USC Data Science Program 529 (DSci 529): Security and Privacy in Informatics - Spring 2021
Lecture Friday - Noon to 3:20 PM
Clifford Neuman
Current Events for February 26 2021
What’s Different About Data Security in the Cloud? Almost Everything -Ron Bennatan, Security Boulevard, Feb. 24th 2021
Many tech companies have accelerated their modernization plans for practical reasons due to the COVID-19 pandemic, but it's hard for security to catch up with these cloud services. Most of the companies are facing two problems, data leaks and non-compliance, which lead to a great security gap between modern acceleration and the security policy. – Zixin Zheng
Government Use of Data
Singapore Government Plan To Install Monitoring App on Student Computers Meets With Resistance From Privacy Groups, NGOs - Scott Ikeda, CPO, 02, 18, 2021
The government of Singapore is rolling out an initiative that aims to ensure all secondary school students in the country have a computer for home learning. However, these student computers will come packed with a potentially unwelcome addition: a monitoring app that allows teachers to view and control the screens remotely. And once the computers are distributed, students using their own devices will be required to install the monitoring app on them as well.
-Yueming, Gao
Supply Chain Subversion
Data security depends on a secure software-development supply chain - Author: Santiago Torres-Arias, Source: Venture Beat, Date: January 24, 2021
Today, if we want to protect data security and prevent supply-chain attacks, the key challenge is, how can we secure today's ecosystem that is made mostly of open-source and closed-source hybrids? Given the cultural background and approach to open source that is pervasive today, developers need to start injecting infrastructure and convey all of this information to users and consumers so they can make educated decisions. Besides, the lazy factor also causes this problem: using cryptography is inconvenient and not taken seriously. A cryptographic paper trail can provide verifiable information. -- Tingyi Guo
Other
How to Identity Proof in an Increasingly Virtualized World - Jonathan McDonald, Entrepreneur January 28, 2021
Businesses are improving identity techniques to keep a balance between security and accessibility, so that users can access their services without burdensome steps, but hacking can be detected and prevented. Several digital footprints are involved in intelligence analysis to draw a more complete picture and bring more confidence for identity proof. Risks, however, still exist, as fraudsters are innovating hack techniques, and more data are being collected and at risk of exposure. – Lingyu Ge
CES2021: Raising the Bar on Privacy and Trust Online in 2021 - James Coker, INFO Security, Jan. 28th 2021
At the Consumer Electronics Show (CES) 2021, a message of raising the bar on the privacy of tech companies' online services was brought up because more customers were using their products for very important interactions. Many tech companies claimed that they have a duty to help users feel safe online when using their products, including transparent privacy controls and data protection rules. In addition, the collection of users' private data for artificial intelligence and machine learning purposes was brought up as a concern. – Zixin Zheng
TikTok bug gave access to contact's profile details - Author (Phil Muncaster), Source (Info Security Magazine), Date: 26 Jan 2021
A bug in TikTok's find a friend feature was found which allows an attacker to get details of all contacts in a victim's phone book.
Since users sync their phone numbers with their account, this allows attackers to bypass HTTPS messaging to sign in.
An attacker could use this to get private sensitive information and use it for malicious purposes such as phishing.
Animals should also have digital privacy - Rose Eveleth, 1/31/2020
We humans always care about the terrible outcomes of surveillance by ubiquitous cameras; animals may have been watched more. Animals cannot choose what information to provide to other individuals. Data that the animals generated can be used to hurt them; for example, poachers in India attempted to hack into data from the GPS collar of a tiger. - Chengyuan Zhou
The Pandemic and Privacy
Proposed Bill to Protect Health Related Data - Anuja Vaidya, MedCity News February 2, 2021
One of the main ways that the government has tried to control the spread of COVID-19 is by using technology. Because of this, there has been a large increase in health and medical data recorded for citizens. To ensure that this data is not misused and that an individual's privacy is protected, Democrats have proposed the Public Health Emerging Privacy Act to ensure that companies don't misuse this data for marketing and that the data is prevented from landing in the wrong hands. – Addison Allred
The Better Business Bureau is warning people not to post their Covid-19 vaccination cards on social media - Alaa Elassar, CNN 2.1, 2021
The Better Business Bureau warns people not to share their COVID-19 vaccine cards because they may give their personal info away. Another issue is that it makes it convenient for scammers to create imitation cards to sell. The BBB suggests sharing vaccine stickers instead of vaccine cards. – Bolong Pan
Scammers Selling Fake #COVID19 Vaccination Cards for Just $20 - Phil Muncaster, Infosecurity Magazine 02/10/2021
With 13% of Americans saying they won’t take the vaccine, a black market for COVID-19 vaccine cards has now emerged. According to DomainTools, scammers copied batch codes from people who posted their real cards on social media and started to sell them on Shopify-backed online stores. They have reached out to Shopify to monitor this kind of goods. – Mingliao Xu
Working From Home Can Be Deadly - Myrle Croasdale, Digital Privacy, 18th February 2021
COVID pushed HIPAA violations up to a second-straight record last year, soaring 26%. Two major factors driving this trend are how medical records are considered to be an information gold mine for identity thieves and how people in medical fields are less prepared in cybersecurity compared to other sectors. - Nana Andriana
The Hot New Covid Tech Is Wearable and Constantly Tracks You - Natasha Singer, New York Times 11/15/2020
The powerful new surveillance systems, wearable devices that continuously monitor users, are being used in many places for different groups and purposes. In Rochester, Mich., Oakland University is preparing to hand out wearable devices to students that log skin temperature once a minute. In Plano, Texas, employees at the headquarters of Rent-A-Center started wearing detectors for virus exposure. And in Knoxville, students on the University of Tennessee football team tuck proximity trackers under their shoulder pads during games - Tian Yang
Privacy Regulation and other Government Regulation
TikTok Consumer Privacy Class Settlement Includes $92M Payout - Author(Ashley Cullins), Source(hollywoodreporter) Feb 24, 2021
TikTok has reached a deal that will resolve a class-action complaint over consumer privacy violations via its current app and its predecessor, Musical.ly, and, if approved by the court, the video-sharing social platform will pay $92 million into a settlement fund.
In addition to the payout, TikTok also has promised to initiate a new privacy compliance training program to protect users' data. -- Kaifan Lu
TikTok to Pay $92 Million Settlement in Nationwide Class-Action Lawsuit Over Alleged Privacy Violations - Alyse Stanley, Gizmodo Feb 25, 2021
TikTok paid $92 million to settle a complaint about privacy violations. TikTok was alleged to have secretly used facial recognition technology to collect users’ biometric data, including ethnicity, gender and age, and some highly sensitive personal data without users’ permission, and to have sold them to some third-party cooperators. TikTok denied most of the claims, but they agreed not to collect data outside of the privacy policy. – Lingyu Ge
Balancing Privacy With Data Sharing for the Public Good - Erik Carter, The New York Times, 2/19/21
This is about economic news. Economists say that data with social value can be combined with standards to protect personal privacy. Governments and technology companies are increasingly collecting large amounts of personal data, which has produced new laws, numerous investigations, and calls for stricter regulations to protect personal privacy. – Yansong Wang
U.K. Tabloid Invaded Meghan’s Privacy, Judge Says - Mark Landler, The New York Times 02/11/2021
A High Court judge ruled that The Mail, a U.K. tabloid, had violated the privacy of Meghan Markle, the Duchess of Sussex, by publishing a private letter she had sent to her estranged father. The tabloid received a letter from Meghan's father, Thomas Markle, in February 2019 and contended that he was under no legal obligation to keep the contents of the letter private, due to the duchess' role as a public figure. Nevertheless, the judge ruled that Meghan, the Duchess of Sussex, had a reasonable expectation that the contents of the letter would remain private, calling the disclosures from the letter, published by the article, "manifestly excessive and hence unlawful".
-- Philana Williams
New Ethical Concerns in Online Privacy and Data Security - Joseph Chukwube, InfoSecurity, 02/05/21
The paper raises the ethical concern about the privacy of online technology and hopes to raise users’ awareness of rights regarding internet privacy. The author mentions GDPR, under which users have the right to choose how their data is used, controlled, and stored. And the author provides the example of WhatsApp releasing a controversial new privacy policy that allows it to share data with Facebook and forces users to accept the same. – Yi Lin
Most are concerned about data privacy, but few are willing to change habits - Help Net Security, Feb 4, 2021
People are concerned more about their data privacy, especially during the pandemic. However, they are not protecting their personal information proactively; some don't even read the terms and conditions. Many people, especially the younger generations, are willing to share their personal information for convenience. – Junbo Sheng
CCPA: Privacy Notices & Access Requests - David A. Zetoony - National Law Review Jan 29, 2020
While CCPA (California Consumer Privacy Act) allows consumers to "institute a civil action" for unauthorised access to their personal information, it does not provide a right of action. CPRA (California Privacy Rights Act), which is based on CCPA, uses the terms “right to know” and “right to access” synonymously. A customer can submit a request for specific information, which urges companies to give more detailed information than category-level, which was the case before. – Zihuan Ran
Gov. DeSantis slams big tech, proposes data privacy bill - WFLA8 Staff, WFL8 2-15-21
Earlier this week, Gov. DeSantis proposed a new law to protect the data privacy of Floridians from big tech. The proposed law features elements such as allowing users to request that their data be deleted and giving them the option of opting out of the selling of personal information. Many believe that a source of motivation for such efforts revolves around platforms such as Twitter banning former President Trump. – Resherle Verna
States Push Internet Privacy Rules in Lieu of Federal Standards - David Uberti, The Wall Street Journal 02/18/2021
Data protection bills in Washington and Virginia come as the coronavirus pandemic pushes life further online; e-commerce, marketing and tech companies must navigate differing state-level privacy laws. There is an increasing phenomenon of state-level internet privacy proposals aiming to replace a nationwide framework, which could provide new protections for consumers and additional question marks for businesses. Many businesses have warned of a supplement of privacy laws since California passed its landmark statute in 2018, which supercharged other state-level attempts to pass comprehensive data protections in lieu of a federal standard.
– Lei Gao
Virginia is about to get a major California-style data privacy law. - Kate Cox, arsTECHNICA 2/11/2021
Virginia is about to become the second state in the country which adopts a comprehensive online data protection law for consumers. The CDPA applies to entities that "control or process" personal information of 100,000 or more Virginia residents in a calendar year or to entities that make 50 percent or more of their gross revenue from the sale of personal data if they hold information about at least 25,000 residents. – Rosy Zhou
New state privacy initiatives turn up heat on Congress - Rebecca Klar and Chris Mills Rodrigo, The Hill 02/10/2021
Virginia will be the second state that passes its state-level data privacy bills after California passed its privacy law in 2018. Many other states also have their plans on data privacy laws pending, while experts believe that different state levels can be troublesome. Experts expect the Biden administration to be more proactive in pushing forward a federal-level data privacy law. – Haonan Xu
Virginia Consumer Data Protection Act on the horizon — Now what? - Joseph Duball, IAPP, 4 February 2021
Virginia is set to be the next U.S. state with a comprehensive data privacy law, Consumer Data Protection Act (CDPA). The Senate Bill passed unanimously by the Virginia Senate on its first and second readings and is set for the final approval on Feb 5. The bill follows principles outlined in CCPA and GDPR such as threshold requirements, definition of personal data, individual rights for VA residents, and opt-out provisions. More interestingly, it includes a separate category called "sensitive data" which includes racial or ethnic origin, religious beliefs, biometric data, and geolocation that can only be processed with consent. If signed into law, it will go into effect the same day as CPRA (January 1, 2023). -- Jonathan De Leon
Banks and fintechs battle over financial data - Tomio Geron, Protocol, 4th February 2021
The Consumer Financial Protection Bureau is preparing to change its rules on financial data. In Section 1033 of the Dodd-Frank Act, the changes could have a major impact on how consumers can access and move their financial data between banks, fintechs and other companies — as well as which companies become consumers' go-to source for financial services. – Nana Andriana
Singapore assessing WhatsApp privacy policy change, not 'adversely affected' in SolarWinds breach - Eileen Yu, By The Way 02/02/21
Singapore has yet to see any significant impacts from the SolarWinds security breach on its critical information infrastructures or government systems. But it is looking into concerns related to upcoming privacy policy changes on WhatsApp, which is amongst the messaging platforms the government uses to push information to the local population. WhatsApp in recent weeks has begun pushing notifications to users about an update to its privacy statement. – Yixiang Cao
Apple
First Malware Designed for Apple M1 Chip Discovered in the Wild - Ravie Lakshmanan, The Hacker News, 2-18-2021
Despite being only recently released, there is already a piece of malware similar to Pirrit that is able to infect the device. Despite being a natively x86 compatible malware, it has been modified to run on the M1's ARM architecture and allow the download and install of unwanted applications, i.e., the GoSearch22 adware. Although GoSearch22 has had its certificates revoked, it had the ability, when valid, to disguise itself as a legitimate browser and collect browsing data as well as pop up random advertisements and download more malware. This is the first of what is likely to be many compromises of Apple's newly designed CPU. - Vartan Batmazyan
Apple’s New Privacy Labels May Not Always Be Correctly Applied - Scott Ikeda, CPO Magazine, 02/12/2021
- The privacy labels of some Apple apps were found to not accurately represent the information collected, as tested by a number of media sources
- The main issue is due to Apple's not checking each and every app submitted to the store for compliance
- It seems like Apple’s new privacy labels may rely strongly on “community policing” to be truly effective, if not properly handled
- Haipeng Yu
iOS 14.4 update fixes iPhone security bugs, so it’s best to install it ASAP - The Verge>New iPhone update fixes actively exploited vulnerability - Mitchell Clark, The Verge January 26 2021
As discussed in lecture, security mechanisms are what realize security policy. In its most recent patch notes, Apple disclosed an 'arbitrary code execution' bug. This kind of flaw allows hackers to bypass security mechanisms and unfortunately it was seen 'actively exploited'. – Francisco Ventura
What We Learned From Apple’s New Privacy Labels - Brian X. Chen, New York Times,Jan. 27, 2021
The Apple store requires application manufacturers to list labels to indicate how the application will use the collected data to process customer information, which will also cause confusion for other applications. How to read Apple’s privacy labels becomes important.
– Jinglun Chen
Apple and Facebook at odds over privacy move that will hit online ads - Alex Hern, theguardian.com, Jan 28, 2021
Apple decided to release a new feature called App Tracking Transparency (ATT) in "early spring". This will require apps to ask for users' permission in order to track them around the web. Facebook said Apple was pushing for "anti-personalized ads and will take the world back 10 or 20 years"; they believe "ATT" will kill small businesses by preventing them from advertising to would-be customers. Also, Facebook targets a number of other features of iOS that are applied unfairly. A new set of "privacy nutrition labels" requires Facebook to list the types of data it collects while apps provided by Apple like iMessage do not display the same info. - Xihao Zhou