USC Data Science Program 529 (DSci 529): Security and Privacy in Informatics - Spring 2021

Lecture Friday - Noon to 3:20PM PM
Clifford Neuman

Current Events for March 5th 2021

Internet of Things

The New York Police Department has been testing Digidog, which it says can be deployed in dangerous situations and keep officers safer, but some fear it could become an aggressive surveillance tool. Jay Stanley, a senior policy analyst with the American Civil Liberties Union, said empowering a robot to do police work could have implications for bias, mobile surveillance, hacking and privacy. There is also concern that the robot could be paired with other technology and be weaponized. -Yueming, Gao

The New York Police Department has been testing Digidog, which can be deployed in dangerous situations, thereby avoiding direct confrontation between police officers and murderers, such as playing a role in hostage-taking incidents. But the police did not release the specific details of this technology. Some people worry that it will become an offensive surveillance tool and invade people’s privacy – Jinglun Chen

The New York Police Department’s Digidog, a new model robot functions as a surveillance tool within the emergency service unit and bomb squad. But this new model has raised concerns in terms of its unregulated use potentially causing biases and being weaponized via hacking. The recently passed Public Oversight of Surveillance Technology Act provides some requirements on these types of surveillance technologies, such as Digidog for more transparency to the communities it serves. – Carol Varkey

Digidog, which is a 70-pound robotic dog, has been deployed by the NYPD to save lives in hostage situations and hazmat incidents. However, the cameras, two-way communication system, along with other features assembled on the Digidog had caused concerns in the public. People are demanding transparency and openness on those surveillance tools used by the police. – Jiemin Tang

The New York Police Department has been testing Digidog, which it says can be deployed in dangerous situations and keep officers safer, but some fear it could become an aggressive surveillance tool. The City Council passed the Public Oversight of Surveillance Technology Act last June that requires the Police Department to be more transparent about its surveillance and technology tools, including Digidog. -Gan Xin

A general overview of what the field of IoT needs to do both from a developer's side as well as a consumer's side in reference to the IoT Cybersecurity Improvement Act. Also this article discussed what the government expects from industry and academia going forward. -Emily Christiansen

Google

The U.S. government is asking Google to release granular data corresponding to user data in two different time periods (in 2015 & in 2020). In addition, Google is being asked to share data in how users searched in those time periods and what revenue they received via ads displayed to those users. All of this data is required within the next 30 days and the DOJ is also investigating whether Google is in violation of the Sherman Act (w.r.t. monopolization) – Tanmay Ghai

Google has protected users’ info very well and almost none is exposed to public during these years. Google abandon tracking third-party cookies while shifting to a privacy-focused first-party data model. As consumer expectations for privacy rises, Google believes solutions that use personal identifiers are not a sustainable lone-term investment.– Bolong Pan

Google claims that it won’t use any new identifiers made by third parties. The company is working on protect anonymity while still delivering results for advertisers and publishers. This new ad policies reflect a changing industry -- and a potential move to sidestep government regulation. – Rosy Zhou

Google is striving to implement stricter policies in regards to their users' privacy due to the backlash and lawsuits that have been filed against them. Google wants to make their data that they collect be more anonymous, and release lease personal level data to advertisers. Google will also no longer try and support as many cookies as they currently do during the second quarter of the fiscal year. – Addison Allred

Other, e.g. Security Technologies

Non-fungible tokens, built on the Ethereum blockchain, are a way to prove ownership of digital art and collectibles. But what happens when the file, storage solution, or issuing organization is taken offline? How does the NFT prove ownership if the location of the asset changed? This article calls for a standard on how NFT media is permanently persisted to resolve data ownership.

A website MyHeritage launched a “Deep Nostalgia” tool to create realistic deepfake animations from images. The tool is designed for getting an idea of what a person might have been as a living human being from an old photo. However, using this tool may also cause exposure to data privacy. – Haonan Xu

The Pandemic and Privacy

As campuses around the US are reopening, hundreds of colleges and universities are adopting technologies such as fever scanners, symptom checkers, wearable heart-rate monitors and other new Covid-screening technologies. These tools often cost less than frequent virus testing of all students. Even though these technologies help colleges in showcasing their pandemic safety efforts, their usefulness in identifying possible cases and their effectiveness in preventing the spread are in question. - Arzu Karaer

A viral video shows a doctor accusing the U.S. government of testing out COVID-19 vaccines on the general population and involuntarily entering recipients into a tracking system. The article fact checks the claims made by the doctor and gives proof of how invalid this claim is and what the actual story is. -Supreet Randhawa

Vaccine-related phishing jumped 26% in a recent three-month period. It shows that criminals adjusted and intensified their campaigns according to real-world news events and public awareness. What's more, they also improved their email tactics to bypass gateways and spam filters. -zheyu ren

Privacy Regulation and other Government Regulation

The post points out Virginia has become the second state that enacts comprehensive privacy legislation after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA). This post takes a look at the VCDPA provisions that are novel and require close attention by companies. The new ground of the bill is that it includes a category called "sensitive data" which can only be processed with users' consent. - Yi Jin

Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. The bill will give consumers the right to opt out of having their personal data processed for targeted advertising and the right to confirm if their data is being processed. Other states are also considering data privacy proposals. –Yixiang Cao

Massachusetts is one of the first states to put legislative guardrails around the use of facial recognition technology in criminal investigations. The state managed to strike a balance on regulating the technology, allowing law enforcement to harness the benefits of the tool, while building in protections that might prevent the false arrests that have happened before. - Aziza Saulebay

Apple

Despite being only recently released, there is already a piece of malware similar to Pirrit that is able to infect the device. Despite being a natively x86 compatible malware, it has been modified to run on the M1's ARM architecture and allow the download and install of unwanted applications ie the GoSearch22 adware. Although GoSearch22 has had its certificates revoked, it had the ability, when valid, to disguise itself as a legitimate browser and collect browsing data as well as pop up random advertisements and download more malware. This is the first of what is likely to be many compromises of Apple's newly designed CPU. -Vartan Batmazyan

• The privacy labels of some Apple apps were found to not accurately represent the information collected, tested by a number of media sources
• The main issue is due to apple's not checking each and every app submitted to the store for compliance
• It seems like Apple’s new privacy labels may rely strongly on “community policing” to be truly effective, if not properly handled
• Haipeng Yu

As discussed in lecture, security mechanisms are what realize security policy. In its most recent patch notes, Apple disclosed an 'arbitrary code execution' bug. This kind of flaw allows hackers to bypass security mechanisms and unfortunately it was seen 'actively exploited'. – Francisco Ventura

APPLE store requires application manufacturers to list labels to indicate how the application will use the collected data to process customer information, which will also cause confusion for other applications. How to Read Apple’s Privacy Labels become important. – Jinglun Chen

Apple decided to release a new feature called App Tracking Transparency(ATT) in "early spring". This will require apps to ask for users' permission in order to track them around the web. Facebook said Apple was pushing for "anti-personalized ads and will take the world back 10 or 20 years", they believe "ATT" will kill small businesses by preventing them from advertising to would-be customers. Also, Facebook targets a number of other features of IOS that are applied unfairly. A new set of "privacy nutrition labels" requires Facebook to list the types of data it collects while apps provided by Apple like iMessage do not display the same info. - Xihao Zhou

The new Apple IDFA terms will soon require apps that use ad tracking to notify iPhone and iPad users and obtain consent via a pop-up.That appears to be the tack that Facebook is taking. And Facebook started rolling out the messages to users of the Apple Facebook and Instagram apps on Monday – Hehan Xie

The story explains different views of executives of Apple's big tech buddies on Apple’s new privacy updates which mandate that apps ask for permission to track user behavior. Executives of Facebook and Snap were pretty much down with the privacy, while Twitter claimed the changes could have a modest impact and Google kept silent on it. - Yi Jin

This is a follow-up of my last news about Apple's App Tracking Transparency(ATT). Facebook will display a new pop-up screen to encourage users to agree with their data tracking policy. Apple will allow users to control what data each app collects and switch it on and off at will. - Xihao Zhou

Data Breaches and Vulnerabilities

Two researchers carried out the first extensive field study to shed light on the issue and to identify exactly which information is being collected when users grant permissions to apps. Thanks to machine learning techniques, these data provide sensitive information such as the place where users live, their habits, interests, demographics, and information about users' personalities. Other information included ones about health, socio-economic status, ethnicity and religion. – Danielle Sim

Simple setting errors became the main factor in cloud exposure. The company or organization does not explicitly restrict who can access the information stored in the cloud but often sets the wrong configuration. The discovery of these vulnerabilities by a mobile security company also makes problems for iOS and Android applications. – Yansong Wang

Apple might be amping up their security and privacy measures for iOS but they can’t control how third parties are storing their user data. Research by Zimperium just shows that nearly 11877 Android apps and 6608 iOS apps use public cloud service like AWS, Azure or Google Cloud with misconfiguration that could potentially, or already expose personal information, passwords and even medical information. These data are just available to anyone because of how the developers didn’t take proper steps to configure the cloud storage. Some companies have been made aware of the problems but not much has change. - Phuong Ngo

Most dating apps/websites have open sourced data available. Open user data provided by online dating sites can be a blessing and a curse. With more people turning to them during lockdown, the risks to privacy are being exacerbated. — Saurabh Jain

A researcher found five similar vulnerabilities in the kernel of Linux operating systems that can allow an attacker to escalate local privileges on a victim’s network. These flaws could allow an attacker to potentially steal data, run administrative commands or install malware on operating systems or server applications. Not just privilege escalation, but also remote code execution are two types of vulnerabilities that can significantly increase the risk to an organization.- Ye Zeng

A new Ponemon Institute and WhiteSource report on application security indicates that most large enterprise-scale organizations feel that their portfolio of applications has become more vulnerable recently.- Shengwang Zhang

Singapore Airline, the second carrier that reported a data breach. It’s not a direct customer of SITA, an air transport communications and IT vendor that originally met the cyber security attack. However, as a member of Star Alliance, a part of restricted data was shared to Star Alliance group, which involved membership number and tier status.– Mingliao Xu

A Turkish actuarial consultancy which analyzes data to help calculate insurance risk and premiums has inadvertently exposed data on 15,000 cases involving people killed or injured in traffic accidents after a cloud misconfiguration. For each of the 15,000 court cases, the researchers found personally identifiable information (PII) and more details of witnesses, complainants and other parties. Cyber-criminals could also use the data to try and bribe officials and blackmail or threaten individuals, it claimed —— Tingyi Guo

About a half million French people’s sensitive medical data has been stolen and leaked online. DataData can be access from multiple sites, includes many personal information like names, phone number and address. So far these files can be found in seven different places online.— Hehan Xie

Covenant HealthCare's login information was being sold on the dark web in addition to employee email accounts compromised by a password spray attack. Social security numbers, driver's licenses, medical records, and more were accessed by an unauthorized third party. -Michelle Muldoon

A hacker is selling over 500 million Facebook users’ phone numbers through a Telegram bot, which allows matching ID and phone numbers for 533 million Facebook users- Shengwang Zhang

Privacy of 1.6 million Washington state residents was recently compromised. In addition to personal data of people who have filed for unemployment claims, sensitive data held by the Washington state Department of Children, Youth and Families are leaked as well. – Kung-Hsiang (Steeve) Huang

A large-scale cyber attack on a PA law firm potentially exposed health information for ~36,000 patients at the University of Pittsburgh medical center. According to the article, hackers had access to patient sensitive data through employee email accounts. A law firm working with the UPMC confirmed that sensitive data such as names, DOB, SSN, financial account numbers, medical record numbers were all potentially leaked and/or accessed. As of now there is no confirmed evidence that the leaked information was misused and what the blast radius or impact of this breach is, although access to the patient data was indeed confirmed – Tanmay Ghai

Hackers stole the personal information of more than 200,000 patients from Nebraska Medicine using malware. Patient information includes medical records, insurance information, and even social security numbers. The good news is that the leaks haven't yet cost patients anything. – Junbo Sheng

A researcher claims to have hacked into internal systems of major companies including Apple and Microsoft using novel supply chain attack whhich included creating malicious node packages and uploading them to npm registry under unclaimed names and these packages collected information through their preinstallation scripts on th

The presence of web shells is one of the strongest signals of an ongoing cyberattack. The hacker can easily use web shell malware to pull data from billions of emails, applications, endpoints, and identities, but it is difficult for the defender to detect. Microsoft’s security team has reported that the shell malware has nearly doubled since last year, and also they pointed out Internal web applications are often more susceptible to compromise due to lagging patch management or permissive security requirements - Ye Zeng

This could prove to be one of the major privacy-related setbacks of the pandemic. Nebraska Medicine and the University of Nebraska Medical Center have begun notifying patients and employees whose personal information may have been compromised in a data security breach last fall. — Saurabh Jain

Facebook

Facebook forces users to do a Facebook login when they use oculus headsets. Facebook will collect users' data via those headsets, and then use the data to target relevant ads to users. From my point of view, Facebook should show more respect to user privacy. - Jinyu Zhao

Facebook’s Oculus Quest 2 requires a Facebook login, and agreeing to Facebook’s terms of service for the device. Facebook confirmed that users' activity on an Oculus device, such as which apps users use, will be used to target “relevant content” to users, for example ads or Facebook events. -- Kaifan Lu

Social Media and Other Apps and Privacy

As a fast-growing social media platform, there are still many concerns about Clubhouse, including mishandling user data, the uncontrolled purpose for audio rooms, etc. – Congrui Li

With the explosive growth of the audio-based social media app Clubhouse, privacy concerns also merges with it. Including transmitting users' identifiers and identity numbers unencrypted, further revelations followed that Clubhouse discussions were being scraped for an unaffiliated Android app, allowing Android users to listen along in real-time. Researcher also believe that Clubhouse hasn't given adequate thoughts to its security issue because it does not offer end-to-end encryption to its users.- Chengyuan Zhou

While clubhouse has been growing rapidly and gaining more and more users, some privacy and security issues have also emerged. The servers might be monitored by the governments, Clubhouse asks for access to users’ entire contact lists, and many other concerns are associated with the application. – Jiemin Tang

Clubhouse, a recently popular audio-only social network app, raises some concerns about user privacy information. Clubhouse uses an invite-only mechanism to obtain users. It will also grab your contact information for those who aren't members yet. – Yifeng Shi

Clubhouse is an audio-based app that allows users to create and join rooms where all kinds of topics are discussed. If you didn’t give Clubhouse access to your contacts, Clubhouse still has made it possible for them to know anyway, encourages them to follow you. It’s not clear why Clubhouse doesn’t have better options for users to manage their privacy or more information for users about how their data might be used or linked to them.

Clubhouse, a fast-growing, invite-only app on iPhone, seems to be taking users’ contact data further than the norm. The article explained how Clubhouse uses your personal data in a creative and a little creepy way. By uploading your phone’s address book, you will be able to see a list showing you how many “friends on Clubhouse” each of those people already has. – Yilin Zhang

Grindr, Hinge and Halo among many other apps and tech gadgets were tagged 'Privacy not Included' label by the report. The report looks through data collection policies and security posture of 24 dating apps including Tinder and Bumble in the V-Day edition. Dating apps, especially Grindr and POF, are deemed as privacy nightmare since they share biometrics and personal information collected with third parties. - Phuong Ngo

To communicate with others, some people turn to social media, while others use the social networks to take a break from their everyday lives or vent their frustrations. Social media is now playing a part in politics more and more. The channels are now used by politicians, advocacy parties, policymakers, and more as a way to communicate with voters and spread their message. -Supreet Randhawa

Many O.G. usernames on Instagram are stolen by hacking, extortion, blackmail and harassment and been sold. Instagram is coordinating with Twitter and Tiktok to ban this users who are involved in stealing.– Congrui Li

This news tells us about people exposing most of their information over social media making it easier for hackers to do social engineering. The readily available information on social media is being used to do phishing or online fraud. - Aziza Saulebay

Grindr has been fined by the Norwegian Data Protection Authority for sending location and tracking data to advertising companies without user consent. This not only violates European policy, but has dangerous implications for users in countries where homosexuality is illegal. The sanctions will hopefully emphasize the need for dating apps to acquire consent before sharing sensitive user information. - Brianna Heffernen

An Ontario judge has dismissed one proposed class-action lawsuit against Facebook related to the Cambridge Analytica privacy breach, while a second, broader claim remains outstanding. The data breach came to light in 2018 and exploded into a worldwide scandal, and law firms filed class-action lawsuits, including a handful on behalf of Canadian Facebook users. But justice ruled that the plaintiff had no proof that any Canadian user’s data was shared with the British firm. –Yixiang Cao

WhatsApp shares it's new privacy plan clarifying that it does not share personal chats of people to facebook, businesses have the option to use "secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts. - Pratheek Athreya

Facebook plans to have WhatsApp reimplement privacy policy that allows any interaction with businesses on WhatsApp to influence the ads targeted towards you on Facebook. Users have been urged to read the privacy policy since there was miscommunication that Facebook planned to take more data from a user's WhatsApp activity. Rather, they plan on using existing data they have extracted from WhatsApp to generate better ads. Because user's originally believed that it was infringing upon more of their personal data, they began turning towards alternative messaging apps. – Addison Allred

Whatsapp claims that it does not have access to its users private communications but they released a new policy in January that needed its users to agree to its new policy to continue using whatsapp. After facing a lot of backlash due to it, they are planning to re-introduce the updated privacy policy in the coming weeks. The new policy will address people's concerns and the role Facebook plays with whatsapp's data. It is still suspicious that Facebook claims that they get no data from whatsapp whatsoever but there is a usual distrust when it comes to Facebook; given its background. - Pratishtha Sing

WhatsApp made a new announcement, which explains how users can learn about their privacy policy. The new policy focuses on treating business-user message and user-user message differently. The goal of this new policy is possibly to address the rising concerns of WhatsApp sharing data with its parent company, Facebook. – Zihuan Ran

WhatsApp published its new terms and conditions. And users are obliged to accept this if they wish to continue using WhatsApp after February 8 2021. In this new term, Facebook would be having access to millions of user information from WhatsApp. Some countries such as India have filed a petition against WhatsApp saying it is jeopardizing national security. GDPR applicable countries will receive a privacy policy because GDPR is one of the strictest in the world. Therefore, it is not too late to act, and introduce sound privacy legislation now to ensure that app providers have meaningful, clear terms and conditions that will allay doubts and suspicions in the minds of the user. —— Tingyi Guo

Italy ordered Tiktok to block access to users whose age cannot be confirmed. The temporary ban comes after the death of a young girl will last until 15 February. Italy also asked other social networks for clarification on children policy.– Jia-Yu Lee