USC Data Science Program 529 (DSci 529): Security and Privacy in Informatics - Spring 2021
Lecture Friday - Noon to 3:20 PM
Clifford Neuman
Current Events for February 19 2021
DNA and Biometrics
Fears over DNA privacy as 23andMe plans to go public in deal with Richard Branson - Kari Paul, The Guardian 2/9/21
It was recently announced that 23andMe is planning a merger with Virgin Acquisition Group, a special purpose acquisition corporation (SPAC), before the company begins trading on the New York Stock Exchange. This merger has raised some questions about the privacy of its customers’ data, as 23andMe has shifted its focus to the health and research market. These concerns include the sharing of customer data with outside companies, security of genetic data, and unauthorized use of the data by 23andMe. – Carol Varkey
Clearview AI’s Facial Recognition App Called Illegal in Canada - Kashmir Hill, New York Times, Feb. 3, 2021
Canadian authorities declared that the company needed citizens’ consent to use their biometric information, and told the firm to delete facial images from its database. What the facial recognition application Clearview AI does in Canada is large-scale surveillance that is illegal. They grabbed more than 3 billion photos from social media networks and other public websites to build a facial recognition application, which has now been used by more than 2,400 US law enforcement agencies. – Jinglun Chen
Government Use of Data
Rights group: Cambodia internet gateway will hurt privacy - Heng Sinith, AP 2/18/21
Cambodia plans to set up a new national internet gateway that will help with tax collecting and protecting national security and order, according to their Prime Minister. Internet subscriptions in Cambodia reached 20.3 million from 5 million in 2014, and this policy could infringe privacy and rights of free expression. - Sidong Wang
DWP uses excessive surveillance on suspected fraudsters, report finds - Sarah Marsh, Support the Guardian 2.14, 2021
Suspected benefit fraudsters in the UK are being subjected to excessive surveillance techniques such as being tailed by government officers or identified in CCTV footage, according to a report. BBC, estate agents and the NHS can also be asked to provide information on people who may be under investigation.– Bolong Pan
Amazon says government demands for user data spiked by 800% in 2020 - Zack Whittaker, TechCrunch, February 1, 2021
Amazon processed 27664 government demands for user data in the last six months of 2020, up from 3222 data demands in the first six months of the year, an increase of close to 800%. The latest report shows Germany with 42% of all requests, followed by Spain with 18% and Italy and the U.S. with 11%. The Financial Times reported Ring, the video doorbell startup acquired by Amazon, now has 2000 law enforcement partners across the U.S. - Xihao Zhou
Jamaica's immigration website exposed thousands of travelers' data - Zack Whittaker, TechCrunch 2021 February 17
The Jamaican government contracted Amber Group to build a website and app that is used to track COVID numbers, allow residents to self report their symptoms, and also for travelers to upload travel documents such as passport information and COVID tests for approval for travel to the country. A cloud storage server containing such documents was unprotected and did not have a password, from which data was exposed such as travelers' names, birth date, passport numbers, COVID test results, and quarantine orders. No malicious use of exposed data has been reported. – Danielle Sim
Social Media and Other Apps and Privacy
You’ve been invited to Clubhouse. Your privacy hasn’t. - Author(Sara Morrison), Source(Vox) Feb 12, 2021
Clubhouse is an audio-based app that allows users to create and join rooms where all kinds of topics are discussed.
Even if you didn’t give Clubhouse access to your contacts, Clubhouse has still made it possible for them to know anyway, and encourages them to follow you.
It’s not clear why Clubhouse doesn’t have better options for users to manage their privacy or more information for users about how their data might be used or linked to them.
Clubhouse Is Suggesting Users Invite Their Drug Dealers and Therapists - Will Oremus, OneZero 02/11/2021
Clubhouse, a fast-growing, invite-only app on iPhone, seems to be taking users’ contact data further than the norm. The article explained how Clubhouse uses your personal data in a creative and a little creepy way. By uploading your phone’s address book, you will be able to see a list showing you how many “friends on Clubhouse” each of those people already has. – Yilin Zhang
Mozilla Privacy Report V-Day Edition: Multiple Dating Apps and Tech Gadgets singled out for Serious Security Lapses - Jonathan Greig, Tech Republic 2/10/21
Grindr, Hinge and Halo, among many other apps and tech gadgets, were tagged with the 'Privacy not Included' label by the report. The report looks through the data collection policies and security posture of 24 dating apps, including Tinder and Bumble, in the V-Day edition. Dating apps, especially Grindr and POF, are deemed a privacy nightmare since they share the biometrics and personal information they collect with third parties. - Phuong Ngo
Social media helps bring people together, but in this political climate it's tearing us apart - Meghan Lopez, Denver 7, Feb 01, 2021 10:52 PM
To communicate with others, some people turn to social media, while others use the social networks to take a break from their everyday lives or vent their frustrations. Social media is now playing a part in politics more and more. The channels are now used by politicians, advocacy parties, policymakers, and more as a way to communicate with voters and spread their message. -Supreet Randhawa
Instagram Bans Hundreds of Accounts With Stolen User Names - Taylor Lorenz, The New York Times, Feb. 4, 2021
Many O.G. usernames on Instagram are stolen through hacking, extortion, blackmail and harassment and then sold. Instagram is coordinating with Twitter and TikTok to ban those users who are involved in stealing. – Congrui Li
Social media expose 80 percent oversharing - Phil Muncaster, Infosecurity Magazine 02/02/21
This news tells us about people exposing most of their information over social media making it easier for hackers to do social engineering. The readily available information on social media is being used to do phishing or online fraud. - Aziza Saulebay
Grindr is fined $11.7 million under European privacy law. - Natasha Singer and Aaron Krolik, The New York Times, Jan. 25, 2021
Grindr has been fined by the Norwegian Data Protection Authority for sending location and tracking data to advertising companies without user consent. This not only violates European policy, but has dangerous implications for users in countries where homosexuality is illegal. The sanctions will hopefully emphasize the need for dating apps to acquire consent before sharing sensitive user information. - Brianna Heffernen
Canadian class action over Facebook data scandal dismissed - Christine Dobby, The Standard 02/18/21
An Ontario judge has dismissed one proposed class-action lawsuit against Facebook related to the Cambridge Analytica privacy breach, while a second, broader claim remains outstanding. The data breach came to light in 2018 and exploded into a worldwide scandal, and law firms filed class-action lawsuits, including a handful on behalf of Canadian Facebook users. But the justice ruled that the plaintiff had no proof that any Canadian user’s data was shared with the British firm. – Yixiang Cao
WhatsApp shares plans for new privacy policy -Abrar Al-Heeti,(CNET) Date: 18 Feb 2021
WhatsApp shares its new privacy plan, clarifying that it does not share people's personal chats with Facebook; businesses have the option to use "secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts." - Pratheek Athreya
WhatsApp Will Re-introduce Controversial New Privacy Policy - Karissa Bell, Vice February 18, 2021
Facebook plans to have WhatsApp reimplement a privacy policy that allows any interaction with businesses on WhatsApp to influence the ads targeted towards you on Facebook. Users have been urged to read the privacy policy since there was miscommunication that Facebook planned to take more data from a user's WhatsApp activity. Rather, they plan on using existing data they have extracted from WhatsApp to generate better ads. Because users originally believed that it was infringing upon more of their personal data, they began turning towards alternative messaging apps. – Addison Allred
WhatsApp will re-introduce controversial new privacy policy -K.Bell; engadget; date: 18 Feb 2021
WhatsApp claims that it does not have access to its users' private communications, but they released a new policy in January that needed its users to agree to its new policy to continue using WhatsApp. After facing a lot of backlash due to it, they are planning to re-introduce the updated privacy policy in the coming weeks. The new policy will address people's concerns and the role Facebook plays with WhatsApp's data. It is still suspicious that Facebook claims that they get no data from WhatsApp whatsoever, but there is a usual distrust when it comes to Facebook, given its background. - Pratishtha Sing
WhatsApp is having another go at explaining its privacy policy to users - Ian Carlos Campbell - The Verge - Feb 18, 2021
WhatsApp made a new announcement, which explains how users can learn about their privacy policy. The new policy focuses on treating business-user messages and user-user messages differently. The goal of this new policy is possibly to address the rising concerns of WhatsApp sharing data with its parent company, Facebook. – Zihuan Ran
WhatsApp Chaos: Time for a Comprehensive Data Security and Privacy Law? - Author: Jason Williams, Source: infosecurity magazine, Date:2/8/2021
WhatsApp published its new terms and conditions, and users are obliged to accept them if they wish to continue using WhatsApp after February 8 2021. Under the new terms, Facebook would have access to millions of users' information from WhatsApp. Some countries such as India have filed a petition against WhatsApp saying it is jeopardizing national security. GDPR applicable countries will receive a privacy policy because GDPR is one of the strictest in the world. Therefore, it is not too late to act, and introduce sound privacy legislation now to ensure that app providers have meaningful, clear terms and conditions that will allay doubts and suspicions in the minds of the user. – Tingyi Guo
Italy orders TikTok to block underage users after 10 year-old girl dies doing viral challenge - Euronews, Jan/27/2021
Italy ordered TikTok to block access to users whose age cannot be confirmed. The temporary ban, which comes after the death of a young girl, will last until 15 February. Italy also asked other social networks for clarification on their children's policies. – Jia-Yu Lee
Supply Chain Subversion
Data security depends on a secure software-development supply chain - Author: Santiago Torres-Arias, Source: Venture Beat, Date: January 24, 2021
Today, if we want to protect data security and prevent supply-chain attacks, the key challenge is: how can we secure today's ecosystem, which is made mostly of open-source and closed-source hybrids? Given the cultural background and approach to open source that is pervasive today, developers need to start injecting infrastructure and convey all of this information to users and consumers so they can make educated decisions. Besides, the lazy factor also causes this problem: using cryptography is inconvenient and not taken seriously. A cryptographic paper trail can provide verifiable information. -- Tingyi Guo
Other
How to Identity Proof in an Increasingly Virtualized World - Jonathan McDonald, Entrepreneur January 28, 2021
Businesses are improving identity techniques to keep a balance between security and accessibility, so that users can access their services without burdensome steps, but hacking can be detected and prevented. Several digital footprints are brought into intelligence analysis to draw a more complete picture and bring more confidence to identity proofing. Risks, however, still exist, as fraudsters are innovating hacking techniques, and more data are being collected and are at risk of exposure. – Lingyu Ge
CES2021: Raising the Bar on Privacy and Trust Online in 2021 - James Coker, INFO Security, Jan. 28th 2021
At the Consumer Electronics Show (CES) 2021, a message of raising the bar on the privacy of tech companies' online services was brought up, because more customers were using their products for very important interactions. Many tech companies claimed that they have a duty to help users feel safe online when using their products, including through transparent privacy controls and data protection rules. In addition, the collection of users' private data for artificial intelligence and machine learning purposes was raised as a concern. – Zixin Zheng
Tik Tok bug gave access to contact's profile details - Author(Phil Muncaster), Source(Info Security Magazine) Date: 26 Jan 2021
A bug in Tik Tok's find a friend feature was found which allows an attacker to get details of all contacts in a victim's phone book.
Since users sync their phone numbers with their account, this allows attackers to bypass https messaging to sign in.
An attacker could use this to get private sensitive information and use it for malicious purposes such as phishing.
Animals should also have digital privacy - Rose Eveleth, 1/31/2020
We humans always care about the terrible outcomes of surveillance by ubiquitous cameras, but animals may have been watched more. Animals cannot choose what information to provide to other individuals. Data that the animals generate can be used to hurt them; for example, poachers in India attempted to hack into data from the GPS collar of a tiger. - Chengyuan Zhou
The Pandemic and Privacy
Proposed Bill to Protect Health Related Data - Anuja Vaidya, MedCity News February 2, 2021
One of the main ways that the government has tried to control the spread of COVID-19 is by using technology. Because of this, there has been a large increase in health and medical data recorded for citizens. To ensure that this data is not misused and that an individual's privacy is protected, Democrats have proposed the Public Health Emerging Privacy Act to ensure that companies don't misuse this data for marketing and that the data is prevented from landing in the wrong hands. – Addison Allred
The Better Business Bureau is warning people not to post their Covid-19 vaccination cards on social media - Alaa Elassar, CNN 2.1, 2021
The Better Business Bureau warns people not to share their Covid-19 vaccine cards because they may give their personal info away. Another issue is that it makes it convenient for scammers to create imitation cards to sell. The BBB suggests sharing vaccine stickers instead of vaccine cards. – Bolong Pan
Scammers Selling Fake #COVID19 Vaccination Cards for Just $20 - Phil Muncaster, Infosecurity Magazine 02/10/2021
With 13% of Americans saying they won’t take the vaccine, a black market for COVID-19 vaccine cards has now emerged. According to DomainTools, scammers copy batch codes from people who posted their real cards on social media and have started to sell the cards on Shopify-backed online stores. They have reached out to Shopify to monitor this kind of goods. – Mingliao Xu
Working From Home Can Be Deadly - Myrle Croasdale, Digital Privacy, 18th February 2021
COVID pushed up HIPAA violations last year to a second-straight record; they soared 26% last year. Two major factors driving this trend are how medical records are considered to be an information gold mine for identity thieves and how people in medical fields are less prepared in cybersecurity compared to other sectors. - Nana Andriana
The Hot New Covid Tech Is Wearable and Constantly Tracks You - Natasha Singer, New York Times 11/15/2020
The powerful new surveillance systems, wearable devices that continuously monitor users, are being used in many places for different groups and purposes. In Rochester, Mich., Oakland University is preparing to hand out wearable devices to students that log skin temperature once a minute. In Plano, Texas, employees at the headquarters of Rent-A-Center started wearing detectors for virus exposure. And in Knoxville, students on the University of Tennessee football team tuck proximity trackers under their shoulder pads during games - Tian Yang
Privacy Regulation and other Government Regulation
New Ethical Concerns in Online Privacy and Data Security - Joseph Chukwube, InfoSecurity, 02/05/21
The paper raises ethical concerns about the privacy of online technology and hopes to raise users’ awareness of their rights regarding internet privacy. The author mentions GDPR, under which users have the right to choose how their data is used, controlled, and stored. The author also provides the example of WhatsApp releasing a controversial new privacy policy that allows it to share data with Facebook and forces users to accept the same. – Yi Lin
Most are concerned about data privacy, but few are willing to change habits - Help Net Security, Feb 4, 2021
People are more concerned about their data privacy, especially during the pandemic. However, they are not protecting their personal information proactively; some don't even read the terms and conditions. Many people, especially the younger generations, are willing to share their personal information for convenience. – Junbo Sheng
CCPA: Privacy Notices & Access Requests - David A. Zetoony - National Law Review Jan 29, 2020
While the CCPA (California Consumer Privacy Act) allows consumers to "institute a civil action" for unauthorised access to their personal information, it does not provide a right of action. The CPRA (California Privacy Rights Act), which is based on the CCPA, uses the terms “right to know” and “right to access” synonymously. A customer can submit a request for specific information, which urges companies to give more detailed information than category-level, which was the case before. – Zihuan Ran
Gov. DeSantis slams big tech, proposes data privacy bill - WFLA8 Staff, WFL8 2-15-21
Earlier this week, Gov. DeSantis proposed a new law to protect the data privacy of Floridians from big tech. The proposed law features elements such as allowing users to request that their data be deleted and giving them the option of opting out of the selling of personal information. Many believe that a source of motivation for such efforts revolves around the fact that platforms such as Twitter banned former President Trump. – Resherle Verna
Virginia is about to get a major California-style data privacy law. - Kate Cox, arsTECHNICA 2/11/2021
Virginia is about to become the second state in the country which adopts a comprehensive online data protection law for consumers. The CDPA applies to entities that "control or process" personal information of 100,000 or more Virginia residents in a calendar year or to entities that make 50 percent or more of their gross revenue from the sale of personal data if they hold information about at least 25,000 residents. – Rosy Zhou
New state privacy initiatives turn up heat on Congress - Rebecca Klar and Chris Mills Rodrigo, The Hill 02/10/2021
Virginia will be the second state that passes its state-level data privacy bills after California passed its privacy law in 2018. Many other states also have their plans on data privacy laws pending, while experts believe that different state levels can be troublesome. Experts expect the Biden administration to be more proactive in pushing forward a federal-level data privacy law. – Haonan Xu
Virginia Consumer Data Protection Act on the horizon — Now what? - Joseph Duball, IAPP, 4 February 2021
Virginia is set to be the next U.S. state with a comprehensive data privacy law, Consumer Data Protection Act (CDPA). The Senate Bill passed unanimously by the Virginia Senate on its first and second readings and is set for the final approval on Feb 5. The bill follows principles outlined in CCPA and GDPR such as threshold requirements, definition of personal data, individual rights for VA residents, and opt-out provisions. More interestingly, it includes a separate category called "sensitive data" which includes racial or ethnic origin, religious beliefs, biometric data, and geolocation that can only be processed with consent. If signed into law, it will go into effect the same day as CPRA (January 1, 2023). -- Jonathan De Leon
Banks and fintechs battle over financial data - Tomio Geron, Protocol, 4th February 2021
The Consumer Financial Protection Bureau is preparing to change its rules on financial data. In Section 1033 of the Dodd-Frank Act, the changes could have a major impact on how consumers can access and move their financial data between banks, fintechs and other companies — as well as which companies become consumers' go-to source for financial services. – Nana Andriana
Singapore assessing WhatsApp privacy policy change, not 'adversely affected' in SolarWinds breach - Eileen Yu, By The Way 02/02/21
Singapore has yet to see any significant impacts from the SolarWinds security breach on its critical information infrastructures or government systems. But it is looking into concerns related to upcoming privacy policy changes on WhatsApp, which is amongst the messaging platforms the government uses to push information to the local population. WhatsApp in recent weeks has begun pushing notifications to users about an update to its privacy statement. – Yixiang Cao
Apple
First Malware Designed for Apple M1 Chip Discovered in the Wild - Ravie Lakshmanan, The Hacker News, 2-18-2021
Despite being only recently released, there is already a piece of malware similar to Pirrit that is able to infect the device. Despite being a natively x86 compatible malware, it has been modified to run on the M1's ARM architecture and allow the download and install of unwanted applications, i.e., the GoSearch22 adware. Although GoSearch22 has had its certificates revoked, it had the ability, when valid, to disguise itself as a legitimate browser and collect browsing data as well as pop up random advertisements and download more malware. This is the first of what is likely to be many compromises of Apple's newly designed CPU. - Vartan Batmazyan
Apple’s New Privacy Labels May Not Always Be Correctly Applied - Scott Ikeda, CPO Magazine, 02/12/2021
- The privacy labels of some Apple apps were found to not accurately represent the information collected, as tested by a number of media sources
- The main issue is due to Apple's not checking each and every app submitted to the store for compliance
- It seems like Apple’s new privacy labels may rely strongly on “community policing” to be truly effective, if not properly handled
- Haipeng Yu
iOS 14.4 update fixes iPhone security bugs, so it’s best to install it ASAP - The Verge>New iPhone update fixes actively exploited vulnerability - Mitchell Clark, The Verge January 26 2021
As discussed in lecture, security mechanisms are what realize security policy. In its most recent patch notes, Apple disclosed an 'arbitrary code execution' bug. This kind of flaw allows hackers to bypass security mechanisms and unfortunately it was seen 'actively exploited'. – Francisco Ventura
What We Learned From Apple’s New Privacy Labels - Brian X. Chen, New York Times,Jan. 27, 2021
The Apple store requires application manufacturers to list labels to indicate how the application will use the collected data to process customer information, which will also cause confusion for other applications. How to read Apple’s privacy labels becomes important. – Jinglun Chen
Apple and Facebook at odds over privacy move that will hit online ads - Alex Hern, theguardian.com, Jan 28, 2021
Apple decided to release a new feature called App Tracking Transparency (ATT) in "early spring". This will require apps to ask for users' permission in order to track them around the web. Facebook said Apple was pushing for "anti-personalized ads and will take the world back 10 or 20 years"; they believe "ATT" will kill small businesses by preventing them from advertising to would-be customers. Also, Facebook targets a number of other features of iOS that are applied unfairly. A new set of "privacy nutrition labels" requires Facebook to list the types of data it collects while apps provided by Apple like iMessage do not display the same info. - Xihao Zhou