USC Data Science Program 529 (DSci 529): Security and Privacy in Informatics - Spring 2021
Lecture Friday - Noon to 3:20 PM
Clifford Neuman
Current Events for March 19th 2021
Social Media
Facebook and Twitter algorithms incentivize people to get enraged - Max Zahn & Andy Serwer, Yahoo! Finance, 10 March 2021
Facebook, Google, and Twitter CEOs will appear in front of a US House Subcommittee to face questions regarding the spread of misinformation surrounding COVID-19 and the 2020 Election. Walter Isaacson, who wrote Steve Jobs' biography, has said that social media algorithms and their advertising platforms are built to "spin users out of control" and incentivize sharing and viewing extremist and misinformation posts. Facebook and Instagram are under harsh criticism for recommending false content regarding COVID-19 and the 2020 election, with advertisers boycotting Facebook as a result. – Danielle Sim
Twitter Updates 2FA to Enable Use of Multiple Security Keys - Michael Hill, INFO SECURITY MAGAZINE March 15, 2021
After Twitter first updated its 2FA in December 2020, on March 15 Twitter announced that it has updated its two-factor authentication to allow users to enroll and log in with more than one physical key on both mobile and web. Until March 15, it allowed only one key per account. Furthermore, Twitter explained that users will also soon have the option to add and use security keys as their only authentication method. – Hehan Xie
Security Researcher Hides ZIP, MP3 Files Inside PNG Files on Twitter - Elizabeth Montalbano, threatpost, 03/18/2021
The newly discovered steganography method could be exploited by threat actors to obscure nefarious activity inside photos hosted on Twitter. The reason why this method was successful is that while Twitter strips unnecessary data from PNG uploads, they don’t remove trailing data from the DEFLATE stream inside the IDAT chunk if the overall image file meets the requirements to avoid being re-encoded. – Yilin Zhang
Data Breaches and Vulnerabilities
Malware Spread through Phishing Emails - Danny Palmer, ZDNet 18/03/2021
A joint advisory between the FBI and CISA has issued a caution report against Trickbot. Trickbot is one of the most powerful forms of malware and it may spread through your emails now. – Sharad Narayan Sharma
Microsoft Exchange Hack Could Be Worse Than Solar Winds, Data Center Knowledge 03/10/21
60,000 organizations have been compromised by the latest Microsoft Exchange hack, and roughly 250,000 servers are vulnerable. The attacks allow unparalleled access, and in some cases result in backdoor super-admin accounts, which means changing passwords is no longer enough. The servers are accessible via the internet, which makes this incredibly dire and difficult to handle. - Griffin Weinhold
White House Weighs New Cybersecurity Approach After Failure to Detect Hacks
By David E. Sanger, Julian E. Barnes and Nicole Perlroth, New York Times, 03/14/2021
The hacks against the government and industrial targets in the United States started internally and went undetected by the intelligence agencies. They were eventually detected by private computer firms. This failure in detection is driving the Biden administration and the Congress to reconsider the way the nation protects itself from cyberthreats. One approach is for government agencies to work with the private companies to set up a real-time threat sharing arrangement where the private companies send the data to a central database and government agencies pair it with intelligence data for earlier warning.
- Arzu Karaer
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
- William Turton, Bloomberg March 10. 2021
Verkada, a company that collects data from security cameras, was recently under cybersecurity attacks. Footage of prisons, schools, police departments, and many other public places is exposed. Companies that use Verkada's service, such as Tesla and Cloudflare, are also subject to the attack. – Kung-Hsiang (Steeve) Huang
Surveillance Camera Hack Raises Legal Risk of Digital Device Use - Andrea Vittorio, Bloomberg Law, March 15, 2021
A tech company called Verkada Inc that specializes in video security has been hacked recently. As a result, the hackers could access live feeds of 150,000 surveillance cameras. This incident may hasten the process of state and federal legislation to better regulate IoT devices. – Junbo Sheng
Thousands of Android and iOS Apps Leak Data From the Cloud - Lily Hay Newman, Wired 3/4/21
Mobile security firm Zimperium found that 14 percent of over 18000 Android and iOS apps were exposing users' personal information and even medical and financial data due to setup errors and misconfiguration. Though cloud providers like AWS are making an effort to detect possible misconfiguration, reaching the right person within the organization is a big obstacle. These apps include the mobile wallet of a Fortune 500 company and a transportation app from a large city. - Sidong Wang
Rise in Healthcare Data Breaches Driven by Ransomware Attacks - Scott Ikeda, CPO Magazine 3/18/21
There have been increased cyber-attacks in the healthcare industry. Part of the reason is that medical records contain a lot of information about the patient, and the value of such records has grown on the dark web markets. Among the attacks, ransomware attacks account for more than half of the healthcare data breaches in 2020. – Jiemin Tang
Hack halts beer! - Ben Gilbert, Insider March 11 2021
Molson Coors, America's second largest beer producer, had to stop operations due to a cybersecurity breach. The hack impacted operations technology systems such as shipping and the brewery production. This underscores the point that companies big and small, within information technology or not, are all targets of intrusion. – Francisco Ventura
Location tracking apps and privacy implications - Mirco Musolesi & Benjamin Baron, EurekAlert, 5 March 2021
Two researchers carried out the first extensive field study to shed light on the issue and to identify exactly which information is being collected when users grant permissions to apps. Thanks to machine learning techniques, these data provide sensitive information such as the place where users live, their habits, interests, demographics, and information about users' personalities. Other information included ones about health, socio-economic status, ethnicity and religion. – Danielle Sim
Thousands of Android and iOS Apps Leak Data From the Cloud - LILY HAY NEWMAN, The Wired, 03/04/21
Simple setting errors became the main factor in cloud exposure. The company or organization does not explicitly restrict who can access the information stored in the cloud but often sets the wrong configuration. The discovery of these vulnerabilities by a mobile security company also makes problems for iOS and Android applications. – Yansong Wang
Thousands of Android and iOS apps leak data from the cloud - Lily Hay Newman, Wired 3/4/21
Apple might be amping up their security and privacy measures for iOS but they can’t control how third parties are storing their user data. Research by Zimperium just shows that nearly 11877 Android apps and 6608 iOS apps use public cloud services like AWS, Azure or Google Cloud with misconfiguration that could potentially expose, or already exposes, personal information, passwords and even medical information. These data are just available to anyone because of how the developers didn’t take proper steps to configure the cloud storage. Some companies have been made aware of the problems but not much has changed. - Phuong Ngo
Online dating platforms: privacy challenge and open-data goldmine - E&T Engineering and Technology, March 4th, 2021
Most dating apps/websites have open sourced data available. Open user data provided by online dating sites can be a blessing and a curse. With more people turning to them during lockdown, the risks to privacy are being exacerbated. — Saurabh Jain
Researcher finds 5 privilege escalation vulnerabilities in Linux kernel - Derek B. Johnson - SC Media 02/03/2021
A researcher found five similar vulnerabilities in the kernel of Linux operating systems that can allow an attacker to escalate local privileges on a victim’s network. These flaws could allow an attacker to potentially steal data, run administrative commands or install malware on operating systems or server applications. Not just privilege escalation, but also remote code execution are two types of vulnerabilities that can significantly increase the risk to an organization. - Ye Zeng
Over 70% organizations say their portfolio is more vulnerable - Scott Ikeda, 03-02-2021
A new Ponemon Institute and WhiteSource report on application security indicates that most large enterprise-scale organizations feel that their portfolio of applications has become more vulnerable recently. - Shengwang Zhang
Singapore Airlines frequent flyer members hit in third-party data security breach - Eileen Yu, ZDNet 03/04/2021
Singapore Airlines is the second carrier that reported a data breach. It’s not a direct customer of SITA, an air transport communications and IT vendor that originally met the cyber security attack. However, as a member of Star Alliance, a part of restricted data was shared to Star Alliance group, which involved membership number and tier status. – Mingliao Xu
Legal Firm Leaks 15,000 Cases Via the Cloud - Author: Phil Muncaster, Source: infosecurity magazine, Date:2/24/2021
A Turkish actuarial consultancy which analyzes data to help calculate insurance risk and premiums has inadvertently exposed data on 15,000 cases involving people killed or injured in traffic accidents after a cloud misconfiguration. For each of the 15,000 court cases, the researchers found personally identifiable information (PII) and more details of witnesses, complainants and other parties. Cyber-criminals could also use the data to try and bribe officials and blackmail or threaten individuals, it claimed. – Tingyi Guo
Medical Data of 500,000 French Residents Leaked Online - Sarah Coble, Infosecurity Feb 24, 2021
About a half million French people’s sensitive medical data has been stolen and leaked online. Data can be accessed from multiple sites and includes much personal information like names, phone numbers and addresses. So far these files can be found in seven different places online. – Hehan Xie
45,000 people's personal info exposed in Michigan hospital data breach - Caitlyn French, MLive, 2/25/21
Covenant HealthCare's login information was being sold on the dark web in addition to employee email accounts compromised by a password spray attack. Social security numbers, driver's licenses, medical records, and more were accessed by an unauthorized third party. -Michelle Muldoon
Hacker sells data for 500 million Facebook users through telegram bot - Alicia Hope, 02-05-2021
A hacker is selling over 500 million Facebook users’ phone numbers through a Telegram bot, which allows matching ID and phone numbers for 533 million Facebook users. - Shengwang Zhang
Data breach exposes 1.6 million Washington state residents who filed unemployment claims in 2020 - Kurt Schlosser, GeekWire Feb 1. 2021
Privacy of 1.6 million Washington state residents was recently compromised. In addition to personal data of people who have filed for unemployment claims, sensitive data held by the Washington state Department of Children, Youth and Families are leaked as well. – Kung-Hsiang (Steeve) Huang
Law Firm Data Breach Impacts UPMC Patients - Sarah Coble, InfoSecurity Magazine, 2/5/21
A large-scale cyber attack on a PA law firm potentially exposed health information for ~36,000 patients at the University of Pittsburgh medical center. According to the article, hackers had access to patient sensitive data through employee email accounts. A law firm working with the UPMC confirmed that sensitive data such as names, DOB, SSN, financial account numbers, medical record numbers were all potentially leaked and/or accessed. As of now there is no confirmed evidence that the leaked information was misused and what the blast radius or impact of this breach is, although access to the patient data was indeed confirmed – Tanmay Ghai
Nebraska Medicine-UNMC patients concerned about hackers getting information - Brian Mastre, 6 News, Feb 9, 2021
Hackers stole the personal information of more than 200,000 patients from Nebraska Medicine using malware. Patient information includes medical records, insurance information, and even social security numbers. The good news is that the leaks haven't yet cost patients anything. – Junbo Sheng
Researcher hacks into internal systems of Microsoft and Apple - Sarah Coble, Source(Info Security Magazine) Date: 10 Feb 2021
A researcher claims to have hacked into internal systems of major companies including Apple and Microsoft using a novel supply chain attack which included creating malicious node packages and uploading them to npm registry under unclaimed names and these packages collected information through their preinstallation scripts on th
Microsoft: web shell attacks have doubled over the past year - Derek B. Johnson - SC Media 02/18/2021
The presence of web shells is one of the strongest signals of an ongoing cyberattack. The hacker can easily use web shell malware to pull data from billions of emails, applications, endpoints, and identities, but it is difficult for the defender to detect. Microsoft’s security team has reported that the shell malware has nearly doubled since last year, and they also pointed out that internal web applications are often more susceptible to compromise due to lagging patch management or permissive security requirements. - Ye Zeng
Nebraska health system notifying patients of data breach - AP News, February 10th, 2021
This could prove to be one of the major privacy-related setbacks of the pandemic. Nebraska Medicine and the University of Nebraska Medical Center have begun notifying patients and employees whose personal information may have been compromised in a data security breach last fall. — Saurabh Jain
Blaze Destroys Servers at Europe's Largest Cloud Services Firm - Richard Lough - Reuters - Mar 10, 2021
Two days after declaring a potential IPO, the largest cloud service provider in Europe, OVHcloud, has one of its data centers on fire. The blaze destroyed one of the four server sites in the Strasbourg centre and damaged another, with the remaining two sites shut down for safety. Clients affected include the Centre Pompidou and cryptocurrency exchange Deribit. The French cloud provider has not provided any further comment on potential causes, or on whether the fire is related to any safety protocols. – Zihuan Ran
Data Sharing
Uber and Lyft will share driver's info to protect their passengers - Phil Muncaster, Infosecurity magazine 03/15/21
Uber and Lyft will be sharing information on a pool of driver's personal information to prevent violence and sexual/physical assault of their passengers. It will enable the companies to view which drivers and delivery persons have been deactivated due to this kind of accidents. - Aziza Saulebay
Google
Google antitrust lawsuit amended to target Chrome’s Privacy Sandbox - K. Holt, Engadget 3/16/2021
An antitrust lawsuit against Google which focuses on Google's advertising tech has been updated because Google plans to block third-party tracking cookies in Chrome by 2022. The lawsuit accuses that the move would be against the interests of smaller publishers such as local newspapers. However, Google thinks the lawsuit mischaracterizes many aspects of their business and argues that privacy advocates, advertisers, and their own rivals are welcomed to the steps Google is taking with the Privacy Sandbox. - Yi Jin
Google Nest 2 home device tracks body activity in bed - Cristina Criddle, BBC NEWS Feb, 9, 2021
The new Google Nest Hub will track users' body activity in bed to generate personalised sleep-tracking reports. Google said the new features had been "built with privacy in mind”. People still are concerned about the exploitation of personal data. – Jia-Yu Lee
Google says it won't pursue a cross-site tracking after phasing out cookies
- Joseph Duball, IAPP 3.3, 2021
Google has protected users’ info very well and almost none is exposed to public during these years. Google abandons tracking third-party cookies while shifting to a privacy-focused first-party data model. As consumer expectations for privacy rise, Google believes solutions that use personal identifiers are not a sustainable long-term investment. – Bolong Pan
Google is policing itself on privacy because it knows it has to. - N. Ingraham, engadget 3/4/2021
Google claims that it won’t use any new identifiers made by third parties. The company is working to protect anonymity while still delivering results for advertisers and publishers. These new ad policies reflect a changing industry -- and a potential move to sidestep government regulation. – Rosy Zhou
Google says Chrome cookie replacement plan making progress -via AP news wire, Independent. Jan.25, 2021
Google announced that third-party cookies in Chrome will be removed while a new technology that considers groups of users' data without users' individual identifiers will be used for advertisement. -Gan Xin
Google addresses customer data protection, security in Workspace -Charlie Osborne, ZD Net, Mar. 2nd 2021
A Data Protection Impact Assessment published by Dutch data protection authorities announced that the data handling in Google Workspace contains “ten privacy risks” and lacks transparency of how data was processed by Google. Problems including potential legal gray areas surrounding both the tech giant and
Google Begins to Integrate Stricter Privacy Policies - N. Ingraham, Engadget March 4, 2021
Google is striving to implement stricter policies in regards to their users' privacy due to the backlash and lawsuits that have been filed against them. Google wants to make their data that they collect be more anonymous, and release less personal level data to advertisers. Google will also no longer try and support as many cookies as they currently do during the second quarter of the fiscal year. – Addison Allred
Google Privacy Sandbox added to US antitrust complaint - Danny Bradbury, ITPro. 03/17/2021
A group of US states has extended an antitrust complaint against Google, addressing its move to a new advertising tracking method. The plaintiffs - 13 states and the Commonwealth of Puerto Rico - have taken issue with Google's plan to replace third-party cookies in Chrome, crashing the move as cementing approach that forces advertisers to do business with Google. The refreshed complaint argues that, whilst Google’s latest update may enhance privacy for users, it could also push more advertisers to rely on Google’s suite of ad products, thus reinforcing the company’s grip of the market. – Lei Gao
Other, e.g. Security Technologies
Netflix Introduces Measures to Prevent Password Sharing - Author: James Coker, Source: Infosecurity Magazine, Date:3/12/2021
Recently, Netflix has introduced trial measures to try and prevent the practice of password sharing with multiple households. In the trial, users can verify if they are eligible to access a particular account according to Netflix's terms of service, via a code sent via text or email. Jake Moore, a cybersecurity specialist at ESET, said: it is unrealistic to expect that people are going to stop sharing their accounts completely, so my advice would be to regularly change your passwords in order to flush out anyone who has gained access over the last year who shouldn't have. – Tingyi Guo
It’s an NFT Boom. Do You Know Where Your Digital Art Lives? - Brady Dale, Coindesk, 23 February 2021
Non-fungible tokens, built on the Ethereum blockchain, are a way to prove ownership of digital art and collectibles. But what happens when the file, storage solution, or issuing organization is taken offline? How does the NFT prove ownership if the location of the asset changed? This article calls for a standard on how NFT media is permanently persisted to resolve data ownership.
Consider Your Data Privacy When Making MyHeritage 'Deepfakes' - David Murphy, LifeHacker 03/03/2021
A website MyHeritage launched a “Deep Nostalgia” tool to create realistic deepfake animations from images. The tool is designed for getting an idea of what a person might have been as a living human being from an old photo. However, using this tool may also cause exposure to data privacy. – Haonan Xu
The Pandemic and Privacy
Global Vaccine Passport Raise Concerns Over Privacy and Inequity - Aishwarya Jagani, Digital Privacy, 18th March 2021
As governments and airlines worldwide prepare to issue “vaccine passports” — digital details of a person’s COVID-19 immunization status — critics expressed fears that these digital passes could put sensitive medical and health data in the hands of authorities and law enforcement, endangering the privacy of millions of citizens. - Nana Andriana
Why COVID-19 "vaccine passports" could be "Pandora's box" for data privacy and ethical issues -Barry Collins, Forbes, Feb 10, 2021
Covid-19 vaccination passport might raise ethical concerns such as potential discrimination against those without vaccination and data privacy issues – Yifeng Shi
Colleges That Require Virus-Screening Tech Struggle to Say Whether It Works
By Natasha Singer and Kellen Browning, New York Times, 03/02/2021
As campuses around the US are reopening, hundreds of colleges and universities are adopting technologies such as fever scanners, symptom checkers, wearable heart-rate monitors and other new Covid-screening technologies. These tools often cost less than frequent virus testing of all students. Even though these technologies help colleges in showcasing their pandemic safety efforts, their usefulness in identifying possible cases and their effectiveness in preventing the spread are in question.
- Arzu Karaer
Receiving COVID-19 vaccine does not enroll you in a government tracking system or medical experiment
By Noah Y. Kim February 26, 2021
A viral video shows a doctor accusing the U.S. government of testing out COVID-19 vaccines on the general population and involuntarily entering recipients into a tracking system. The article fact checks the claims made by the doctor and gives proof of how invalid this claim is and what the actual story is. -Supreet Randhawa
COVID19 Vaccine Phishing Scams Surge 26% in Three Months - Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine
Vaccine-related phishing jumped 26% in a recent three-month period. It shows that criminals adjusted and intensified their campaigns according to real-world news events and public awareness. What's more, they also improved their email tactics to bypass gateways and spam filters. -zheyu ren
Remote Learning
5 minutes with Kelvin Coleman - Remote learning and data privacy issues. - Maria Henriquez, securitymagazine.com 3/18/2021
The education space has become a major target for cybercriminals. CISA and the FBI recently issued a joint statement warning K-12 schools of worsening dangers in 2021 after a recent 57% spike in ransomware attacks in the sector. – Rosy Zhou
Privacy Regulation and other Government Regulation
California Passes New Regulation Banning 'Dark Patterns' Under Landmark Privacy Law - Brianna Provenzano, Gizmodo Mar 15, 2021
The California Consumer Privacy Act (CCPA) conducts additional stricter regulations and laws in privacy protection in California. Recently new regulations were approved to ban the ‘Dark Patterns’ — tricks in websites or apps that frustrate or bamboozle users into doing things they wouldn’t normally do. Users are annoyed a lot by those tactics, usually being almost forced to see some advertisements, subscribe to some content or consent to grant some privacy privileges. These new regulations can help to improve the user experience and web environment and can help to better protect users’ privacy as well. – Lingyu Ge
House Democrat introduces data privacy bill - Author(CHRIS MILLS RODRIGO), Source(THE HILL) Mar 10, 2021
Rep. Suzan DelBene reintroduced legislation Wednesday aimed at creating a national standard for data privacy.
The legislation would require businesses to get affirmative consent from users before sharing their sensitive information, like financial account numbers, health information or SSNs.
It would also let users opt-out of the collection of other nonsensitive data.
The Need for a Strong Privacy Law
- Marc Rotenberg, The New York Times 3.15, 2021
A baseline federal privacy law should make clear the responsibilities for those companies that choose to collect and use personal data. And the law should establish clear rights for those whose personal data is held by others. Every effort should be made to minimize the collection of personal data where possible.– Bolong Pan
Twos Company: Virginia Has a Comprehensive Data Privacy Law - Aaron Burstein, Alysa Zeltzer Hutnik & Rod Ghaemmaghami, Ad Law Access Blog 3/2/2021
The post points out Virginia has become the second state that enacts comprehensive privacy legislation after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA). This post takes a look at the VCDPA provisions that are novel and require close attention by companies. The new ground of the bill is that it includes a category called "sensitive data" which can only be processed with users' consent. - Yi Jin
Virginia governor signs comprehensive data privacy law - Rebecca Klar, The Hill 03/02/21
Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. The bill will give consumers the right to opt out of having their personal data processed for targeted advertising and the right to confirm if their data is being processed. Other states are also considering data privacy proposals. –Yixiang Cao
Massachusetts managed to write rules on facial recognition
- Kashmir Hill New York Times 02/27/21
Massachusetts is one of the first states to put legislative guardrails around the use of facial recognition technology in criminal investigations. The state managed to strike a balance on regulating the technology, allowing law enforcement to harness the benefits of the tool, while building in protections that might prevent the false arrests that have happened before.
- Aziza Saulebay
Apple
Seriously, stop sharing your vaccine cards on social media -- Samantha Murphy Kelly, CNN Business, 03/18/2021
There has been a huge wave of sharing vaccine card on social media recently, which poses significant security and privacy risks, warned by multiple government agencies. The card contains a combination of sensitive personal and medical information, including name, date of birth, medical record number, vaccine lot number, clinic location and the brand of vaccination received, which provides a breeding ground for identity thefts and phishing. A cybercriminal could, for example, attempt to call your healthcare company to learn about your medical history or diagnoses, cancel upcoming procedures, change prescription doses and more. — Haipeng Yu
TikTok wants to keep tracking iPhone users with state-backed workaround - Patrick McGee and Yuan Yang, Financial Times, 3/16/21
China's big tech companies such as Tencent and ByteDance are working to bypass some of Apple's new privacy policies in order to continue their tracking of iPhone users for targeted advertising. In recent times, Apple has released new legislation to give users more "privacy", and a part of that is a permission/opt-out feature for when they are allowed to track data. As a response, the China Advertising Association has launched a new tracking initiative called CAID and is backing ByteDance, in particular, to help them continue to track users with this workaround. – Tanmay Ghai
Apple warns Chinese apps not to dodge its new privacy rules - Yuan Yang, Financial Times, Mar 13, 2021
Apple wants to enforce user privacy regulation of apps. Chinese tech companies usually create device identifiers via "set Device Name". Apple wants to stop them from creating device identifiers. Chinese tech companies created a new way that creates identifiers in the cloud, then creates parameters in the device. It is like a cat-and-mouse game. - JY(Jinyu) Zhao
Facebooks Privacy Battle With Apple - Jason Aten, February 28, 2021
With Apple's new privacy restrictions that it will place with iOS 14, Facebook pushes back against the restrictions that it will place on Apple devices. The main privacy restriction that Facebook is against is Apple requiring that users must agree to give Facebook access to their location. Facebook claims that this will hurt their business model of promoting to small businesses in particular since they will no longer be able to identify what small business companies are currently closest to the user if they don't have the users current location. - Addison Allred
First Malware Designed for Apple M1 Chip Discovered in the Wild - Ravie Lakshmanan, The Hacker News, 2-18-2021
Despite being only recently released, there is already a piece of malware similar to Pirrit that is able to infect the device. Despite being a natively x86 compatible malware, it has been modified to run on the M1's ARM architecture and allow the download and install of unwanted applications ie the GoSearch22 adware. Although GoSearch22 has had its certificates revoked, it had the ability, when valid, to disguise itself as a legitimate browser and collect browsing data as well as pop up random advertisements and download more malware. This is the first of what is likely to be many compromises of Apple's newly designed CPU. -Vartan Batmazyan
Zuckerberg: Facebook may actually be in a ‘stronger position’ after Apple’s iOS 14 privacy changes - Salvador Rodriguez, CNBC, Mar. 18, 2021
Facebook CEO Mark Zuckerberg said that the privacy update to iOS 14 will help Facebook to be in a good position by their new commerce products. Facebook used to announce that updates on iOS 14 lead to a more than 50% drop in its Audience Network advertising business. – Congrui Li
Apple’s New Privacy Labels May Not Always Be Correctly Applied - Scott Ikeda, CPO Magazine, 02/12/2021
- The privacy labels of some Apple apps were found to not accurately represent the information collected, tested by a number of media sources
- The main issue is due to Apple's not checking each and every app submitted to the store for compliance
- It seems like Apple’s new privacy labels may rely strongly on “community policing” to be truly effective, if not properly handled
- Haipeng Yu
iOS 14.4 update fixes iPhone security bugs, so it’s best to install it ASAP - The Verge>New iPhone update fixes actively exploited vulnerability - Mitchell Clark, The Verge January 26 2021
As discussed in lecture, security mechanisms are what realize security policy. In its most recent patch notes, Apple disclosed an 'arbitrary code execution' bug. This kind of flaw allows hackers to bypass security mechanisms and unfortunately it was seen 'actively exploited'. – Francisco Ventura
What We Learned From Apple’s New Privacy Labels - Brian X. Chen, New York Times,Jan. 27, 2021
APPLE store requires application manufacturers to list labels to indicate how the application will use the collected data to process customer information, which will also cause confusion for other applications. How to Read Apple’s Privacy Labels become important.
– Jinglun Chen
Apple and Facebook at odds over privacy move that will hit online ads - Alex Hern, theguardian.com, Jan 28, 2021
Apple decided to release a new feature called App Tracking Transparency (ATT) in "early spring". This will require apps to ask for users' permission in order to track them around the web. Facebook said Apple was pushing for "anti-personalized ads and will take the world back 10 or 20 years", they believe "ATT" will kill small businesses by preventing them from advertising to would-be customers. Also, Facebook targets a number of other features of iOS that are applied unfairly. A new set of "privacy nutrition labels" requires Facebook to list the types of data it collects while apps provided by Apple like iMessage do not display the same info. - Xihao Zhou