't violating our rights. A recent report from the Electronic Frontier Foundation explains how the CLOUD Act circumvents the Fourth Amendment. "This new backdoor for cross-border data mirrors another backdoor under Section 702 of the FISA Amendments Act, an invasive NSA surveillance authority for foreign intelligence gathering," reports the EFF. "That law, recently reauthorized and expanded by Congress for another six years, gives U.S. intelligence agencies, including the NSA, FBI, and CIA, the ability to search, read, and share our private electronic messages without first obtaining a warrant. The new backdoor in the CLOUD Act operates much in the same way. U.S. police could obtain Americans' data, and use it against them, without complying with the Fourth Amendment."

Jewelry Site Leaks Personal Details, Plaintext Passwords of 1.3 Million Users (thenextweb.com) 37

Chicago-based MBM Company's jewelry brand Limoges Jewelry has accidentally leaked the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. The Germany security firm Kromtech Security, which found the leak via an unsecured Amazon S3 storage bucket, also claims the database contained plaintext passwords. The Next Web reports: In a press release, Kromtech Security's head of communicationis, Bob Diachenko, said: "Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts." The [MSSQL database] backup file was named "MBMWEB_backup_2018_01_13_003008_2864410.bak," which suggests the file was created on January 13, 2018. It's believed to contain current information about the company's customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year. Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company. Diachenko says there's no evidence a malicious third-party has accessed the dump, but that "that does not mean that nobody [has] accessed the data."

Toys R Us To Close All 800 of Its US Stores (washingtonpost.com) 194

Toy store chain Toys R Us is reportedly planning to sell or close all 800 of its U.S. stores (Warning: source may be paywalled; alternative source), affecting as many as 33,000 jobs as the company winds down its operations after six decades. The Washington Post reports: The news comes six months after the retailer filed for bankruptcy. The company has struggled to pay down nearly $8 billion in debt -- much of it dating back to a 2005 leveraged buyout -- and has had trouble finding a buyer. There were reports earlier this week that Toys R Us had stopped paying its suppliers, which include the country's largest toy makers. On Wednesday, the company announced it would close all 100 of its U.K. stores. In the United States, the company told employees closures would likely occur over time, and not all at once, according to the source, who spoke on the condition of anonymity because they were not authorized to discuss internal deliberations.

Sri Lanka Accuses Facebook of Failing To Control Hate Speech That Contributed To Deadly Riots (theguardian.com) 73

The Sri Lankan government is accusing Facebook of failing to control rampant hate speech that it says contributed to anti-Muslim riots last week that left three people dead and the country under a state of emergency. The accusations come after the country blocked Facebook and several other platforms last week in an effort to prevent the spread of hate speech. The Guardian reports: On Thursday Fernando, along with the Sri Lankan prime minister, Ranil Wickremesinghe, and communications officials, will meet a Facebook team that has flown to Colombo. The Sri Lankans will demand a new, faster system for taking down posts flagged as a national security risk by agencies in the country. "Facebook is not reacting as fast as we have wanted it to react," Fernando said. "In the past it has taken various number of days to review [flagged posts] or even to take down the pages." On Tuesday he highlighted a tweet from a user who claimed to have reported a Facebook post in the Sinhala language that read "Kill all Muslims, don't even let an infant of the dogs escape." The user claimed he received a reply six days later saying the post did not contravene a specific Facebook community standard. The extremist leader Amith Weerasinghe, who was arrested last week in Kandy after being accused of helping to instigate the violence, had amassed nearly 150,000 followers on his Facebook page before it was taken down last week.

Slashdot Top Deals