Secrecy, privacy, security, intrusion

Coming soon to an android phone near you :weary:

6 Likes

That seems like a fair question. Would the behaviour of VicForests pass the sniff test? Probably not. Was any law broken? Again, probably not. (well, only by the “protesters” who beat the %$#@ out of the PI but that’s an unknown tangent.)

When much of your activity takes place in a public arena, you don’t have a reasonable expectation of privacy (in current law). If someone follows you on public roads, in public venues then you don’t have privacy. If someone follows you onto private property then that is crossing a line.

Let’s say, hypothetically, the PI was directed to uncover “dirt” on “Sarah” … well, members of parliament are well known to maintain their own “dirt files”, even on their own members of parliament (“keep your friends close and your enemies closer”) … so I don’t think you will see much action by politicians to make it more difficult to do this lawfully.

1 Like

The $64 question … will it be fooled by an image of the legitimate user of the phone? For example, does it have liveness detection?

2 Likes

Already on a smartphone near you (the researchers estimate 37% of all smartphones), a vulnerable sound processor that could enable a malicious actor to record everything your phone hears.

2 Likes

There will likely never receive a security update for a notable number of older devices that vendors no longer support.

That right there is the real problem.

General comment: This is a hot area of security research. The interface between the operating system and various ancillary processors, or the implementation on the ancillary processor itself, is often quick and dirty, either not having any validation at all or having faulty validation. At the same time, mobile phones are growing more and more ancillary processors. I expect many more bugs that are similar to the ones discussed in that article.

1 Like

Looks like we are being softened up for a further extension of the surveillance state: Theo Hayez coronial inquest hears of legislative gaps and barriers to accessing data - ABC News

Pedos and terrorists have been mostly mined out so now we are onto missing persons. Hence extension to surveillance in the absence even of the suspicion of crime.

2 Likes

Mozilla are working on further improvement to the sandboxing they use in Firefox. This should help alleviate cross contamination and identity theft from malicious code and websites into sensitive sites we use such as our Banking ones.

Mozilla have an article on the changes that might interest us all.

WebAssembly and Back Again: Fine-Grained Sandboxing in Firefox 95 - Mozilla Hacks - the Web developer blog

3 Likes

Malwarebytes blog has released a bit of interesting detail about what the FBI can get from encrypted messaging apps that many of us use. If the FBI can get it, it seems that most other Law Enforcement or Security Organisations of Govt would have similar access or lack of access.

From the details provided two of the most secure appear to be Signal and Telegram, but others also provide very limited information to authorities.

5 Likes

It ends by stating:

If there is one thing clear from the information in this document it’s that most, if not all, of your messages are safe from prying eyes in these apps, unless you’re using WeChat in China.

I would say that’s more than a little optimistic. There is a lot of metadata leaking from some of the apps, and a lot of reliance on the app developers. What’s metadata? Data that describes data (e.g. date and time of message, sender and recipient, length…), which in many cases is more valuable than the data itself.

I would not trust Telegram if I am in Russia (developer home country) or the Middle East (current headquarters). Obviously WeChat is a no-no. Anything that passes information to iCloud is potentially leaky, and I wouldn’t trust a service I have not heard of (Line). Signal looks like the best bet for protecting both data and metadata.

4 Likes

We use Line and have done so for a number of years. It is widely used in Eastern Asia and one of its purposes is to prevent prying eyes/ears from their big neighbour. It also is within the top 5 as far as user numbers. It was one of the first to introduce true end to end encryption.

We use it in preference to other popular ones which in the past have been data miners, but now claim to no longer serve such purposes.

3 Likes

This may be an introduction to our own telcos scraping for that last penny… From Verizon in the USA with a marketing department that deserves a gong for making intrusion that defaults to opt-out look like a bonus. The spin deserves recognition - they could be pollies-in-the-making. Summary: We will safeguard your information by using it ourselves. Such a great opportunity for their customers!

Introducing Verizon Custom Experience.
It’s your experience, tailored to your interests.

Hi [Customer Name],

At Verizon, we believe being America’s most reliable network comes with a responsibility to safeguard and protect your information. Your privacy is important to us, and we want to let you know about a new choice you have regarding how we use your information.

We’d like to introduce Verizon Custom Experience, a program designed to provide you more personalized experiences with Verizon. You will be part of Custom Experience unless you opt out.

How it works

The program uses information about websites you visit and apps you use on your mobile device to help us better understand your interests. This helps us personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services and offers that are more appealing to you.

To be very clear, this information is used only by Verizon; we do not sell this information to others for them to use for their own advertising.

You’re in control

Your line will be included in the Custom Experience program in 30 days unless you opt-out by using your privacy preferences [hotlinked] on the My Verizon site or My Verizon app. You can view and change your choices at any time.

2 Likes


yet.

Doesn’t work so well for the ISP if you use another, encrypted DNS lookup service.

2 Likes

And now this.

The proposal is to require adults to turn over ‘proof’ such as credit card or passport details to access some sites. That will go well on the first hack, surely it will.

3 Likes

They could use a system similar to that used for verification processes by many organisations in Australia, where details aren’t recorded by the third party site. The verification is through a query direct to the data holder (e.g. tax office, immigration dept etc) and the third party site only receives confirmations.

That could go smashingly well considering all the governments (and others) that might need to sign up to it. Not considering ‘I did not keep your details, really I didn’t’ issues as the scammers gain something akin to a trusted similarity for even asking.

1 Like

In Australia they already do from State Governments (driver licences etc) and the Commonwealth (passports, Medicare, ATO, banking details etc). It is becoming more common for government agencies, financial institutions and others to require (automatic) online verification with direct inquiries. See


The risk isn’t hacking, but phishing. If it becomes mandatory, account holders will be expecting the verification requirement for social or other online accounts and scammers/criminal gangs will exploit the opportunity to catch new victims. It will be easy for a scammer to replicate a legitimate verification page to harvest details - like those that already exist for phishing sites.

1 Like

This is something the UK government has been pushing for several years.

I see CHOICE Community censorship is alive and well :slight_smile: . Had the website not used a hyphen the word would have shown just fine.

So - maintain a central database that can be checked and that provides privacy in relation to the website by simply issuing a single-use identifier for someone who is old enough to be using the website. What could possibly go wrong?

  1. The central database is hacked. Unlikely.
  2. The central database is misused. “Of course we emailed your mother when you attempted to enrol at the xxx website, because you are under age”. Alternatively, “this person from the opposition who is campaigning on family values is registered at seven different websites according to our databases”. First is unlikely, because the under-age user would not be in the database. Second is totally improbable because we all know that we can trust the government not to give out personal information for political gain. /sarcasm
  3. Phishing (as already mentioned by @phb), seeking “to confirm that you registered for our website. If you do not respond we will have to confirm your details with the central database as they currently do not match its records”. Pretty much inevitable.
  4. People who want to access porn and do not want to be in a government database use a VPN to say that they’re actually connecting from Iran or some other more freedom-loving country. Highly likely, and a big problem.

There are a lot of ‘free’ VPNs out there, and the reason they do not charge you is because you are the product. Of course, educating teenagers on Internet safety is a chore in itself, and the fact is that at some point they are almost certain to go looking for whatever they cannot access - this is called human nature. Can’t pay for it because you are a teen who can’t get a credit card, or because you can’t afford it? Use the free stuff, and all your base are belong to us.

There are undoubtedly many other ways this plan could go wrong, and hopefully it will be killed off once again.

6 Likes

So you want to share your porn viewing habits with the tax office?

There are technical solutions to this problem but it is doubtful that the Australian government is interested because those solutions don’t align with their surveillance agenda. In other words, the Australian government wants to inject itself into your life to a greater extent.

2 Likes

Privacy International’s May 2022 report titled “Personal data and competition: Mapping perspectives, identifying challenges and enhancing engagement for competition regulators and civil society” can be found at the following link:

Personal Data and Competition May 2022 EN.pdf (privacyinternational.org)

@BrendanMays CHOICE may be interested in this.

3 Likes