The niner noteworthy and the 12 recaps of 2016 (day 9)

Privacy professionals “are all lawyers”, at least that is a one-liner I have heard often enough from people within the International Association of Privacy Professionals. And yes, I’m somewhat irritated about that statement.
Data protection has, whether lawyers like it or not, a very large technical aspect that, if not taken care of, will mean that their legal work means absolutely nothing for the privacy protection of our society.
In this instalment I will be looking at data protection from a technology point of view, including: the privacy-aware usage of drones, biometric voice prints and how a piece of software can render them useless, health data in the hands of one of the biggest privacy violators on the web, fitness bands and their privacy impact, issues with Apple iMessage, and iCloud syncing of call data.
But the legal side has its place too in this 12 recaps series.
Check out day 10: Legal privacy, here.

In chronological order:

Realizing the potential of drones, yet preserving our privacy


Those guidelines are voluntary and consensus material at best. That remote controlled planes can have interesting applications, either for hobbyist or commercial usage, is quite clear. However, what are the penalties for doing something that clearly goes against common sense and that set of voluntary rules? Can I shoot them out of the sky if they invade the airspace over my private property?
That’s “shoot” theoretically, btw, as I have a couple of ideas that are far more destructive and certainly leave less physical evidence to trace back to me too. And no, I won’t write them down here.
In all honesty, it is great that they are thinking about the privacy of society, but I am placing question marks over the reality and usefulness of this approach, especially because it is a consensus approach with the industry looking to make a lot of money from selling and operating these machines to the widest possible extent.
source: TechCrunch (external link)

iMessage Preview Problems


If Apple calls this differential privacy then I am certainly not impressed. With Apple’s CEO Tim Cook always saying that Apple “takes your privacy very seriously”, the preview of web links in your iMessage conversations certainly shows a different attitude.
There is a good reason not to load remote content in received e-mails, certainly not by default. As the iMessage service is more or less replacing e-mail for shorter messages and even for sharing links, Apple should at least let users choose for themselves whether they want to click on a link or not.
The information leakage is bad enough; what would make it worse or even disastrous is a zero-day vulnerability being found in the message application. Another scenario would use a link, downloaded malware and an unsuspecting user who clicks and installs it whilst accepting an app from an unknown developer (unsigned code).
source: TheAntiSocialEngineer (external link)

Ad Industry to FCC on Privacy Rules: You Got It Wrong


Yes, the Federal Communications Commission (FCC) got it right. The reason why the advertising industry has been crying wolf over this proposal has nothing to do with American consumers but everything to do with their own revenue model and nothing else. We have seen a similar show of crocodile tears when Apple introduced ad-blocking capabilities to the iOS mobile platform a couple of years ago.
Another interesting bit from this article, and somewhat the underlying issue of an entirely different privacy matter, namely Safe Harbor or its successor, the EU/US Privacy Shield, is that the Federal Trade Commission has no rule-making authority. So even if it wanted to enforce these rules more strictly but needed extra rules and jurisdiction to do so, it can’t decide on that itself, whereas the FCC can and will do so in protection of customers’ privacy.
source: Crain Communications (external link)

Fitbit, Jawbone, Garmin and Mio fitness bands criticized for privacy failings


Most new technologies will face issues; however, if certain core principles aren’t incorporated in the design phase from the start, it is extremely difficult to do so later. This also holds for privacy by design and by default.
Whilst under US law three of the four companies may comply very well, under the General Data Protection Regulation (GDPR) they will simply have to comply with EU privacy law when they have European customers.
So if they are committed to privacy, why make behind-the-scenes calls to Facebook as well as two tracking companies? Is that what you would call “committed to user’s privacy”? If so, then I respectfully disagree.
Another issue may very well be that these privacy policies are not printed on the box and that people are not directed to read them before they buy any of these products, apart from the fact that the longest is a massive 22 pages. Which makes me wonder: if I had one of those fitness bands and disagreed with its privacy policy, could I get my money back or would I be left with a useless privacy-destroying piece of junk?
source: TechCrunch (external link)

Adobe Voco ‘Photoshop-for-voice’ causes concern


As we have seen with Photoshop, Voco will indeed cause a lot of controversy and will potentially be extremely dangerous. It is not a question of if but when it will be misused to defeat voice recognition systems used by e.g. UK banks, or to mislead people into believing somebody said something they really didn’t say and keep denying they ever said.
Okay, the software can be used for obvious pranks as well, but that’s not the focus here. It would be more serious if this program were misused during election campaigns, undermining democracies, or used in fake phone calls to world leaders or industry leaders to feed them false information, or even used on a voice artist’s recordings to make new work without that person actually getting paid for it, which Adobe as much as suggested the software can be used for in the BBC article.
Technically this is an interesting bit of research but ethically this will become extremely dangerous and very worrying if it is put on sale.
source: BBC News (external link)

FYI Apple fans – iCloud slurps your call histories


I’ve noticed this as well and even called Apple about it; they, or at least the representative I spoke to, didn’t know about this apparently hidden feature. The problem itself is not that Apple synchronises this, but the fact that they don’t ask permission to do so as they do with calendar, contacts, Safari, reminders etc.
This call list synchronisation is extremely annoying and if I could switch it off I certainly would. That is quite apart from the obvious privacy issues related to this.
If Apple is really committed to privacy then this trick behind its customers’ backs shows otherwise. Unless that’s what Tim Cook meant with “differential privacy”.
source: The Register (external link)

TfL to track Tube users in stations by their MAC addresses


How do you depersonalise a MAC address, I dare ask? This is an interesting usage of MAC addresses (which are the hardware addresses your device broadcasts over the wireless network and the same ones the network uses to get you your data as well). Can this data be considered personally identifiable? Not by itself; together with other data, e.g. check-in/out information, that may well be possible, although in busy stations it is extremely hard to do.
However, if you log the same device travelling the same, possibly unique, route every day around the same time, then it becomes easier or even extremely likely that you can uniquely identify a certain traveller if this data is combined with entry and departure data from personal travel cards, CCTV images and possibly browsing habits if the public-facing WiFi is actually used.
In other words, I believe TfL is on safe ground for now but needs to be extremely careful not to cross the line on this one, which is extremely close to their current operational usage.
source: The Register (external link)
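
The linkage concern raised above, as an added example (not from the original post, The Register or TfL): it assumes "depersonalising" means replacing each MAC address with a keyed hash, and uses constructed Wi-Fi sightings and travel-card journeys to compare a static key with a key rotated daily.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: Wi-Fi sightings as (day, station, MAC), in time order.
SIGHTINGS = [
    ("mon", "A", "3c:15:c2:aa:bb:01"), ("mon", "B", "3c:15:c2:aa:bb:01"),
    ("mon", "A", "f0:18:98:10:20:30"), ("mon", "C", "f0:18:98:10:20:30"),
    ("tue", "A", "3c:15:c2:aa:bb:01"), ("tue", "B", "3c:15:c2:aa:bb:01"),
    ("tue", "A", "f0:18:98:10:20:30"), ("tue", "C", "f0:18:98:10:20:30"),
]
# Constructed travel-card journeys: (card, day, entry station, exit station).
TAPS = [
    ("CARD-1", "mon", "A", "B"), ("CARD-1", "tue", "A", "B"),
    ("CARD-2", "mon", "A", "C"), ("CARD-2", "tue", "A", "C"),
    ("CARD-3", "mon", "A", "B"), ("CARD-3", "tue", "A", "C"),
    ("CARD-4", "mon", "A", "C"), ("CARD-4", "tue", "A", "B"),
]
# Random HMAC keys, one per rotation period (assumed scheme, not TfL's).
KEYS = defaultdict(lambda: secrets.token_bytes(32))

def pseudonymise(mac, day, rotate_daily):
    """Replace a MAC with HMAC-SHA256 under a static key or a per-day key."""
    key = KEYS[day if rotate_daily else "static"]
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()

def routes_by_token(sightings, rotate_daily):
    """Group sightings per pseudonym: token -> {day: [stations in order]}."""
    routes = defaultdict(dict)
    for day, station, mac in sightings:
        token = pseudonymise(mac, day, rotate_daily)
        routes[token].setdefault(day, []).append(station)
    return routes

def matching_cards(days, taps):
    """Cards whose entry/exit pair matches the token's route on every day seen."""
    result = None
    for day, stations in days.items():
        hits = {card for card, d, entry, exit_ in taps
                if d == day and (entry, exit_) == (stations[0], stations[-1])}
        result = hits if result is None else result & hits
    return result or set()

def summary(rotate_daily):
    """Return (pseudonyms seen, pseudonyms that match exactly one card)."""
    routes = routes_by_token(SIGHTINGS, rotate_daily)
    unique = sum(len(matching_cards(d, TAPS)) == 1 for d in routes.values())
    return len(routes), unique
```

With a static key, `summary(False)` returns `(2, 2)`: each pseudonym narrows to a single card once two days of journeys are intersected. With daily rotation, `summary(True)` returns `(4, 0)`, because every single-day pseudonym still matches two cards.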

IETF plants privacy test inside DNS


Interesting concept and certainly something I will have to look into in more detail. But isn’t this actually moving rather than fixing the problem of surveillance? Yes, it encrypts the transport layer so sniffing DNS requests isn’t possible anymore, but the request and associated data are still accessible and could therefore still be logged at the DNS server side.
Whilst this may improve parts of the security of DNS requests and may not leak as much information as the current system, I believe it may not be the total solution. That is not even counting the possible adoption rate of the changes to the DNS protocol, which can be extremely slow and take years or even more than a decade. I’m referring to the implementation of DNSSEC (DNS Secure), which even now is not fully implemented but was designed in the late 1990s and was meant to clean up the DNS records to make the system more reliable.
source: The Register (external link)

Google secures five-year access to health data of 1.6m people


This is a follow-up to a story I wrote about in May of 2016, which apparently was only the tip of the iceberg. Let’s say I’m glad I am not a patient of the NHS, so it isn’t my medical data being handed over to a company that by no means has a spotless privacy record.
Whatever the reasons behind this proof-of-concept deal, do we really trust Google to carefully handle this kind of sensitive data? Or will you see kidney transplant advertisements in your search results from an Alphabet hospital in the near future?
Besides, if it is only a real-time alerting app, why do they need to have all the additional data as well? Unless they may be doing a bit more than just alerting and are also analysing patterns and possibly more.
source: Naked Security (external link)
