Another Lilting French Cash Register Chime

January 2, 2023

An outfit called SC Magazine reported that the French cash register — you know, the quaint one with brass letters and the cheery red enamel — has chimed again. “Microsoft Fined $64 Million by France over Cookies Used in Bing Searches” reports:

France’s privacy watchdog fined Microsoft €60 million ($64 million) for not offering clear enough instruction for users to reject cookies used for online ads, as part of the move to enforce Europe’s tightening data protection law.

The write up noted:

Microsoft has been ordered to solve the issue within three months by implementing a simplified cookie refusal mechanism, or it could face additional fines of €60,000 a day…

It seems that some US companies do not take those French and EU regulations seriously. My suggestion to the Softies: France is not the US. Get on a couple of special lists and you may find some quality time in a glass room at CDG next time you visit. The good news is that US embassy personnel can visit you without too much red tape bedecking those gray suits.

Stephen E Arnold, January 2, 2023

On the Path of a Super App for Crime

December 14, 2022

I know I am in the minority. In fact, I may be the only person in Harrod’s Creek, Kentucky, thinking about Telegram and its technical evolution. From a humble private messaging service, Telegram has become the primary mechanism for armchair experts to keep track of Russia’s special operation, send secret messages, and engage in a range of interesting pursuits. Is it possible to promote and sell CSAM via an encrypted messaging app like Telegram? Okay, that’s a good question.

I noted another Telegram innovation which has become public. “No-SIM Signup, Auto-Delete All Chats, Topics 2.0 and More” explains that a person can sign up for the encrypted messaging service without having a SIM card and its pesky identifiers tagging along. To make sure a message about a special interest remains secret, the service allegedly deletes messages on a heartbeat determined by the Telegram user. The Telegram group function makes it possible for those who join a group to discuss a “special” interest to break up a group into sub groups. The idea is that a special interest group has special special interests. I will leave these to your imagination in the event you are wondering where some of the i2p and Tor accessible content has gone in the last few years.

As Telegram approaches super app status for certain types of users, keep in mind that even the Telegram emoji have some new tricks. That little pony icon can do much more.

Stephen E Arnold, December 14, 2022

A Digital Schism: Is It the 16th Century All Over Again?

December 12, 2022

I noted “FBI Calls Apple’s Enhanced iCloud Encryption Deeply Concerning As Privacy Groups Hail It As a Victory for Users.” I am tempted to provide some historical color about Galileo, Jesuits, and infinitesimals. I won’t. I will point out that schisms appear to be evident today and may be as fraught as those when data flows were not ripping apart social norms. (How bad was it in the 16th century? Think in terms of toasting in fires those who did not go with the program. Quite toasty for some.)

The write up explains:

Apple yesterday [December 7, 2022] announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, contacts, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy.

Who is in favor of Apple’s E2EE push? The article says:

We [the Electronic Frontier Foundation] applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. Encryption is one of the most important tools we have for maintaining privacy and security online. That’s why we included the demand that Apple let users encrypt iCloud backups in the Fix It Already campaign that we launched in 2019.

Across the E2EE chess board is the FBI. The article points out:

In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it’s “deeply concerned with the threat end-to-end and user-only-access encryption pose.” The bureau said that end-to-end encryption and Apple’s Advanced Data Protection make it harder for them to do their work and that they request “lawful access by design.”

I don’t have a dog in this commercial push for E2EE encryption which is one component in Apple’s marketing of itself as the Superman/Superwoman of truth, justice, and the American way. (A 30 percent app store tariff is part of this mythic set up as well.) I understand the concern of the investigators, but I am retired and sitting on the sidelines as I watch the Grim Reaper’s Rivian creep closer.

Several observations:

  1. In the boundary between these two sides or factions, the emergent behavior will get around the rules. That emergent behavior is a consequence of apparently irreconcilable differences. The impact of this schism will reverberate for an unknown amount of time.
  2. Absolutism makes perfect sense in a social setting where one side enjoys near total control of behavior, access, thoughts, etc. However we live in a Silicon Valley environment partially fueled by phenomenological existentialism. Toss in the digital flows of information, and the resulting mixture is likely to be somewhat unpredictable.
  3. Compromise will be painful but baby steps will be taken. Even Iran is reassigning morality police to less riot inducing activities. China has begun to respond to increasingly unhappy campers in lock down mode. Like I said, baby steps.

Net net: Security and privacy are a bit like love and Plato’s chair. Welcome to the digital Middle Ages. The emergent middle class may well be bad actors.

Stephen E Arnold, December 12, 2022

Study Concludes Apple Privacy Promises a Sham, Lawsuit Follows

December 2, 2022

Apple would have us believe it is a bastion of privacy protection. Though it talks a good game, Techdirt reports, “Apple Sued After Another Study Finds Its Well-Hyped Privacy Standards Are Often Theatrical.” Researchers at software firm Mysk found Apple’s data tracking basically ignores privacy settings altogether. The study prompted a lawsuit (pdf) under the California Invasion of Privacy Act. Writer Karl Bode notes:

“This isn’t the first time Apple’s new privacy features have been found to be a bit lacking. Several studies have also indicated that numerous app makers have been able to simply tap dance around Apple’s heavily hyped do not track restrictions for some time, often without any penalty by Apple months after being contacted by reporters. That’s a notably different story than the one Apple has gotten many press outlets to tell. Apple desperately wants to differentiate its brand by a dedication to privacy (as you might have noticed from the endless billboards that simply say: ‘Privacy. That’s iPhone.’). And while the company may certainly be better on privacy than many other large tech giants, that’s simply not saying much.”

Good point. The lawsuit observes that details about app usage can be “intimate and potentially embarrassing.” Not to mention financially sensitive. This is why some of us have refused to bring our devices into every aspect of our lives; a suspicious nature pays off occasionally. Yep, Apple privacy… a bit lacking. No kidding?

Cynthia Murrell, December 2, 2022

Brave Tells Truth About DuckDuckGo Privacy

August 12, 2022

DuckDuckGo advertises itself as the only search engine that protects users’ privacy. While that used to be true, unfortunately it is no longer the case. The Register explains the details in, “Brave Roasts DuckDuckGo Over Bing Privacy Exception.” Brendan Eich is the CEO of Brave, an Internet browser that blocks trackers, cookies, creepy ads, and simplifies privacy. Brave even boasts it can outmaneuver Mozilla Firefox, describing its services as limited. Eich stated that DuckDuckGo allows Microsoft Bing and LinkedIn trackers in its Android, macOS, and iOS browsers.

Eich pointed out that DuckDuckGo’s contract with Microsoft exempted LinkedIn and Bing from being blocked. DuckDuckGo claims Eich exaggerated the claim and he was referring to ad clicks. The search engine said its ads remain private. Privacytests.org tested Brave’s assertion and they could only test the Android versions. Brave did block more ads and link tracking than DuckDuckGo. Arthur Edelstein runs privacytests.org and works for Brave. He claimed that he created privacytests.org before his Brave employment and that his tests are objective.

While the tests about Brave and DuckDuckGo might be biased, Big Tech can circumnavigate privacy blockers:

“In other words, here’s how you route around privacy protections to measure your ads, whether people want this or not. Back in 2012, when Google agreed to pay a $22.5 million civil penalty to settle Federal Trade Commission charges that it misled Apple Safari users by stating it would not place tracking cookies or serve them targeted ads, the issue was the gap between what Google said and did.

Here we have Microsoft Bing Ads counseling customers how its technology facilitates tracking without third-party cookies, regardless of whether users have expressed the desire not to be tracked by adopting a privacy-oriented browser.”

Currently, there are laws to protect users’ privacy, but they are only enforceable if the tracking is deemed deceptive. Google was fined for dropping cookies on Safari, but only when the search engine said it would not. California has a new regimen of privacy laws, which could set the standard for the US if someone in the state complains. Until then be aware you are being tracked and your history is sold.

And how did DuckDuckGo respond? Waddled backwards.

Whitney Grace, August 12, 2022

Google Kicked Out of School in Denmark

August 11, 2022

Like its colleagues in the Netherlands and Germany, the Denmark data protection authority has taken a stand against Google’s GDPR non-compliance. European secure-email firm Tutanota reports on its blog, “Denmark Bans Gmail and Co from Schools Due to Privacy Concerns.” Schools in the Helsingør Municipality have until August 3 to shift to a different cloud solution. We learn:

“In a statement published mid July, the Danish data protection agency expresses ‘serious criticism and bans … the use of Google Workspace’. Based on a risk assessment for the Helsingør Municipality, the data protection authority concluded that the processing of personal data of pupils does not meet the requirements of the GDPR and must, therefore, stop. The ban is effective immediately. Helsingør has until August 3 to delete pupils’ data and start using an alternative cloud solution. … This decision follows similar decisions by Dutch and German authorities. The issues that governmental institutions see themselves faced with has started with the invalidation of Privacy Shield back in 2020. Privacy Shield has been a data transferring agreement between the USA and the European Union and was supposed to make data transfers between the two legally possible. However, the agreement has been declared invalid by the European Court of Justice (ECJ) in 2020 due to privacy concerns. One major problem that the EU court pointed out is that data of foreigners is not protected in the USA. The protections that are there – even if limited – only apply to US citizens.”

So the NSA can gain unfettered access to the personal data of Europeans but not US citizens. We can see how authorities in the EU might have a problem with that. As the Danish agency notes, such a loophole violates rights considered fundamental in Europe. Not surprisingly, this Tutanota write-up emphasizes the advantages of a Europe-based email service like Tutanota. It is not wrong. It seems Denmark has woken up to the Google reality. Now what about Web-search tracking?

Cynthia Murrell, August 11, 2022

Is The TikTok Google Allegation Accurate?

July 21, 2022

Good question. I know that any outfit offering a “service” has individuals who can look at data, metadata, and any other “stuff” associated with a particular entity; for example, spend limit, contacts, and geodata. Privacy and security depend on access controls. In theory, certain data are sandboxed and special approvals may be needed to get into that nifty play area. The hitch in the git along is that a system fails, a senior executive needs something now to close a big deal, a friend begs for help with such and such a problem. There’s also just the endemic “good enough” and “close enough for horse shoes” attitude which affects everything from TV personalities’ interactions with Air France to a busy parent trying to buy a hamburger and shake for a hungry lacrosse player at 4 pm on a blistering day in rural Kentucky.

That means… gaps, slip ups, work arounds, and doing what’s needed to fill time or get something done fast.

I read “Nothing Is Private: TikToker Who Says She’s a Former Google Admin Warns Workers about Work Accounts.” The information in the article is about a revelation on TikTok. The problem is that I am not sure the behavior described is accurate. Heck, it could be fabricated for some clicks and maybe an appearance on the Joe Rogan podcast. Fame is where you find it today.

The article quotes what a TikTok denizen said:

Whatever you put in that account—whether it’s emails, photos, Google Drive documents, or anything else—is not private.

Okay, clear enough.

For fun, let’s assume the Xoogler spilling the beans on the utility of having access to billions of users’ information is sort of true.

Shocking?

Nah.

The write up says:

that means that a company has access to all of the documents within someone’s company Google account, which can include things like email drafts, G-chats, and Google Drive uploads. This also reportedly applies to universities with student Google accounts. Furthermore, one does not have to leave the job or university for their administrators to obtain this access. “I can get into any of it,” Lauren says. “Any of it!”

Ads, folks. Ads mean money. Who can resist generating revenue, beating performance targets, and getting a big bonus? Once Google would toss in a ski trip or a mouse pad. Go for it. The incentive plan is what makes the Googlers spin.

What’s the fix? The answer is:

Delete. Delete. Delete.

Sounds like reasonable advice if deletion is indeed “real.” Data are backed up and delete usually means removing a pointer to an object in a file. Those back ups, the copies of data tables in a marketing department laptop, or the data required to whip up a projection based on use of information to spur quicker depletion of ad inventory.

Probably not deleted.

Let’s assume the write up describes something the Google does not, could not, would not, and will not do. Wow. Bullet dodged.

But… what if…? Wow. Bullets incoming.

Stephen E Arnold, July 21, 2022

The Murena: A Semi Dark Phone

June 10, 2022

Mobile phones are outstanding surveillance devices. Forget Google. Technology exists to suck down quite a bit of information no matter what phone one uses. Innovators keep trying to create black phones or completely secure devices. There is a market for these gizmos even if the phones are produced by law enforcement; for example, the ANON.

I noted “The Murena One Shows Exactly How Hard it Is to De-Google Your Smartphone.” The write up is interesting. I noted this passage:

You just can’t have the full Android experience without inviting Google into the equation. Instead, when you log into Google or use its services, Murena tries to mitigate the data Google can collect.

Several observations:

  • Innovators face a similar challenge de-Cooking the iPhone and de-China-ing the Oppo, OnePlus, Xiaomi, and other Middle Kingdom devices
  • The write up makes it clear that Google is the Big Dog when it comes to the Google ecosystem. Not even the Apple has such a lock. For one example of the penetration gap, see this write up.
  • One does not need to expend much effort to access data generated by mobile devices. Those apps? Yep, they are helpful.

How does one avoid leaking data? Some in the European Union use typewriters and carbon paper. Consider that perhaps.

Stephen E Arnold, June 10, 2022

DuckDuckGo: A Duck May Be Plucked

May 25, 2022

Metasearch engines are not understood by most Internet users. Here’s my simplified take: A company thinks it can add value to the results output from an ad-supported search engine. Maybe the search engine is a for-fee outfit? Either way, the metasearch system gets the okay to send queries and get results. The results stream back to the metasearch outfit and the value-adding takes place.

One of the better metasearch systems was the pre-IBM Vivisimo. This outfit sent out queries to an ad-supported search engine, accepted the results, and then clustered them. The results appeared to the Vivisimo user as a results list with some folders in a panel. The idea was that the user could scan the folders and the results list. The user could decide to click on a folder and see what results it contained or just click on a link. The magic, as I understood it, was that the clustering took place in near real time. Plus, the query on the original Vivisimo pre-IBM system could send the user’s query to multiple Web search engines. The results from each search system would be de-duplicated. An interesting factoid from the 2000s is that search systems returned overlapping results 70 percent or more of the time. Dumping the duplicates was helpful. There were other interesting metasearch systems as well, but I am just using Vivisimo as an example of a pretty good one.

Privacy, like security, is a tricky concept to explain.

Using privacy to sell a free Web search system raises a number of questions; for example:

  1. What does privacy mean in the specific context of the metasearch engine?
  2. Where is the money coming from to keep the lights on at the metasearch outfit?
  3. What about log files?
  4. What about legal orders to reveal data about users?
  5. What’s the quid pro quo with the search engine or engines whose results the metasearch system uses?
  6. What part of the search chain captures data, inserts trackers, bugs, cookies, etc. into the user’s query?

None of these questions catches the attention of the real news folks, nor do most users know what answering the questions requires. The metasearch engines typically do not become chatty Cathies when someone like me shows up to gather information about metasearch systems. I recall the nervousness of the New York City wizard who cooked up Ixquick and the evasiveness of the owner of the Millionshort services.

Now we come to the notion that a duck can be plucked. My hunch is that plucking a duck is a messy affair for both duck and duck plucker.

“DuckDuckGo Browser Allows Microsoft Trackers Due to Search Agreement” presents information which appears to suggest that the “privacy” oriented DuckDuckGo metasearch system is not so private as some believed. The cited article states:

The privacy-focused DuckDuckGo browser purposely allows Microsoft trackers on third-party sites due to an agreement in their syndicated search content contract between the two companies.

You can read the cited article to get more insight into the assertion that DuckDuck has been pluck plucked in the feathered hole of privacy.

Am I surprised? No. Search is without a doubt one of the most remarkable business segments for soft fraud. How do I know? My partners and I created The Point in 1994, and even though you don’t remember it, I sure remember what I learned about finding information online. Lycos (CMGI) bought our curated search business, and I wrote several books about search. You know what? No one wants to think about search and soft fraud. Maybe more people should?

Net net: Free comes at a cost. One does not know what one does not know.

Stephen E Arnold, May 25, 2022

Using a VPN in India?

May 10, 2022

I read “VPN Providers Are Ordered to Store User Data for 5 or More Years in India.” The land of Khichdi is a fair piece from rural Kentucky. On the other hand, the VPN providers and crypto exchange platforms can be as near as one’s mobile phone or laptop. So what?

The write up points out:

The Indian government has published a directive that will force VPN providers and crypto exchange platforms to store user data for at least five years, even when customers have since terminated their relationship with the companies in question. Decision makers at businesses who don’t comply with the new ruling could face up to one year in prison, with it going into effect in late June 2022.

Yes, just another law. What makes this interesting is that a VPN, according to some enthusiastic promotional material, preserves one’s online privacy. That sounds like a great idea to many people.

What happens if those VPN records are reviewed prior to their deletion by the VPN providers who insist that the users’ data are not preserved? I also like the VPN vendors who suggest that logs are not preserved.

If India’s directive yields some bad actor identification and incarceration, what other countries will use India’s approach as a springboard? The abuse of some online capabilities has been friction free in some places. Russia appears to have some doubts about VPNs. China? Yep, China too.

Perhaps the days of laissez-faire will end with a reprimand from Yama?

Stephen E Arnold, May 10, 2022
