Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The U.S. federal government is secretly ordering Google and other search engines to track and provide data on anyone who searches certain terms through *keyword warrants*, according to a new report. In recent years, only two such warrants have been made public, but accidentally *unsealed court documents obtained by Forbes* show the government has been making these requests far more frequently. [...] <https://www.forbes.com/sites/thomasbrewster/2021/10/04/google-keyword-warrants-give-us-government-data-on-search-users/?sh=3D62af27647c97> https://nypost.com/2021/10/06/us-government-ordering-search-engines-to-provide-search-data/
https://www.scientificamerican.com/article/the-fda-should-better-regulate-medical-algorithms/ "Medical algorithms are used across the health care spectrum to diagnose disease, offer prognosis, monitor patients’ health and assist with administrative tasks such as scheduling patients. But recent news in the U.S. is filled with stories of these technologies running amok. From sexual trauma victims being unfairly labeled as “high-risk” by substance-abuse- scoring algorithms to diagnostic algorithms failing to detect sepsis cases in more than 100 health systems nationwide to clinical decision support (CDS) software systematically discriminating against millions of Black patients by discouraging necessary referrals to complex care”this problem abounds. And it extends our pandemic as well. In a review of 232 machine-learning algorithms designed to detect COVID-19, none were of clinical use. "The kicker: most of these algorithms did not require FDA approval, and the ones that did often were not required to conduct clinical trials." The FDA's 510(k) regulatory process promotes medical innovations by establishing a broadened definition of "device similarity"—if the newest form of a medical device is not too different from the old, approval for deployment and use is given without significant qualification trial for effectiveness or safety. The 510(k) process has been abused by medical device manufacturers, especially those based on computer technology. Patients that rely on embedded applications (pacemakers, cardiodefibrillators, drug infusers, continuous glucose monitors, etc.) and diagnostic systems (X-rays, MRI, blood chemistry analyzers, etc.) are constantly exposed to adverse product events documented as malfunctions, injuries, and deaths. Adverse events also contribute to inconvenience that consumers and insurers underwrite through lost time and expense. Failure to minimize software defect escape exposes patient populations to unnecessary and avoidable technological risks. Reforming the 510(k) process by subjecting algorithmic qualification efforts to broad public scrutiny (e.g., open source inspection) can suppress product defect escape potential.
Apple’s so-called App Tracking Transparency initiative has not stopped all tracking. Testing by Johnny Lin and Sean Halloran of "Lockdown Privacy" showed that apps are using "Fingerprinting" to track users. https://blog.lockdownprivacy.com/2021/09/22/study-effectiveness-of-apples-app-tracking-transparency.html https://www.washingtonpost.com/technology/2021/09/23/iphone-tracking/ "To find out what happens when you tap “ask app not to track,” Lockdown says it tested ten popular apps on an iPhone running iOS 14.8 and again with the newest iOS 15, analyzing what personal information flowed out of them. As part of a technical change that arrived with iOS 14.5, the apps were no longer able to access one valuable piece of data: a kind of social security number for your iPhone, known as the ID for Advertisers, or IDFA. But there’s other information that can identify your phone beyond that number. [...]" For example: The app "Subway Surfers starts sending an outside ad company called Chartboost 29 very specific data points about your iPhone, including your Internet address, your free storage, your current volume level (to 3 decimal points) and even your battery level (to 15 decimal points). It’s the kind of unique data that could be used by advertisers to identify your iPhone, possibly letting them know what other apps you use or how to target you."
As it lauded former President Donald Trump and spread his unfounded claims of election fraud, One America News Network saw its viewership jump. Reuters has uncovered how America’s telecom giant nurtured the news channel now at the center of a bitter national divide over politics and truth. https://www.reuters.com/investigates/special-report/usa-oneamerica-att/
Free press advocates called Gov. Mike Parson's comments against a St. Louis Post-Dispatch journalist "absurd." When a St. Louis Post-Dispatch journalist discovered that the Missouri state teachers website allowed anyone to see the Social Security numbers of some 100,000 school employees, he did what any reporter might do. He published a story about the security vulnerability — though not before warning the state and giving it time to remove the affected webpages. Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap. But Missouri Gov. Mike Parson (R) did the opposite: He called the journalist “a hacker” who may face civil or criminal charges for “decod[ing]” HTML code on the Department of Elementary and Secondary Education website and viewing three Social Security numbers. The journalist was “acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson announced Thursday. He said that he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit. The announcement immediately drew appalled reactions from The Post-Dispatch and other journalistic organizations. “We stand by our reporting and our reporter who did everything right,” Ian Caso, president and publisher of The Post-Dispatch, said in a statement. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.” Committee to Protect Journalists’ U.S. and Canada program coordinator Katherine Jacobsen called Parson’s legal threats “absurd.” “Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” she told The Washington Post in an email. https://www.washingtonpost.com/media/2021/10/14/mike-parson-st-louis-post-dispatch-hacker/
A transgender man (i.e., someone who was born female and subsequently transitioned gender) was registered with his medical practice and the UK National Health Service as male. Having a vagina and cervix, he arranged a cervical screening test (US: Pap test). When the test results came back suggesting abnormalities, the hospital follow up checks were significantly delayed by confusion over why a man needed cervical cancer checks. https://www.bbc.co.uk/news/uk-england-humber-58515769" In fact the patient had also had to take the initiative to arrange the original screening. NHS England policy for cervical screening is that those between 25 and 64 registered with a GP as female will be routinely invited for cervical screening, those registered as male won't. Transgender men can contact their GP to arrange to book a screening. Transgender men are not routinely invited to cervical screening checks and might not arrange their own. To be clear about terminology, according to the World Health Organisation, `gender' is used to describe the characteristics of women and men that are socially constructed, while `sex' refers to those that are biologically determined. People are born female or male, but learn to be girls and boys who grow into women and men. This learned behaviour makes up gender identity and determines gender roles. A data field intended for one purpose, recording biological sex, is being used to record something else (gender identity) for a small number of patients while using exactly the same coding. There does not appear to be a field that would disambiguate the two usages. A person or automated system reading the record cannot distinguish them immediately without reading background notes or accompanying letters. The risk: Records that conflate biological sex with gender identity can result in people having essential health checks compromised or missed altogether.
When Facebook went down, it took Instagram and WhatsApp with it. -L https://slate.com/technology/2021/10/whatsapp-facebook-instagram-outage-india-startups.html?via=rss
Jonathan M. Gitlin (8 Jun 2019) NASA will allow private astronauts on the ISS for $11,250-$22,500 a day The space agency wants to create a sustainable economy in low Earth orbit. The forward end of the International Space Station is pictured showing portions of five modules. From right to left is a portion of the U.S. Destiny laboratory module linking forward to the Harmony module. Attached to the port side of Harmony (left foreground) is the Kibo laboratory module from the Japan Aerospace Exploration Agency (JAXA) with its logistics module berthed on top. On Harmony's starboard side (center background) is the Columbus laboratory module from ESA (European Space Agency). NASA On Thursday morning, NASA held a press conference to announce that the International Space Station is now open for business. Previously, commercial organizations have only been able to use the ISS for research purposes; now NASA is open to letting them make a profit in low Earth orbit (LEO). "We're marketing these opportunities as we've never done before," said NASA's Chief Financial Officer Jeff DeWitt earlier today. For starters, the space agency issued a new directive that allows commercial manufacturing and production to occur on the ISS, as well as marketing activities. It's not quite "anything goes," though”approved activities have to have a link to NASA's mission, stimulate the development of a LEO economy, or actually require a zero-G environment. NASA has published a price list for the ISS, and it's setting aside five percent of the station's annual resources (including astronaut time and cargo mass) for commercial use.
So now they're comparing Facebook with cigarettes and opioids. For the record, similar accusations were made against comic books and horror movies in their day. Here we go again.
Recently I've been getting a whole bunch of requests, from people I don't know, to join "chats" via Google Chat. (I don't yet know Google Chat, but I assume that it is an evolution of Duo?) I assume this is some kind of fraud or phishing, possibly a version of 419/advance fee fraud. Anybody have any additional details? (I don't have time to explore it by joining the chats, but does anyone know if there are any malware vulnerabilities?)
When the hyper-wealthy ruler of the Middle Eastern emirate of Dubai found himself embroiled in a British court case with the Jordanian princess who was once his wife, he did more than hire top-shelf lawyers. He also deployed high-tech software purchased from an Israeli company to hack the cellphones of his ex-wife, two of her lawyers and three other associates, according to court documents made public on Wednesday. https://www.nytimes.com/2021/10/06/world/europe/dubai-sheik-hacked-phones-ex-wife-uk.html
Title: Bugs in our Pockets: The Risks of Client-Side Scanning Authors: Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague and Carmela Troncoso http://arxiv.org/abs/2110.07450 Comments: 46 pages, 3 figures License: http://creativecommons.org/licenses/by/4.0/ Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hindered access to evidence and intelligence. Some in industry and government now advocate a new technology to access targeted data: client-side scanning (CSS). Instead of weakening encryption or providing law enforcement with backdoor keys to decrypt communications, CSS would enable on-device analysis of data in the clear. If targeted information were detected, its existence and, potentially, its source, would be revealed to the agencies; otherwise, little or no information would leave the client device. Its proponents claim that CSS is a solution to the encryption versus public safety debate: it offers privacy -- in the sense of unimpeded end-to-end encryption—and the ability to successfully investigate serious crime. In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused. RELATED COMMENTARY: https://www.theguardian.com/world/2021/oct/15/apple-plan-scan-child-abuse-images-tears-heart-of-privacy From Ross Anderson: https://www.lightbluetouchpaper.org/2021/10/15/bugs-in-our-pockets/ The report is also at https://www.cl.cam.ac.uk/~rja14 From Susan Landau <email@example.com> https://www.lawfareblog.com/bugs-our-pockets-risks-client-side-scanning From Bruce Schneier: https://www.schneier.com/blog/archives/2021/10/security-risks-of-client-side-scanning.html
Please report problems with the web pages to the maintainer