The Murena: A Semi Dark Phone

June 10, 2022

Mobile phones are outstanding surveillance devices. Forget Google. Technology exists to suck down quite a bit of information no matter what phone one uses. Innovators keep trying to create black phones or completely secure devices. There is a market for these gizmos even if the phones are produced by law enforcement; for example, the ANON.

I noted “The Murena One Shows Exactly How Hard it Is to De-Google Your Smartphone.” The write up is interesting. I noted this passage:

You just can’t have the full Android experience without inviting Google into the equation. Instead, when you log into Google or use its services, Murena tries to mitigate the data Google can collect.

Several observations:

  • Innovators face a similar challenge de-Cooking the iPhone and de-China-ing the Oppo, OnePlus, Xiaomi, and other Middle Kingdom devices
  • The write up makes it clear that Google is the Big Dog when it comes to the Google ecosystem. Not even the Apple has such a lock. For one example of the penetration gap, see this write up.
  • One does not need to expend much effort to access data generated by mobile devices. Those apps? Yep, they are helpful.

How does one avoid leaking data? Some in the European Union use typewriters and carbon paper. Consider that perhaps.

Stephen E Arnold, June 10, 2022

DuckDuckGo: A Duck May Be Plucked

May 25, 2022

Metasearch engines are not understood by most Internet users. Here’s my simplified take: A company thinks it can add value to the results output from an ad-supported search engine. Maybe the search engine is a for-fee outfit? Either way, the metasearch system gets the okay to send queries and get results. The results stream back to the metasearch outfit and the value-adding takes place.

One of the better metasearch systems was the pre-IBM Vivisimo. This outfit sent out queries to an ad-supported search engine, accepted the results, and then clustered them. The results appeared to the Vivisimo user as a results list with some folders in a panel. The idea was that the user could scan the folders and the results list. The user could decide to click on a folder and see what results it contained or just click on a link. The magic, as I understood it, was that the clustering took place in near real time. Plus, the query on the original Vivisimo pre-IBM system could send the user’s query to multiple Web search engines. The results from each search system would be de-duplicated. An interesting factoid from the 2000s is that search systems returned overlapping results 70 percent or more of the time. Dumping the duplicates was helpful. There were other interesting metasearch systems as well, but I am just using Vivisimo as an example of a pretty good one.

Privacy, like security, is a tricky concept to explain.

Using privacy to sell a free Web search system raises a number of questions; for example:

  1. What does privacy in the specific context of the metasearch engine mean?
  2. Where is the money coming from to keep the lights on at the metasearch outfit?
  3. What about log files?
  4. What about legal orders to reveal data about users?
  5. What’s the quid pro quo with the search engine or engines whose results the metasearch system uses?
  6. What part of the search chain captures data, inserts trackers, bugs, cookies, etc. into the user’s query?

None of these questions catch the attention of the real news folks nor do most users know what the questions require to answer. The metasearch engines typically do not become chatty Cathies when someone like me shows up to gather information about metasearch systems. I recall the nervousness of the New York City wizard who cooked up Ixquick and the evasiveness of the owner of the Millionshort services.

Now we come to the notion that a duck can be plucked. My hunch is that plucking a duck is a messy affair for both duck and duck plucker.

“DuckDuckGo Browser Allows Microsoft Trackers Due to Search Agreement” presents information which appears to suggest that the “privacy” oriented DuckDuckGo metasearch system is not so private as some believed. The cited article states:

The privacy-focused DuckDuckGo browser purposely allows Microsoft trackers on third-party sites due to an agreement in their syndicated search content contract between the two companies.

You can read the cited article to get more insight into the assertion that DuckDuck has been pluck plucked in the feathered hole of privacy.

Am I surprised? No. Search is without a doubt one of the most remarkable business segments for soft fraud. How do I know? My partners and I created The Point in 1994, and even though you don’t remember it, I sure remember what I learned about finding information online. Lycos (CMGI) bought our curated search business, and I wrote several books about search. You know what? No one wants to think about search and soft fraud. Maybe more people should?

Net net: Free comes at a cost. One does not know what one does not know.

Stephen E Arnold, May 25, 2022

Using a VPN in India?

May 10, 2022

I read “VPN Providers Are Ordered to Store User Data for 5 or More Years in India.” The land of Khichdi is a fair piece from rural Kentucky. On the other hand, the VPN providers and crypto exchange platforms can be as near as one’s mobile phone or laptop. So what?

The write up points out:

The Indian government has published a directive that will force VPN providers and crypto exchange platforms to store user data for at least five years, even when customers have since terminated their relationship with the companies in question. Decision makers at businesses who don’t comply with the new ruling could face up to one year in prison, with it going into effect in late June 2022.

Yes, just another law. What makes this interesting is that a VPN, according to some enthusiastic promotional material, preserves one’s online privacy. That sounds like a great idea to many people.

What happens if those VPN records are reviewed prior to their deletion by the VPN providers who insist that the users’ data are not preserved? I also like the VPN vendors who suggest that logs are not preserved.

If India’s directive yields some bad actor identification and incarceration, what other countries will use India’s approach as a springboard? The abuse of some online capabilities has been friction free in some places. Russia appears to have some doubts about VPNs. China? Yep, China too.

Perhaps the days of laissez-faire will end with a reprimand from Yama?

Stephen E Arnold, May 10, 2022

Google: Visits to Paris Likely to Increase

April 22, 2022

In an unlikely publication for me, Adweek published an interesting story: “French Sites Ordered to Stop Using Google Analytics Is Just the Beginning.” That title seems ominous. The election excitement is building, but the actions of the Commission Nationale de l’informatique et des Libertés are likely to grind forward regardless of who wins what. The Adweek write up states:

…the French data watchdog—Commission Nationale de l’informatique et des libertés (CNIL)—ordered three French websites to stop using audience analytics site Google Analytics, deeming the site to be illegal under the General Data Protection Regulation.

The article adds:

This means that companies based in Europe using Google Analytics—which reads cookies that are dropped on peoples’ browsers when they visit a site to gauge whether they are a new or returning user—were shipping people’s personal information to the U.S.

Is Google Analytics a problem for CNIL? Probably not for the agency, but the CNIL seems poised to become a bit of a sticky wicket for Googzilla. After years of casual hand slapping, an era of RBF (really big fines) may be beginning. Google executives might find that CNIL can make a call to a fancy Parisian hotel and suggest that the Googlers be given rooms with a less salubrious location, tired decorations, and questionable plumbing. Mais oui! C’est dommage.

On a positive note, Google is taking action itself. Privacy, security, fraud — well, sort of. “Google Sues Scammer for Puppy Fraud” reports:

The complaint … accuses Nche Noel of Cameroon of using a network of fake websites, Google Voice phone numbers, and Gmail accounts to pretend to sell purebred basset hound puppies to people online.

And the conduit for these alleged untoward actions? Google. Now how did Google’s smart software overlook fake websites, issue Google Voice numbers, and permit Gmail accounts used for the alleged bad puppy things? Nope. AARP connected with Googzilla. Yeah, smart software? Nope.

Stephen E Arnold, April 22, 2022

Tim Apple and Unintended Consequences: AirPods?

April 19, 2022

Apple in my opinion emphasizes privacy. (How about the iPhone and the alleged NSO Group Pegasus functionality?) “Ukrainians Are Tracking the Movement of Russian Troops Thanks to One Occupier Looter with AirPods.” I am not sure if the write up is accurate. The source says “truth.” But…

The tracking thing is interesting; for example, phone home malware on an iPhone, an AirTag hidden on a Russian T-14 Armata, or AirPods. Head phones? Yep.

The cited article reports:

A Russian soldier stole [a Ukrainian’s] AirPods (wireless headphones) when looting [the Ukrainian’s] apartment while Russian occupying forces were in Gostomel. Russian soldiers withdrew, but thanks to the technology on Apple devices, Ukrainians can keep track of where their headphones are. Find My technology on Apple devices lets you find the location of a lost device on the map if it’s near Bluetooth smartphones or connected to Wi-Fi.

What can one do with the help of geo-location functions? One idea is to use the coordinates as a target for a semi-smart missile. (This is not a criticism of smart software. It is part of the close enough for horseshoes methods which can often deliver the payload somewhere unintended.)

Now about that Tim Apple privacy thing? Pravda or falsehood?

Stephen E Arnold, April 19, 2022

Does Apple Have a High School Management Precept: We Are Entitled Because We Are Smarter Than You

April 19, 2022

The story “Ex-Apple Employee Takes Face ID Privacy Complaint to Europe” contains information about an Apple employee’s complaint to the “privacy watchdogs outside the US.” I have no insight into the accuracy or pervasiveness of Apple’s alleged abuses of privacy. The write up states:

Gjøvik [the former Apple employee blowing the privacy horn] urges the regulators to “investigate the matters I raised and open a larger investigation into these topics within Apple’s corporate offices globally”, further alleging: “Apple claims that human rights do not differ based on geographic location, yet Apple also admits that French and German governments would never allow it to do what it is doing in Cupertino, California and elsewhere.”

What I find interesting is that employees who go to work for a company with trade secrets are uncomfortable with practices designed to maintain secrecy. When I went to work for a nuclear engineering company, I understood what the products of the firm could do. Did I protest the risks some of those products might pose? Nope. I took the money and talked about computers and youth soccer.

Employees who sign secrecy agreements (the Snowden approach) and then ignore them baffle me. I think I understand discomfort with some procedures within a commercial enterprise. A new employee often does not know how to listen or read between the lines of the official documents. My view is that an employee who finds an organization a bad fit should quit. The litigation benefits attorneys. I am not confident that the rulings will significantly alter how some companies operate. The ethos of an organization can persist even as the staff turns over and the managerial wizards go through the revolving doors.

As the complaint winds along, the legal eagles will benefit. Disenchanted employees? Perhaps not too much. The article makes clear that when high school science club management precepts are operational, some of the managers’ actions manifest hubris and a sense of entitlement. These are admirable qualities for a clever 16 year old. For a company which is altering the social fabric of societies, those high school concepts draw attention to what may be a serious flaw. Should companies operate without meaningful consequences for their systems and methods? Sure. Why not?

Stephen E Arnold, April 19, 2022

Google and Tracking Magic

February 4, 2022

Tracking user locations is baked in to Google’s apps, and that is unlikely to change as long as tracking data (“anonymized,” we are repeatedly assured) remains a valuable source of revenue. CNet considers, “Can You Really Stop Google from Tracking You? Here’s What We Know.” The short answer—you can try. Reporter Kelsey Fogarty writes:

“If you use Google’s apps on your iPhone or Android phone, it’s a good possibility you’re being tracked. And turning off your location history in your Google account doesn’t mean you’re in the clear. Disabling that setting may seem like a one-and-done solution, but some Google apps are still storing your location data. Simply opening the Google Maps app or using Google search on any platform logs your approximate location with a time stamp. In the latest lawsuits against the giant search engine company, Google has been sued by several states due to its use of location data. They allege Google makes it ‘nearly impossible’ for people to prevent their location from being tracked. After a 2018 investigation by the Associated Press, Google added features to make it easier to control what location and other data is saved, and what is deleted with features like Your Data in Maps and Search, which give you quick access to your location controls. However, DC Attorney General Karl Racine said, ‘Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access.’ Google has since defended itself.”

Of course it has. The company points to several measures one can take to “turn off” tracking, insisting control is in the hands of users. However, the write-up hints, there is no guarantee they will actually work. See the article for these methods—they may at least improve one’s odds. Or not. Google does promise one thing: users who turn off tracking will receive a less personalized experience, meaning less relevant ads and less helpful local search. Who needs privacy when one must have the name and number of the closest tapas joint?

Cynthia Murrell, February 4, 2022

With Time and Money You May Be Able to Scrub That Web Content about You

January 25, 2022

What is posted on the Internet stays in the digital ether forever, but occasionally content can be deleted, though only with a lot of work. AIM explains how your Internet breadcrumbs can be deleted in the article, “Online Tools That Help You Remove Your Digital Footprint.” A person’s contact information and interests are the lifeblood of growing businesses. According to the privacy start-up Mine, a survey of 30,000 of its users found that a user’s email was in 350 companies’ databases.

That sounds like a startling statistic, but emails are shared like people used to share cigarettes. Also, mailing houses and phonebooks used to list and sell the same information. Back in analog paper days, people did not have GPSs strapped to their bodies at all times, so it is alarming that we can be tracked at all times and everything we do is recorded. There are ways to combat data collection, such as using privacy browsers like Brave, Firefox, and Duck Duck Go:

“Firefox is a great alternative for web browsing for privacy with its ‘Enhanced Tracking Protection’ that automatically blocks online trackers. Similarly, Duck Duck Go does not track user activity and open tabs and your browsing history can be deleted with a tap. These also include a signal ‘Global Privacy Control’ that sends your “do not sell” preference directly to websites you visit.”

There are also data deletion services. Users can backtrack and ask companies to delete all of their personal data, but it is a tedious task. Instead there are companies users can hire to delete all their personal information. It is like those services that you can hire to remove you from physical junk mail lists.

It makes sense that startups would spring up that specialize in deleting personal information. The idea is genius for a niche market in cyber security, and some of the companies are: Delete Me, Mine, Data Privacy Manager, Ontrack, Rightly, and Privacy bot.

The bigger question is do these companies actually provide decent services or are they a bait and switch? Our take? Parts of Internet indexes are like lice in a college dorm.

Whitney Grace, January 25, 2022

Apple: The Privacy Outfit

January 14, 2022

I have avoided writing about Apple’s handy dandy stalker gadgets. Those are some super special privacy centric gizmos, aren’t they? I will, however, point anyone with an interest in Apple’s privacy approach to “Your iPhone Can Secretly Listen to Conversations with AirPods — Here’s How.” Good actors and bad actors may get some surveillance ideas. The article says:

Apple’s Live Listen feature lets you hear someone speaking around 50 feet away.

That’s handy, isn’t it?

Allegedly the system works with AirPods, AirPods Pro, AirPods Max, Powerbeats Pro or Beats Fit Pro.

For the how to, absorb the information in the article, which includes illustrative screen shots. Yep, Apple is definitely into profits, ooops, I meant privacy.

Stephen E Arnold, January 14, 2022

Interesting Dating App Not Publicly Loved by the EU

January 13, 2022

Anyone wishing to keep up with decisions regarding the EU’s General Data Protection Regulation (GDPR) can turn to the GDPRhub wiki. Unfortunately, articles posted there are not always the easiest to read, especially after being machine-translated from one language to another. We slogged through the tortured prose in Norway authority Datatilsynet’s article 20/02136-18 regarding a recent fine imposed upon Grindr. The introductory summary states:

“In January 2020, the Norwegian DPA received 3 complaints against Grindr from the Norwegian Consumer Council (NCC) in collaboration with noyb [European Center for Digital Rights] regarding the sharing of data between the Grindr app and advertising partners MoPub, Xandr, OpenX Software, Ad Colony and Smaato. The complaint was based on the report ‘out of control’ prepared by the company mnemonic, and commissioned by the NCC. The NCC’s inquiry showed that Grindr shared certain categories of personal data to several advertising partners, including advertising ID, IP address, GPS, location, gender, age, device information and app name. The data was shared through software development kits (SDKs).”

The rest of the post outlines the technical details about the case, including issues of jurisdiction, guideline violations, and assessment of the 65,000,000 NOK ($7,345,000) fine. The key issue is Grindr’s user agreement, which did not give users enough control over their personal data to meet GDPR requirements. See the article for an extensive discussion of that reasoning. Basically, it looks like Grindr just did what it wanted and assumed it could beg for forgiveness. It was sadly mistaken. Let this be a lesson to other companies looking to distribute their apps in Europe. Fines that Google, Facebook, and Amazon weather as a matter of course could break smaller outfits.

Cynthia Murrell, January 11, 2021
