Using a VPN in India?

May 10, 2022

I read “VPN Providers Are Ordered to Store User Data for 5 or More Years in India.” The land of Khichdi is a fair piece from rural Kentucky. On the other hand, the VPN providers and crypto exchange platforms can be as near as one’s mobile phone or laptop. So what?

The write up points out:

The Indian government has published a directive that will force VPN providers and crypto exchange platforms to store user data for at least five years, even when customers have since terminated their relationship with the companies in question. Decision makers at businesses who don’t comply with the new ruling could face up to one year in prison, with it going into effect in late June 2022.

Yes, just another law. What makes this interesting is that  VPN, according to some enthusiastic promotional material, preserves one’s online privacy. That sounds like a great idea to many people.

What happens if those VPN records are reviewed prior to their deletion by the VPN providers who insist that the users’ data are not preserved? I also like the VPN vendors who suggest that logs are not preserved.

If India’s directive yields some bad actor identification and incarceration, what other countries will use India’s approach as a springboard. The abuse of some online capabilities has been friction free in some places. Russia appears to have some doubts about VPNs. China? Yep, China too.

Perhaps the days of laissez-faire will end with a reprimand from Yama?

Stephen E Arnold, May 10, 2022

Google: Visits to Paris Likely to Increase

April 22, 2022

In the unlikely publication for me, Adweek published an interesting story: “French Sites Ordered to Stop Using Google Analytics Is Just the Beginning.” That title seems ominous. The election excitement is building, but the actions of Commission  Nationale de l’informatique et des Libertés is likely to grind forward regardless of who wins what. The Adweek write up states:

…the French data watchdog—Commission Nationale de l’informatique et des libertés (CNIL)—ordered three French websites to stop using audience analytics site Google Analytics, deeming the site to be illegal under the General Data Protection Regulation.

The article adds:

This means that companies based in Europe using Google Analytics—which reads cookies that are dropped on peoples’ browsers when they visit a site to gauge whether they are a new or returning user—were shipping people’s personal information to the U.S.

Are Google Analytics a problem for CNIL? Probably not for the agency, but the CNIL seems poised to become a bit of a sticky wicket for Googzilla. After years of casual hand slapping, an era of RBF (really big fines) may be beginning. Google executives might find that CNIL can make a call to a fancy Parisian hotel and suggest that the Googlers be given rooms with a less salubrious location, tired decorations, and questionable plumbing. Mais oui! C’est domage.

On a positive note, Google is taking action itself. Privacy, security, fraud — well, sort of. “Google Sues Scammer for Puppy Fraud” reports:

The complaint … accuses Nche Noel of Cameroon of using a network of fake websites, Google Voice phone numbers, and Gmail accounts to pretend to sell purebred basset hound puppies to people online.

And the conduit for these alleged untoward actions? Google. Now how did Google’s smart software overlook fake websites, issue Google Voice numbers, and permit Gmail accounts used for the alleged bad puppy things? Nope. AARP connected with Googzilla. Yeah, smart software? Nope.

Stephen E Arnold, April 22, 2022

Tim Apple and Unintended Consequences: AirPods?

April 19, 2022

Apple in my opinion emphasizes privacy. (How about the iPhone and the alleged NSO Group Pegasus functionality?) “Ukrainians Are Tracking the Movement of Russian Troops Thanks to One Occupier Looter with AirPods.” I am not sure if the write up is accurate. The source says “truth.” But…

The tracking thing is interesting; for example, Phone home malware on an iPhone, an AirTag hidden on a Russian T-14 Armata, or AirPods. Head phones? Yep.

The cited article reports:

A Russian soldier stole [a Ukrainian’s] AirPods (wireless headphones) when looting [the Ukrainian’s] apartment while Russian occupying forces were in Gostomel. Russian soldiers withdrew, but thanks to the technology on Apple devices, Ukrainians can keep track of where their headphones are. Find My technology on Apple devices lets you find the location of a lost device on the map if it’s near Bluetooth smartphones or connected to Wi-Fi.

What can one do with the help geo-location functions? One idea is to use the coordinates as a target for a semi-smart missile. (This is not a criticism of smart software. It is part of the close enough for horseshoes methods which can often deliver the payload somewhere unintended.)

Now about that Tim Apple privacy thing? Pravda or falsehood?

Stephen E Arnold, April 19, 2022

Does Apple Have a High School Management Precept: We Are Entitled Because We Are Smarter Than You

April 19, 2022

The story “Ex-Apple Employee Takes Face ID Privacy Complaint to Europe” contains information about an Apple employee’s complaint to the “privacy watchdogs outside the US.” I have no insight into the accuracy or pervasiveness of Apple’s alleged abuses of privacy. The write up states:

Gjøvik [the former Apple employee blowing the privacy horn] urges the regulators to “investigate the matters I raised and open a larger investigation into these topics within Apple’s corporate offices globally”, further alleging: “Apple claims that human rights do not differ based on geographic location, yet Apple also admits that French and German governments would never allow it to do what it is doing in Cupertino, California and elsewhere.”

What I find interesting is that employees who go to work for a company with trade secrets is uncomfortable with practices designed to maintain secrecy. When I went to work for a nuclear engineering company, I understood what the products of the firm could do. Did I protest the risks some of those products might pose? Nope. I took the money and talked about computers and youth soccer.

Employees who sign secrecy agreements (the Snowden approach) and then ignore them baffle me. I think I understand discomfort with some procedures within a commercial enterprise. A new employee often does not know how to listen or read between the lines of the official documents. My view is that an employee who finds an organization a bad fit should quit. The litigation benefits attorneys. I am not confident that the rulings will significantly alter how some companies operate. The ethos of an organization can persist even as the staff turns over and the managerial wizards go through the revolving doors.

As the complaint winds along, the legal eagles will benefit. Disenchanted employees? Perhaps not too much. The article makes clear that when high school science club management precepts are operational, some of the managers’ actions manifest hubris and a sense of entitlement. These are admirable qualities for a clever 16 year old. For a company which is altering the social fabric of societies, those high school concepts draw attention to what may be a serious flaw. Should companies operate without meaningful consequences for their systems and methods? Sure. Why not?

Stephen E Arnold, April 19, 2022

Google and Tracking Magic

February 4, 2022

Tracking user locations is baked in to Google’s apps, and that is unlikely to change as long as tracking data (“anonymized,” we are repeatedly assured) remains a valuable source of revenue. CNet considers, “Can You Really Stop Google from Tracking You? Here’s What We Know.” The short answer—you can try. Reporter Kelsey Fogarty writes:

“If you use Google’s apps on your iPhone or Android phone, it’s a good possibility you’re being tracked. And turning off your location history in your Google account doesn’t mean you’re in the clear. Disabling that setting may seem like a one-and-done solution, but some Google apps are still storing your location data. Simply opening the Google Maps app or using Google search on any platform logs your approximate location with a time stamp. In the latest lawsuits against the giant search engine company, Google has been sued by several states due to its use of location data. They allege Google makes it ‘nearly impossible’ for people to prevent their location from being tracked. After a 2018 investigation by the Associated Press, Google added features to make it easier to control what location and other data is saved, and what is deleted with features like Your Data in Maps and Search, which give you quick access to your location controls. However, DC Attorney General Karl Racine said, ‘Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access.’ Google has since defended itself.”

Of course it has. The company points to several measures one can take to “turn off” tracking, insisting control is in the hands of users. However, the write-up hints, there is no guarantee they will actually work. See the article for these methods—they may at least improve one’s odds. Or not. Google does promise one thing: users who turn off tracking will receive a less personalized experience, meaning less relevant ads and less helpful local search. Who needs privacy when one must have the name and number of the closest tapas joint.

Cynthia Murrell, February 4, 2022

With Time and Money You May Be Able to Scrub That Web Content about You

January 25, 2022

What is posted on he Internet stays in the digital ether forever, but occasionally content can be deleted but only with a lot of work. AIM explains how your Internet breadcrumbs can be deleted in the article, “Online Tools That Help You Remove Your Digital Footprint.” A person’s contact information and interests is the lifeblood of growing businesses. According to the Mine privacy start-up after they surveyed 30,000 of its users, it was discovered that a user’s email was in 350 companies databases.

That sounds like a startling statistic, but emails are shared like people used to share cigarettes. Also mailing houses and phonebooks used to list and sell the same information. Back in analog paper days, people did not have GPSs strapped to their bodies at all times so it is alarming that we can be tracked at all times and everything we do is recorded. There are ways to combat data collection, such as using privacy browsers like Brace, Firefox, and Duck Duck Go:

“Firefox is a great alternative for web browsing for privacy with its ‘Enhanced Tracking Protection’ that automatically blocks online trackers. Similarly, Duck Duck Go does not track user activity and open tabs and your browsing history can be deleted with a tap. These also include a signal ‘Global Privacy Control’ that sends your “do not sell” preference directly to websites you visit.”

There are also data deletion services. Users can backtrack and ask companies to delete all of their personal data, but it is a tedious task. Instead there are companies users can hire to delete all their personal information. It is like those services that you can hire to remove you from physical junk mail lists.

It makes sense that startups would spring up that specialize in deleting personal information. The idea is genius for niche market in cyber security and some of the companies are: Delete Me, Mine, Data Privacy Manager, Ontrack, Rightly, and Privacy bot.

The bigger question is do these companies actually provide decent services or are they a bait and switch? Our take? Parts of Internet indexes are like lice in a college dorm.

Whitney Grace, January 25, 2022

Apple: The Privacy Outfit

January 14, 2022

I have avoided writing about Apple’s handy dandy stalker gadgets. Those are some super special privacy centric gizmos, aren’t they? I will, however, point anyone with an interest in Apple’s privacy approach to “Your iPhone Can Secretly Listen to Conversations with AirPods — Here’s How.” Good actors and bad actors may get some surveillance ideas. The article says:

Apple’s Live Listen feature lets you hear someone speaking around 50 feet away.

That’s handy, isn’t it?

Allegedly the system works with AirPods, AirPods Pro, AirPods Max, Powerbeats Pro or Beats Fit Pro.

For the how to, absorb the information in the article, which includes illustrative screen shots. Yep, Apple is definitely into profits, ooops, I meant privacy.

Stephen E Arnold, January 14, 2022

Interesting Dating App Not Publicly Loved by the EU

January 13, 2022

Anyone wishing to keep up with decisions regarding the EU’s General Data Protection Regulation (GDPR) can turn to the GDPRhub wiki. Unfortunately, articles posted there are not always the easiest to read, especially after being machine-translated from one language to another. We slogged through the tortured prose in Norway authority Datatilsynet’s article 20/02136-18 regarding a recent fine imposed upon Grindr. The introductory summary states:

“In January 2020, the Norwegian DPA received 3 complaints against Grindr from the Norwegian Consumer Council (NCC) in collaboration with noyb [European Center for Digital Rights] regarding the sharing of data between the Grindr app and advertising partners MoPub, Xandr, OpenX Software, Ad Colony and Smaato. The complaint was based on the report ‘out of control’ prepared by the company mnemonic, and commissioned by the NCC. The NCC’s inquiry showed that Grindr shared certain categories of personal data to several advertising partners, including advertising ID, IP address, GPS, location, gender, age, device information and app name. The data was shared through software development kits (SDKs).”

The rest of the post outlines the technical details about the case, including issues of jurisdiction, guideline violations, and assessment of the 65,000,000 NOK ($7,345,000) fine. The key issue is Grindr’s user agreement, which did not give users enough control over their personal data to meet GDPR requirements. See the article for an extensive discussion of that reasoning. Basically, it looks like Grindr just did what it wanted and assumed it could beg for forgiveness. It was sadly mistaken. Let this be a lesson to other companies looking to distribute their apps in Europe. Fines that Google, Facebook, and Amazon weather as a matter of course could break smaller outfits.

Cynthia Murrell, January 11, 2021

DarkCyber for November 30, 2021: Sean Brizendine, SecureX

November 30, 2021

This DarkCyber program features an interview with Sean Brizendine. He is one of the founders of SecureX, where he serves as the director of Blockchain technology. The interview covers:

  • SecureX’s secret sauce in the crypto currency and services market
  • How open source software fits into the company’s technology portfolio
  • How the products and services further the capabilities of Web 3.0, distributed computing, and enhanced online security.

Mr. Brizendine is a certified Certified IIB Council Blockchain Professional & EC Council Online University Lecturer covering Blockchain in their Cyber Talk Webinar Series.

You can view the 11 minute interview on YouTube at this link.

Kenny Toth, November 30, 2021

An Example of Modern Moral Responsibility Avoidance

November 22, 2021

Virtual Private Networks (VPNs) are supposed to be one of the  Surfside condo’s garage pillars of network security. In reality, however, it all depends on the VPN provider. We learn about one cryptic hack from Tech.co’s piece, “Researchers Uncover Mystery Data Breach of 300 Million VPN Records.” Writer Jack Turner explains:

Security firm Comparitech claims to have discovered an exposed database in early October, which held over 100GB of data and 300 million records, in various forms. Within the data that was compromised were 45 million user records that included email addresses, encrypted passwords, full name and username; 281 million user device records including IP address, county code, device and user ID; and 6 million purchase records including the product purchased and receipts. All in all, it represents a motherlode of data that could conceivably be used for nefarious purposes, including phishing campaigns, should it fall into the wrong hands. While the database was closed within a week of Comparitech discovering it, the data it contained has apparently been made public.”

Not good. But what makes this case so mysterious? The VPN provider ActMobile Networks, which operates a number of VPN brands, denies even maintaining any databases. However, we learn:

“According to Comparitech, if the data didn’t come from ActMobile, it came from someone trying very hard to impersonate them. The SSL certificate of the compromised server shows it belonging to actmobile.com, the WHOIS record for the IP address where the data was located is listed as being owned by ActMobile Networks, and the database held several references to ActMobile’s VPN brands.”

Hmm. Turner emphasizes it is important to choose a VPN that indeed does not maintain logs, though they may cost a little more. See the article for Tech.co’s top nine recommendations.

And moral responsibility. Hey, these are zeros and ones, not fuzzy stuff.

Cynthia Murrell November 22, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta