Category Archives: Privacy

Google Faces $5 Billion Lawsuit for Invading Privacy of Users



Google users might be surprised to learn that “private” mode doesn’t actually mean that Google won’t track your internet use. Reuters reported that there is a proposed class action lawsuit against Alphabet Inc. that is seeking at least $5 billion. The lawsuit alleges that Google has been illegally invading the privacy of millions by tracking their internet use through browsers set in “private” mode.

The case is Brown et al v Google LLC et al, which was filed in the U.S. District Court, Northern District of California. I tried to find more information about this lawsuit, but could not find anything. Typically, a controversial lawsuit, that has the potential to affect many people, is embedded somewhere online. This one does not appear to be.

Google calls their private mode “incognito mode”. It would be reasonable to presume that a private mode would enable users to find information that they would not be comfortable having Google know about. For example, people might choose to look up “intimate and potentially embarrassing things” (as the lawsuit states) in Incognito mode, believing that Google would not track it.

According to the complaint filed in the federal court in San Jose, California, Google gathers data through Google Analytics, Google Ad Manager, and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads.

Google spokesman Jose Castaneda told Reuters: “As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity”. As you may have guessed, Google intends to defend itself vigorously against the claims in the lawsuit.

If this situation troubles you, there are other options. Some people prefer to use more ethical search engines such as Duck Duck Go, or Ecosia (which plants a tree for every search). Mozilla’s Firefox has the capability of blocking certain types of trackers. Keep in mind, though, that nothing on the internet is 100% private.

The lawsuit seeks at least $5,000 of damages per user for violations of federal wiretapping and California privacy laws. It will be very interesting to see if this case gets anywhere. Whenever a gigantic company is the defendant in a lawsuit, I have concerns that the case will disappear before a court can hear it.


Zoom Limits End-To-End Encryption to Paid Users



Those of you who are using Zoom, on a free account, might want to stop doing that. According to The Next Web, Zoom calls made by people who have free accounts won’t be encrypted. The end-to-end encryption is only for paid users.

Bloomberg reported that Zoom’s sales “soared” in the three months that ended on April 30, 2020. This happened due to a wave of stay-at-home orders put in place to prevent the spread of COVID-19. Those who suddenly found themselves working from home, and students whose schools shifted to virtual learning, started using Zoom. Clearly, Zoom has the money to add end-to-end encryption for all users.

Choosing not to do that is strange, especially since children use Zoom to access education. Churches and groups that focus on therapy and/or addiction have also used Zoom for meetings.

We’ve all heard about “Zoom-bombing”, which got so bad that the U.S. Department of Justice warned that “Zoom-bombing” can result in fines or imprisonment. That is a problem, but I don’t see how cutting off free users from end-to-end encryption will solve it.

The Next Web reported a quote from Zoom CEO Eric Yuan. “Free users, for sure, we don’t want to give that [end-to-end encryption]. Because we want to work it together with the FBI and local law enforcement, in case some people use Zoom for bad purpose.”

Alex Stamos, whom The Next Web identified as a security consultant for Zoom, tweeted: “Zoom is dealing with some serious issues. When people disrupt meetings (sometimes with hate speech, CSAM, exposure to children and other illegal behaviors) that can be reported by the host. Zoom is working with law enforcement on the worst repeat offenders.”

From this, it sounds like Zoom believes that free users cause shenanigans. But, that paints all free users with the same brush, and that’s not acceptable. I think Zoom will lose customers over this decision. I don’t think parents of kids who use Zoom for school, people who attend church through Zoom, or those who access self-help meetings on Zoom, will feel comfortable having law enforcement monitoring their Zoom calls.


Tech Companies Urge Congress to Protect Search and Browsing Data



Several tech companies are asking the U.S. House of Representatives to pass legislation that would prevent the FBI from obtaining people’s browser history without a warrant. The tech companies include: Mozilla, Reddit, Twitter, and Patreon.

Mozilla Corporation, Engine, Reddit, Inc., Reform Government Surveillance, Twitter, i2Coalition, and Patreon sent a letter to Speaker Nancy Pelosi, Minority Leader Kevin McCarthy, Chairman of the U.S. House Committee on the Judiciary Jerry Nadler, and Ranking Member of the U.S. House Committee on the Judiciary. From the letter:

We urge you to explicitly prohibit the warrantless collection of internet search and browsing history when you consider the USA FREEDOM Reauthorization Act (H.R. 6172) next week. As leading internet businesses and organizations, we believe privacy and security are essential to our economy our businesses, and the continued growth of the free and open internet. By clearly reaffirming these protections, Congress can help preserve user trust and facilitate the continued use of the internet as a powerful contributing force for our recovery.

This comes after the U.S. Senate voted down an amendment to the USA Patriot Act that would create a tougher standard for government investigators to collect web search and browsing histories of people in the states.

It was a bipartisan amendment that would have required the Department of Justice to show probable cause when requesting approval from the Foreign Intelligence Surveillance Court to collect the data for counterterrorism or counterintelligence investigations.


Apple and Google Released a FAQ About their Coronavirus Tracker



Earlier this month, Google and Apple announced a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the COVID-19 virus. As you may have expected, people had questions about how that contact tracing technology would work.

In response, Apple and Google released a Frequently Asked Questions PDF with more information. Some of it explains what contact tracing is, how it works, and how it can help slow the spread of COVID-19. It also covers how their contact tracing system will protect user privacy.

Here are some key points about user privacy:

  • Each user will have to make an explicit choice to turn on the technology. It can also be turned off by the user at any time by uninstalling the contract tracing application or turning off exposure notification in Settings.
  • This system does not collect location data from your device, and does not share the identities of other users to each other, Google or Apple. The user controls all data they want to share, and the decision to share it.
  • Bluetooth privacy-preserving beacons rotate every 10-20 minutes, to help prevent tracking.
  • Exposure notification is only done on device and under the user’s control. In addition people who test positive are not identified by the system to other users, or to Apple or Google.
  • The system is only used for contract tracing by public health authorities apps.
  • Google and Apple can disable the exposure notification system on a regional basis when it is no longer needed.

However, the FAQ also makes it clear that government health authorities will have access to the information facilitated by the app. “Access to the technology will be granted only to public health authorities. Their apps must meet specific criteria around privacy, security, and data control. The public health authority app will be able to access a list of beacons provided by users confirmed as positive for COVID-19 who have opted into sharing them. The system was also designed so that Apple and Google do not have access to information related to any specific individual.”

The FAQ states a user can choose to report a positive diagnosis of COVID-19 to their contact tracing app. The user’s most privacy-preserving beacons will be added to the positive diagnosis list shared by the public health authority so that others who came in contact with those beacons can be alerted. I don’t see how that can be done without the app being able to identify one individual user from another.

It comes down to how much you trust your government to use the information from the app to help people. This sort of heath information can be used to prevent people from being eligible for health insurance coverage, or to be discriminated against in other ways. Personally, I am not going to use this app.


Google, Mozilla, and Apple Block Kazakhstan’s Root Certificate



Three big browser makers are now blocking the use of a root certificate that Kazakhstan’s government had used to intercept internet traffic. According to Ars Technica, Khazakhstan reportedly said it halted the use of the certificate. Ars Technica reported that the actions taken by Google, Mozilla, and Apple could protect users who already installed it or prevent future use of the certificate by Kazakstan’s government.

Apple told Ars Technica that it is blocking the ability to use the certificate to intercept internet traffic.

Mozilla posted on The Mozilla Blog “Today, Mozilla and Google took action to protect the online security and privacy of individuals in Kazakhstan. Together, the companies deployed technical solutions within Firefox and Chrome to block the Kazakhstan government’s ability to intercept internet traffic within the country.”

The response comes after credible reports that internet service providers in Kazakhstan have required people in the country to download and install a government-issued certificate on all devices and in every browser in order to access the internet. This certificate is not trusted by either of the companies, and once installed, allowed the government to decrypt and read anything a user types or posts, including intercepting their account information and passwords. This targeted people visiting popular sites like Facebook, Twitter, and Google, among others.

Google posted information on its Google Security Blog. Part of that blog post says: “In response to recent actions by the Kazakhstan government, Chrome, along with other browsers, has taken steps to protect users from the interception or modification of TLS connections made to websites.”

It continues: “Chrome will be blocking the certificate the Kazakhstan government required users to install. The blog post has more specific details about that certificate.

It is good that these companies, all of whom make browsers, are taking a stand against government intrusion into people’s privacy. I hope that these companies will take the same action whenever another government chooses to spy on its own people in an effort to sneakily discover what those people do online.


Amazon Allows You to Disable Human Review of Recordings



Amazon is now allowing people who use Alexa to opt-out of human review of their voice recordings, Bloomberg has reported. This comes after a researcher revealed that some of Google’s Assistant recordings had been listened to by human contractors, and people started to become concerned about what other voice activated assistants do with recorded speech.

A new policy took effect Friday that allows customers, through an option in the settings menu of the Alexa smartphone app, to remove their recordings from a pool that could be analyzed by Amazon employees and contract workers, a spokesman for the Seattle company said. It follows similar moves by Apple, Inc., and Google.

According to Bloomberg, Amazon’s decision to let Alexa users opt-out of human review of their recordings follows criticism that the program violated customers’ privacy. Amazon says the Alexa app will now include a disclaimer in the settings menu that acknowledges that people might review recordings through Alexa. Bloomberg explains how to disable that and opt-out of human review.

The Guardian reported that Apple has suspended its practice of having human contractors listen to users’ Siri recordings to “grade” them. That decision came after a Guardian report that revealed that Apple’s contractors “regularly” hear confidential and private information while carrying out the grading process. The bulk of the confidential information was recorded through accidental triggers of the Siri assistant.

Google posted on The Keyword that it has provided tools for users to manage and control the data in their Google account. You can turn off storing audio data to your Google account completely, or choose to auto-delete data after every 3 months or 18 months.


Is FaceApp Storing Users’ Photos?



You’ve probably seen images of celebrities who have used FaceApp to see what they will look like when they are older. Before you give FaceApp a try, you should be aware of concerns about what the app could be doing with people’s photos.

The Guardian spoke with the FaceApp CEO, Yaroslav Goncharov, who said that only a single picture specifically chosen by the user would be uploaded from a phone and the app did not harvest a user’s entire photo library. The Guardian said this claim was backed by researchers.

Goncharov said the data was never transferred to Russia and was instead stored on US-controlled cloud computing services provided by Amazon and Google. The developer insisted that users had the right to request their photographs be removed from the server. Goncharov said his company does not share any user data with any third parties.

The Guardian rightly pointed out: “However, users ultimately have to rely on the word of the developer that the images are being removed from the system.”

CNN reported that the Democratic National Committee (DNC) sent a security alert to 2020 presidential campaigns not to use FaceApp. Bob Lord, the DNC’s chief security officer, recommended “campaign staff and people in the Democratic ecosystem” should not use the app. He added “If you or any of your staff have already used the app, we recommend that they delete the app immediately.”

The Independent reported part of FaceApp’s terms of service:

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform, and display your User Content and any name, username, or likeness provided in connection with your User Contenting in all media formats and channels now known or later developed without compensation to you.”

In addition, the Independent reported that FaceApp’s privacy policy “makes it clear that it is able to collect and store information from your phone and that it might be used for ads or other forms or marketing.”

It does not appear that the photos you give it are being harvested by Russia. That said, I personally don’t feel like FaceApp is making it clear to users how their photos will be used, or what information it can glean from their phones. This bothers me enough to steer clear of the app.