TikTok Assures U.S. Lawmakers it's Working to Safeguard User Data From Chinese Staff
2.7.22  Social 
Thehackernews
Following heightened worries that U.S. users' data had been accessed by TikTok engineers in China between September 2021 and January 2022, the company sought to assuage U.S. lawmakers that it's taking steps to "strengthen data security."

The admission that some China-based employees can access information from U.S. users came in a letter sent to nine senators, which further noted that the procedure requires the individuals to clear numerous internal security protocols.

The contents of the letter, first reported by The New York Times, share more details about TikTok's plans to address data security concerns through a multi-pronged initiative codenamed "Project Texas."

"Employees outside the U.S., including China-based employees, can have access to TikTok U.S. user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team," TikTok CEO Shou Zi Chew wrote in the memo.

This includes what it calls a narrow set of non-sensitive TikTok U.S. user data, such as public videos and comments, to meet interoperability requirements, while emphasizing that this access will be "very limited" in scope and pursuant to protocols developed in collaboration with the U.S. government.

TikTok, a popular social video-sharing service from Beijing-based ByteDance, has long remained in the crosshairs of U.S. lawmakers over national security risks that could arise from the Chinese government requesting data belonging to U.S. users directly from its parent firm.

But in the letter, the company aimed to reassure that it has never been asked to provide data to the Chinese authorities and that it would not accede to such government inquiries.

TikTok further reiterated that 100% of U.S. user data is routed to Oracle cloud infrastructure located in the U.S., and that it's working with the enterprise software firm on more advanced data security controls that it hopes to finalize "in the near future."

On top of that, the ByteDance-owned company said it's planning to delete U.S. data from its own backup servers in Singapore and the U.S. and fully switch to Oracle cloud servers situated in the U.S.

The latest wave of scrutiny into TikTok follows a report from BuzzFeed News that alleged frequent access by ByteDance staff, citing anonymous employees, who said "everything is seen in China" and referenced a "Master Admin" who "has access to everything."

The company described the allegations and insinuations as "incorrect and are not supported by facts," noting that people who work on these projects "do not have visibility into the full picture."


Twitter Fined $150 Million for Misusing Users' Data for Advertising Without Consent
28.5.22  Social  
Thehackernews
Twitter, which is in the process of being acquired by Tesla CEO Elon Musk, has agreed to pay $150 million to the U.S. Federal Trade Commission (FTC) to settle allegations that it abused non-public information collected for security purposes to serve targeted ads.

In addition to the monetary penalty for "misrepresenting its privacy and security practices," the company has been banned from profiting from the deceptively collected data and ordered to notify all affected users.

"Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," FTC Chair Lina M. Khan said in a statement. "This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue."

According to a complaint filed by the U.S. Justice Department, Twitter in May 2013 began enforcing a requirement for users to provide either a phone number or email address to improve account security.

The intention was to ostensibly help users recover access to their locked accounts as well as enable two-factor authentication by sending a one-time password to the registered phone number or email address after signing in with a username and password.

But what Twitter failed to make transparent was that it also allowed advertisers to use this information to target specific ads by matching it against email addresses and phone numbers already obtained from other third parties such as data brokers.

The social media platform reiterated that the issue was addressed as of September 17, 2019, adding that it will make investments in "operational updates and program enhancements to ensure that people's personal data remains secure and their privacy protected."

"Consumers who share their private information have a right to know if that information is being used to help advertisers target customers," said U.S. Attorney Stephanie M. Hinds for the Northern District of California. "Social media companies that are not honest with consumers about how their personal information is being used will be held accountable."

This development marks the second time Twitter has settled with the U.S. consumer protection watchdog. In March 2011, it admitted to charges that it "deceived consumers and put their privacy at risk by failing to safeguard their personal information," thereby enabling hackers to gain administrative control over the platform twice in 2009.


Twitter's New Owner Elon Musk Wants DMs to be End-to-End Encrypted like Signal
29.4.22  Social  
Thehackernews
Elon Musk, CEO of SpaceX and Tesla and Twitter's new owner, on Thursday called for adding support for end-to-end encryption (E2EE) to the platform's direct messages (DM) feature.

"Twitter DMs should have end to end encryption like Signal, so no one can spy on or hack your messages," Musk said in a tweet.

The statement comes days after the microblogging service announced it officially entered into an agreement to be acquired by an entity wholly owned by Elon Musk, with the transaction valued at approximately US$ 44 billion, or US$ 54.20 per share in cash.

The deal, which is expected to close over the next six months, will see Twitter become a privately held company.

"Free speech is the bedrock of a functioning democracy, and Twitter is the digital town square where matters vital to the future of humanity are debated," Musk said in a statement.

"I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open-source to increase trust, defeating the spam bots, and authenticating all humans."

The continued lack of end-to-end encryption for Twitter direct messages has been a point of concern, with the Electronic Frontier Foundation (EFF) noting how it could undermine user privacy and safety.

"Because they are not end-to-end encrypted, Twitter itself has access to them," the EFF said. "That means Twitter can hand them over in response to law enforcement requests, they can be leaked, and internal access can be abused by malicious hackers and Twitter employees themselves (as has happened in the past)."

Meta, which has been steadily adopting E2EE across its services with plans to complete the rollout sometime by next year, reiterated that privacy is a fundamental human right and that "safe and secure messaging is more important than ever."

A two-year report from Business for Social Responsibility (BSR) commissioned by the tech giant and released this month found that "expanding end-to-end encryption enables the realization of a diverse range of human rights and recommended a range of integrity and safety measures to address unintended adverse human rights."

The independent human rights impact assessment also highlighted the risks arising as a consequence of improved privacy protections, including facilitating child exploitation, distribution of child sexual abuse material (CSAM), and spreading hate speech.

"Yet, the impacts of E2EE go far beyond such a simplistic 'privacy versus security' or 'privacy versus safety' framing," the social media behemoth said in response to the findings.


Signal CEO Resigns, WhatsApp Co-Founder Takes Over as Interim CEO
19.1.2022
Social Thehackernews
Moxie Marlinspike, the founder of the popular encrypted instant messaging service Signal, has announced that he is stepping down as the chief executive of the non-profit in a move that has been underway over the last few months.

"In other words, after a decade or more, it's difficult to overstate how important Signal is to me, but I now feel very comfortable replacing myself as CEO based on the team we have, and also believe that it is an important step for expanding on Signal's success," Marlinspike said in a blog post on Monday.

Executive chairman and WhatsApp co-founder Brian Acton, who famously urged users to #DeleteFacebook in March 2018 and founded the Signal Foundation along with Marlinspike after he walked away from the social media giant in 2017 over a conflict with Facebook's plans to monetize WhatsApp, will serve as the interim CEO while the search for a replacement is on.

Founded in July 2014, Signal has more than 40 million monthly users, in part driven by a surge of new users in January 2021 when Meta-owned WhatsApp enacted a controversial policy change that sparked a privacy backlash over the nature of personal information shared with its parent company.

But the communication app's rapid growth has had its share of downsides, with the company's employees raising concerns about the fallout from potential misuse of the service by malicious actors, which could add ammunition to ongoing debates about weakening encryption protections to facilitate law enforcement investigations.

Complicating matters further is its decision to integrate MobileCoin, purportedly an "encrypted-focused cryptocurrency," into the app to facilitate peer-to-peer payments, a shift that could put private messaging at risk not only by attracting regulatory scrutiny but also by serving as an open invitation for criminals to exploit the platform to their benefit.

"Signal and WhatsApp have effectively protected end-to-end encryption from multiple legal attacks at the state and federal level," Alex Stamos, Facebook's former chief security officer, told The Platformer last week.

"But the addition of pseudo-anonymous money transfer functions greatly increases their legal attack surface, while creating the possibility of real-life harms (extortion, drug sales, CSAM sales) that will harm them in court, legislatures and public opinion."

Security researcher Bruce Schneier had a similar take last year when Signal began testing support for MobileCoin payments.

"Secure communications and secure transactions can be separate apps, even separate apps from the same organization," Schneier said. "End-to-end encryption is already at risk. Combining it with a cryptocurrency means that the whole system dies if any part dies."


Facebook Launches 'Privacy Center' to Educate Users on Data Collection and Privacy Options
14.1.2022
Social Thehackernews

Meta Platforms, the company formerly known as Facebook, on Friday announced the launch of a centralized Privacy Center that aims to "educate people" about its approach with regards to how it collects and processes personal information across its family of social media apps.

"Privacy Center provides helpful information about five common privacy topics: sharing, security, data collection, data use and ads," the social technology firm said in a press release.

The first module, Security, will offer easy access to common tools such as account security settings and two-factor authentication. Sharing will provide specifics about post visibility and settings to archive or trash old posts. Collection and Use will give users a quick glance at the type of data Meta harvests and show how and why it's used, respectively. Lastly, the Ads section will furnish information regarding a user's ad preferences.

The learning hub is expected to be initially limited to a small pool of people using Facebook on desktop in the U.S., with plans to roll it out to a broader set of users and more of its apps in the coming months. Users part of the pilot will be able to access Privacy Center by navigating to Settings and Privacy on the desktop version of Facebook.

Privacy Center joins a plethora of other tools already offered by the tech giant, including Privacy Shortcuts and Privacy Checkup, both of which guide users through some of the privacy and security settings on the platform and review their choices. Where the new feature differs is that it hopes to serve as a one-stop place to navigate the myriad privacy and security controls available across Facebook, Instagram, and WhatsApp.

Over the years, Facebook's privacy controls have emerged as a magnet for controversy for being confusing to the point of not being useful enough to protect users' data, not least driven by labyrinthine menus and obtuse wording that are designed to push users away from making privacy-friendly choices on its service.

The so-called "dark patterns" — subtly coercive user interface design — came under the spotlight in June 2018, when a report by the Norwegian Consumer Council, titled Deceived by Design, revealed how "default settings and dark patterns, techniques and features of interface design meant to manipulate users, are used to nudge users towards privacy intrusive options."

In punishing users for choosing privacy over sharing, the report called out Facebook and Google's "privacy intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users."

A subsequent study of Facebook's desktop user interface undertaken by researchers from the University of Bremen in March 2021 noted that "the way in which Facebook handles control over privacy settings sets an example for a novel dark pattern," adding that by "placing all privacy settings behind several interface layers, Facebook actively offers a well designed but incomplete alternative to handle them."