Category Archives: Privacy

Amazon Allows You to Disable Human Review of Recordings

Amazon is now allowing people who use Alexa to opt-out of human review of their voice recordings, Bloomberg has reported. This comes after a researcher revealed that some of Google’s Assistant recordings had been listened to by human contractors, and people started to become concerned about what other voice activated assistants do with recorded speech.

A new policy took effect Friday that allows customers, through an option in the settings menu of the Alexa smartphone app, to remove their recordings from a pool that could be analyzed by Amazon employees and contract workers, a spokesman for the Seattle company said. It follows similar moves by Apple, Inc., and Google.

According to Bloomberg, Amazon’s decision to let Alexa users opt-out of human review of their recordings follows criticism that the program violated customers’ privacy. Amazon says the Alexa app will now include a disclaimer in the settings menu that acknowledges that people might review recordings through Alexa. Bloomberg explains how to disable that and opt-out of human review.

The Guardian reported that Apple has suspended its practice of having human contractors listen to users’ Siri recordings to “grade” them. That decision came after a Guardian report that revealed that Apple’s contractors “regularly” hear confidential and private information while carrying out the grading process. The bulk of the confidential information was recorded through accidental triggers of the Siri assistant.

Google posted on The Keyword that it has provided tools for users to manage and control the data in their Google account. You can turn off storing audio data to your Google account completely, or choose to auto-delete data after every 3 months or 18 months.

Is FaceApp Storing Users’ Photos?

You’ve probably seen images of celebrities who have used FaceApp to see what they will look like when they are older. Before you give FaceApp a try, you should be aware of concerns about what the app could be doing with people’s photos.

The Guardian spoke with the FaceApp CEO, Yaroslav Goncharov, who said that only a single picture specifically chosen by the user would be uploaded from a phone and the app did not harvest a user’s entire photo library. The Guardian said this claim was backed by researchers.

Goncharov said the data was never transferred to Russia and was instead stored on US-controlled cloud computing services provided by Amazon and Google. The developer insisted that users had the right to request their photographs be removed from the server. Goncharov said his company does not share any user data with any third parties.

The Guardian rightly pointed out: “However, users ultimately have to rely on the word of the developer that the images are being removed from the system.”

CNN reported that the Democratic National Committee (DNC) sent a security alert to 2020 presidential campaigns not to use FaceApp. Bob Lord, the DNC’s chief security officer, recommended “campaign staff and people in the Democratic ecosystem” should not use the app. He added “If you or any of your staff have already used the app, we recommend that they delete the app immediately.”

The Independent reported part of FaceApp’s terms of service:

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform, and display your User Content and any name, username, or likeness provided in connection with your User Contenting in all media formats and channels now known or later developed without compensation to you.”

In addition, the Independent reported that FaceApp’s privacy policy “makes it clear that it is able to collect and store information from your phone and that it might be used for ads or other forms or marketing.”

It does not appear that the photos you give it are being harvested by Russia. That said, I personally don’t feel like FaceApp is making it clear to users how their photos will be used, or what information it can glean from their phones. This bothers me enough to steer clear of the app.

Apple Removed the Zoom Vulnerability

Good news for Mac users who had Zoom installed on their computers! TechCrunch reported that Apple has released a silent update for Mac users that removes a vulnerable component in Zoom. The update does not require any user interaction and is deployed automatically.

Apple often pushes silent signature updates to Macs to thwart known malware – similar to an anti-malware service – but it’s rare for Apple to take action publicly against a known or popular app. The company said it pushed the update to protect users from the risks posed by the exposed web server.

TechCrunch quoted Zoom spokesperson Priscilla McCathy who said (in part): “We are happy to have worked with Apple on testing this update.”

Apple’s update comes after Zoom released a fix for the vulnerability that enabled nefarious people to put a link into a website that would automatically cause a Zoom user to connect to Zoom with their video running.

The patch does two things. It removes the local web server entirely, once the Zoom client has been updated. In other words, it completely removes the local web sever from a Mac. The patch also allows users to manually uninstall Zoom.

Mac users may see a pop-up in Zoom that tells them to update their Zoom client. There is a link on the Zoom blog where you can download the update. Or, you can check for updates by opening your Zoom app window.

Zoom Mac Client Vulnerability Enables Cameras Without Permission

Have you used Zoom for web conferencing, podcasting, or anything else? Be aware that there is a vulnerability in the Mac Zoom Client that can enable your camera without your permission. Uninstalling Zoom does not fix the problem.

Jonathan Leitschuh posted a very detailed article on Medium explaining the situation. In short, the vulnerability in the Mac Zoom Client allowed any malicious website to enable your camera without your permission. According to Jonathan Leitschuh, this issue potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

If I’m understanding this correctly, the vulnerability takes advantage of a Zoom feature that allows users to send anyone a link. When the person opens that link in their browser, the Zoom client opens on their machine. A mean-spirited person could embed a specific piece of code into a website. When a Zoom users visits that website, the user will be connected to Zoom with their video running.

Zoom posted a “Response to Video-On Concern” on the Zoom blog. In the blog, Zoom explains that “if the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed.”

Zoom explains that the Zoom client runs in the foreground upon launch. It would be readily apparent to a user that they had unintentionally joined a meeting, and the user could change their video settings or leave the meeting immediately. According to Zoom, “we have no indication that this has ever happened.”

You can click on a link in the Zoom blog to connect with their support team. Zoom says it will go live with a public vulnerability disclosure program in the next several weeks. Until then, I recommend putting a sticker over your camera.

Superhuman Makes Changes After Criticism

Superhuman describes itself as “the fastest email experience ever made”. That may sound great to people who send and receive a lot of email. Unfortunately, Superhuman was also doing some very creepy, and potentially dangerous, things.

After some very detailed criticism of Superhuman by Mike Davidson, (on his personal blog), the Founder and CEO of Superhuman, Rahul Vorhra, decided to make some badly needed changes.

Mike Davidson pointed out that Superhuman decided to embed hidden tracking pixels inside of the emails that customers of Superhuman send out. Superhuman called that feature “Read Receipts”. It turns on by default for Superhuman customers, and without the consent of the recipients of the emails.

The so-called “Read Receipt” function enables the sender to know how many times the recipient opened that email, the times the email was opened, and the location of the recipient when they opened it. The recipient, who likely is not using Superhuman for their email, has no idea they are being tracked this way. In short, this function enables people to stalk whomever they send an email to.

Rahul Vohra provided details about changes that he would make to Superhuman in a post on Medium. In it, he explains how Superhuman users can turn read statuses off. When you do that, Superhuman will not include tracking pixels in sent emails.

Superhuman will also stop logging location information for new email. It will no longer show location information. They are deleting all historical data from their apps, and making the “read status” feature something users must opt-into.

Personally, I think that means that some of the email you receive from Superhuman users will contain tracking pixels. The opt-in does not solve the problem – it allows it to continue.

I highly recommend reading both of those posts in order to get the full details about the situation. The problems with Superhuman could have been avoided if Rahul Vorha and his team had bothered to take the time to get feedback from a diverse group of people before implementing features that invade people’s privacy.

Facebook Portal Will Spy On You After All

As reported by Recode, and with a small dose of “Told you so“, Facebook has clarified that it will spy on you using its new Portal devices after all.

In an email sent to Recode, Facebook said, “Portal voice calling is built on the Messenger infrastructure, so when you make a video call on Portal, we collect the same types of information (i.e. usage data such as length of calls, frequency of calls) that we collect on other Messenger-enabled devices. We may use this information to inform the ads we show you across our platforms. Other general usage data, such as aggregate usage of apps, etc., may also feed into the information that we use to serve ads.

I don’t have to put up with this kind of privacy abuse when I use my landline or my smartphone to make a voice call. Why should it be acceptable at all just because it’s a video call?

Imagine I phoned a retailer using their toll-free number and then I was phoned a few days later by a competitor, perhaps offering a discount. The phone company had sold my phone number to the competitor on the basis of the original call. Now, I’m fairly sure that would be flat out illegal in most countries – I’m not a lawyer but I’m pretty sure in Europe the GDPR regulations would stop that – but here we are with Facebook potentially showing us ads on the basis of who we talk to. This is just wrong, wrong, wrong.

I am increasingly of the opinion that these social media giants need regulation to ensure our rights are maintained. Keeping private both conversations, and the data about conversations, would be a very good place to start.

35 Years from Today

35 Years from today you, your spouse, your son or daughter may be involved in an investigation where an entity needs to know where you were at this exact time 35 years ago. For most of us to answer that would be nearly impossible to answer.

But Apple, Google, Facebook, Instagram, Snapchat, Fitbit and any other app or device that you use or wear pretty much knows exactly where you were at any given time, and even better the 100 people that where physically closest to you.  If you think about the metadata being collected on each of us today is incredible.

After all Google Maps recent update is even helping you with known routes and drop-offs and things of interest in between targeting you with advertising. Apps like Woz will even be able to tell an investigator if you had to deal with traffic during your commute.

Recent political events where the Supreme Court nominee produced a calendar of his daily life from 35 years ago got me to thinking about this quite a bit. The tech we carry in our pockets and purses has the most comprehensive digital diary known to man.

We have already seen Google Map data used in divorce proceedings and a variety of other legal events So whats to say that our lives will not be re-constructed later with the digital footprint we have today.

Photo by Paweł Czerwiński on Unsplash