Privacy News Roundup 1 January 2017

White House fails to make a convincing case for Russian hacking of US election

Following serious allegations of Russian-backed hacking during the US presidential election, the government’s analysis of the claim has fallen short.

It was hoped that the 13-page Joint Analysis Report (JAR), which was published jointly last Thursday by the Department of Homeland Security and the FBI, would be an indictment demonstrating the Russian government’s hacking of the Democratic National Committee, the Democratic Congressional Campaign Committee and Clinton Campaign Chief John Podesta.

Private sector security companies have argued for months that hackers had influenced the election and were working for the Russian government, though anonymous sources related to the leaks have claimed that the hackers acted alone. Other independent experts claim that it would be difficult to uncover the true origins of the attacks.

The JAR failed to provide a smoking gun implicating the Russian government; instead, it restates claims made by the private sector without providing evidence. The JAR also promises newly classified intelligence into the “tradecraft and techniques” of Russian hackers.

Robert M. Lee, the CEO and founder of the security organization Dragos, wrote the following last week:

This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations,

It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little.

Part of the inaccuracy of the report, Lee noted, is its conflation of the Russian hacking groups APT28 and APT29 with malware names such as BlackEnergy and Havex, as well as with actual hacking capabilities. The confusion calls into question the validity of the report as a whole and the credibility of the intelligence community.

The White House has failed to prove the alleged involvement of the Russian government in the 2016 US presidential election hacking scandal. Source: Aljazeera.

US government now collecting visitors’ social media accounts

The US government has begun requesting that visitors to the country submit their social media information to the Customs and Border Protection (CBP) before entry into the country. The CBP said that the process is part of a wider effort to identify potential “terrorist threats”.

Many visitors must now submit data as part of the online Electronic System for Travel Authorization, a visa waiver application. Through the system, users can choose to link social platforms, such as Facebook, Twitter, Instagram, Google+, YouTube and LinkedIn, and can use extra space to list other, lesser-known platforms.

Privacy rights groups have pointed out that there is only limited information about how the CBP and other agencies might use visitor information. It has also been pointed out that the practice infringes the First and Fourth Amendments, which protect freedom of expression and guard against unreasonable searches and seizures.

CBP introduced the practice last week, though it has said that for now it will not bar entry to those who decline to provide their social media information. Approximately 10 million visa applications are approved every year for visitors coming into the country, with 77.5 million foreign visitors arriving in 2015 alone. In this latest move, the CBP’s retention of social media data will be the largest government-controlled database of its kind.

The US Customs and Border Protection has begun asking visitors to the country for social media data. Source: Wikipedia

Facebook is buying information from data brokers about its users’ offline lives

Facebook users might not be aware that the tech giant is now buying sensitive data about them, such as details about their income, the types of restaurants they frequent and which credit cards they own.

Since September, ProPublica has been encouraging Facebook users to share the categories of interest that the site has assigned to them. The company has collected 52,000 unique attributes that Facebook has used to classify users.

Facebook has said that it gets its information “from a few different sources”, including detailed dossiers obtained from commercial data brokers about users’ offline lives. What’s also concerning is that, for the most part, users aren’t aware that this is happening and have no way of accessing the data held on them.

Jeffrey Chester, executive director of the Center for Digital Democracy, said that “Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well.”

In its defense, Facebook said that it doesn’t inform users about the third-party data retention because it is not collected by Facebook and is widely available.

Facebook’s manager of privacy and public policy, Steve Satterfield, said: “Our approach to controls for third-party categories is somewhat different than our approach for Facebook-specific categories.” He added: “This is because the data providers we work with generally make their categories available across many different ad platforms, not just on Facebook.”

For those who don’t want their information to be available on Facebook, Satterfield said users should contact the data brokers directly. He said that users can visit Facebook’s Help Centre, which provides links for opt-outs for six data brokers selling personal data to Facebook.

Facebook is now using third parties to buy sensitive data about its users’ offline lives. Source: Wikipedia
