
Facebook privacy policy criticised

Written by Unknown on Tuesday, 24 February 2015 | 23.43

24 February 2015 Last updated at 13:28

Facebook has been accused of breaking European data-protection laws, in a report written for Belgium's privacy watchdog.

The social network placed "too much burden" on users to navigate its complex settings, said the report.

Also, it said, people were not told enough about how data Facebook gathered on them was used in adverts.

In response, Facebook said it was confident its policies and terms complied with relevant laws.

Complicated collection

The report was drawn up in response to Facebook's announcement it was updating its privacy policy and its terms and conditions. The updated terms were implemented on 30 January.

The report, written by academics from the University of Leuven, said the changes were not "drastic" but instead clarified what Facebook had been doing for some time.

The clarification led the report's authors to conclude that Facebook was "acting in violation of European law" governing:

  • how data is gathered about people
  • what is done with the information
  • how people are informed about these practices

Facebook had a very complicated collection of settings which made it difficult for people to make an informed choice or be sure they were not surrendering data they wanted to keep private, said the report.

Users should get more information about which information was being shared and which organisations saw it, added the report.

In response, Facebook said its updated terms and policies were much clearer and more concise and helped "expand" the control people had over advertising.

It said its privacy policies and terms were overseen by the Irish data protection commissioner, which made sure they both complied with broader European laws on how data was gathered and used for advertising.

"We're confident the updates comply with applicable laws," it added.

The report comes as European law makers are grappling with a significant update to the region's data-protection regime. The updated laws are expected to be in force from 2017 onwards.



Ad tool is 'worse than Superfish'

23 February 2015 Last updated at 19:51 By Jane Wakefield Technology reporter

Researchers have identified a fresh threat to the way consumers interact with websites, this time from software designed to block advertisements.

PrivDog has been found to compromise a layer of the internet known as Secure Sockets Layer (SSL) - used to safeguard online transactions.

It follows the discovery of a similar problem with Superfish, software pre-installed on some Lenovo computers.

PrivDog said that its issue might compromise more than 57,000 users.

"The issue potentially affects a very limited number of websites," the firm said in a statement.

"The potential issue has already been corrected. There will be an update tomorrow, which will automatically update all 57,568 users of these specific PrivDog versions."

PrivDog - a tool designed to block ads and replace them with ones from "trusted sources" - joins a growing list of software affected by related security flaws.

Experts say they have uncovered a further dozen examples since Superfish was brought to the public's attention last week.

Superfish was designed to help users find products by visually analysing images on the web to find the cheapest ones.

But it compromises security by intercepting connections and issuing fake certificates - the IDs used to identify websites - to trick sites into handing over data. This is a practice commonly known as a man-in-the-middle attack.

Lenovo has since issued a tool to allow users to remove the hidden software. It now faces legal action from a group of users who say that it acted unlawfully in pre-loading it.

Shocking

PrivDog has been described by several experts as being "worse than Superfish".

A particular concern is its links to the security firm Comodo, which issues a third of the secure certificates used on the web.

PrivDog was developed by the founder of Comodo, Melih Abdulhayoglu, and some versions of it are packaged with Comodo's own software.

But Comodo told the BBC that the affected versions "had never been distributed" by it.

A discussion begun on the Hacker News forum first uncovered that in the process of swapping adverts, PrivDog also appeared to leave machines vulnerable to attack.

In a blogpost freelance technology journalist Hanno Boeck explained: "A quick analysis shows that it doesn't have the same flaw as Superfish, but it has another one which arguably is even bigger."

"PrivDog is in every sense as malicious as Superfish," added Simon Crosby, co-founder of security firm Bromium.

"It intercepts and decrypts supposedly secure communication between the browser and a remote site - such as the user's bank - ostensibly to insert its own advertising into pages in the browser.

"It is substantially more scary, though, because PrivDog effectively turns your browser into one that just accepts every https certificate out there without checking its validity, increasing vulnerability to phishing attacks, for example."

User privacy

Last week Comodo announced that it had become the number one digital certificate authority in the world, with its products used by nearly 35% of all websites ending in .com.

"They are one of the leading certificate authorities, and the fact that PrivDog is issuing fake certificates is shocking," said Marc Rogers, principal researcher at security firm CloudFlare.

In a blogpost written at the beginning of 2014, Mr Abdulhayoglu said that he had developed PrivDog "with the privacy of the user in mind".

"Isn't it great that the company whose DNA is about your security makes more money so that they can continue to innovate and invest in products that make you safer," he wrote at the time.

Parental controls

Security experts have identified a growing list of software that appears to interfere with SSL.

Most of the products were developed by security firms, said Mr Rogers.

They include anti-malware software and tools designed to offer parents more control over their children's web browsing.

All can be traced back to Komodia - technology developed by an Israeli firm, which describes itself as a "SSL hijacker".

At the time of writing, Komodia's website was offline. It blamed this on a denial-of-service attack prompted by "recent media attention".



Yahoo and NSA clash over encryption

24 February 2015 Last updated at 13:16

A Yahoo executive has publicly challenged the National Security Agency (NSA) over encryption "backdoors".

Alex Stamos pressed NSA director Adm Mike Rogers on whether the access to encrypted data requested by the US authorities should also be granted to the Russian and Chinese governments.

Adm Rogers insisted an agreement could be reached "within a framework".

The tense exchange came after many top tech figures refused to attend a White House cybersecurity summit this month.

"If we're going to build defects, backdoors or golden master keys for the US government, do you believe we should do so... for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government?" asked Mr Stamos, Yahoo's chief information security officer.

After initially dodging the question, Adm Rogers - who took over as director of the NSA last year - responded: "I think that we're lying that this isn't technically feasible.

"Now, it needs to be done within a framework. I'm the first to acknowledge that."

According to a transcript provided by the Just Security website, he argued that he did not want the FBI and NSA to unilaterally decide what access they should have, but insisted an agreement was achievable.

Pressed on whether he thought that access should also be granted to other nations' governments, Adm Rogers said: "I think we can work our way through this."

Mr Stamos responded: "I'm sure the Chinese and Russians are going to have the same opinion."

The exchange took place before delegates at a cybersecurity conference hosted by the New America Foundation on Monday.

There has been an increasingly tense relationship between the US authorities and Silicon Valley since information was leaked by NSA whistleblower Edward Snowden.

Encryption of user data has subsequently become increasingly popular and, in some cases, the companies hand over the keys to users, making it difficult to break.

But the White House has asked tech firms to share more data with law enforcement agencies. And the US authorities want them to build in vulnerabilities that they would be able to exploit.

The rift was illustrated when, earlier this month, senior Google, Yahoo and Facebook executives turned down invitations to a White House cybersecurity summit at Stanford University.

Tim Cook, of Apple, was one of the few top tech bosses to appear.

Adm Rogers told the conference on Monday that the NSA needed a way to access data if it was believed that a device was "being used for criminal, or in my case, foreign intelligence or national security issues".

But he acknowledged that there were legitimate concerns to be addressed before a "legal framework" could be established.



Net of things starter kit unveiled

24 February 2015 Last updated at 00:39

A "starter kit" designed to spur on the invention of internet-connected gadgets has been announced as part of a tie-up between two leading tech firms.

Chip designer ARM and cloud services giant IBM say it can take just five minutes to unbox the equipment and start sending readings to online apps.

They suggest this will make it easier to test smart home, smart city and other "internet of things" prototypes.

One expert said small start-ups would be among those that could benefit.

The IoT Starter Kit consists of two parts:

  • a pre-configured microcontroller development board - featuring one of ARM's Cortex-M4 processors and a small amount of built-in memory - which is designed to be dedicated to a single task
  • a sensor expansion board, containing a thermometer to measure temperature, an accelerometer to measure motion, two potentiometers - kinds of rotating dimmer knobs, a buzzer, a small joystick, an LED light that can show three different colours, and a rectangular black-and-white LCD display

These two components fit together and can be attached to the net via an ethernet cable and to other computer equipment via a USB link.

This provides a way to take readings about the kit's surrounding environment and the state of physical objects it is attached to.

Instructions contained in the box guide the owner to visit an IBM website.

If the owner enters the device's credentials on this site they can see the data it is recording in real-time.

In addition they can access a variety of tools created by IBM and other firms to analyse the information and/or funnel it through online programs that in turn control other internet-connected equipment.

One example the firms gave for how this might be used in real-life involved using the kit to send information about local conditions to a remote data centre, which in turn would send back commands to a smart lighting system made up of internet-connected bulbs.

Another more grisly suggestion was to connect a set of smart mouse traps to the internet, allowing a building janitor to know which ones had been triggered and avoid having to check each one in person.

"Frankly the use cases are bounded only by human imagination," said IBM's vice president of development Rob Lamb.

Zach Shelby, ARM's vice president of marketing, added: "[It's for] anybody who is into making products, whether they are makers who have a Kickstarter idea...all the way up to the device engineers for the big companies."

The boxed kit will be manufactured by another company, Freescale. The price has yet to be set, but ARM said it should be somewhere between $50 (£32) and $200.

Internet of things explosion

The components in the starter kit are not new, but by bundling them together ARM and IBM hope to tempt developers to their ecosystems rather than those of rivals.

Nearly five billion internet-connected "things" - including fridges, sprinkler systems and cars - will be in use by the end of the year, and that figure is set to rise four-fold by 2020, according to the tech consultancy Gartner.

ARM makes money by both licensing its chip designs to computer manufacturers and charging firms using its forthcoming "internet of things" mbed operating system to securely transmit readings back to data centres.

IBM provides a range of compatible cloud services, including the Bluemix platform, which allows online apps to be built and run, and Watson, an artificial intelligence-enhanced analytics system.

Its goal is to entice developers who buy the kit with free trials of these products and then convince them to pay for their regular use and associated storage.

"This is a very sensible partnership for the firms to have because they can offer a complete start-up kit," said Ruari McCallion, a writer for trade magazine The Manufacturer.

"But the lower the price comes the better."

ARM said the kit would be on sale within "months not quarters" but could not be more exact.



'Digital legacy' letter plea issued

24 February 2015 Last updated at 05:37

People need to consider their "digital legacy" and whether they want relatives to access their online accounts after they die, a funeral company has said.

Research for Co-operative Funeralcare has highlighted the difficulties people have experienced when trying to deal with a loved one's internet identities.

The firm suggests people could put the account details, including passwords, in a sealed letter to their executors.

It comes after Facebook this month unveiled legacy settings for its users.

Facebook was following in the footsteps of Google and other technology companies when it added the new setting that gives people the option of having their account permanently deleted, or some aspects passed to the control of a friend or relative when they die.

A Co-operative survey found that while almost all bank customers now have access to their accounts online, three out of four have not made any arrangements for the details to be passed on.

The poll of more than 2,000 adults also discovered that almost 80% of those who attempted to manage online bank, utility, shopping and social media accounts following a death said they had experienced problems.

Only 16% of people, however, said they wanted their next of kin to have access to their social media accounts, with around the same number saying they would like them to stay in touch with their online contacts.

The Co-operative said that while it was suggesting people may like to include their account information in a sealed letter to their executors, the details should never be included in a will, as it could become a public document after their death.

Sam Kershaw, director of operations for Co-operative Funeralcare, said: "Conversations about end of life are never easy. However, as we increasingly live and manage our lives online, communicating with a loved one about the accounts you hold and what you would want to happen to them may greatly help should they ever need to access, manage or close accounts on your behalf."



LinkedIn settles password hack claim

24 February 2015 Last updated at 13:47

Business networking site LinkedIn has paid $1.25m (£810,000) to settle a legal claim filed after millions of passwords were stolen.

The 6.5 million passwords were stolen in June 2012 and posted to a website hosted in Russia.

LinkedIn users who pay to use the service launched legal action claiming their data was not being well protected.

The cash settlement will be shared among LinkedIn's paying American users.

The company has set up a website to handle the claims people can file to get their share of the cash. Only those who paid to use the site between 15 March 2006 and 7 June 2012 are eligible. The maximum each person can claim is $50.

Users have until 2 May this year to file their claim.

The legal action was brought by users who alleged that LinkedIn had put their personal information at risk by not taking standard steps to protect passwords if they were stolen.

On the website, LinkedIn denied that it had done anything wrong and said the cash settlement was the best way to resolve the legal claims and would "avoid the distraction and expense of ongoing litigation".

Any money left unclaimed would be distributed among the Center for Democracy and Technology, the World Privacy Forum and the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University, said LinkedIn.



Google warns Blogger users over porn

24 February 2015 Last updated at 11:42

Google has warned users of its Blogger platform that blogs containing sexually explicit images and videos will be made private on 23 March.

None of the blogs will be deleted, but they will no longer be publicly visible, the tech giant says.

People currently posting adult content are advised to either remove it or make their blogs private themselves.

Blogs created after the March deadline may be taken down if they contain adult material, the updated terms state.

Under the updated adult policy terms, nudity will be allowed on Blogger blogs only if it "offers a substantial public benefit, for example in artistic, educational, documentary, or scientific contexts".

Bloggers are already asked to use the tag "adult" if their site contains explicit material, which means a warning page appears before the site can be accessed.

Under its current terms, Google reserves the right to add that tag itself even if the blog author disagrees.

In 2013 the company banned Blogger sites from carrying adverts for adult websites.

Censorship

Yahoo-owned Tumblr also adjusted its policies on hosting sexual content in 2013, hiding "adult" themed sites from its search tool but reinstated them after a social-media backlash.

Critics have dismissed Google's move as an unnecessary form of censorship.

"Adult content has historically been at the forefront of fighting for free speech and political dissent, and this won't be changing anytime soon," wrote journalist and sex columnist Violet Blue on ZDNet.

"Sexual and erotic expression is protected speech, and pornography is not illegal."



Phones can be tracked by battery use

23 February 2015 Last updated at 12:41 By Zoe Kleinman Technology reporter, BBC News

Android phones can be tracked without using their GPS or wi-fi data by studying their power use over time, a study has found.

A smartphone uses more power the further away it is from a cellular base and the more obstacles are in its way as it reaches for a signal.

Additional power use by other activities could be factored out with algorithms, the researchers found.

They created an app designed to collect data about power consumption.

"The malicious app has neither permission to access the GPS nor other location providers (eg cellular or wi-fi network)," the team - Yan Michalevsky, Dan Boneh and Aaron Schulman, from the computer science department at Stanford University, along with Gabi Nakibly, from Rafael Ltd - wrote in their paper.

"We only assume permission for network connectivity and access to the power data.

"These are very common permissions for an application, and are unlikely to raise suspicion on the part of the victim."

There are 179 apps currently available on Android app store Google Play that request this information, the team add.

Activity such as listening to music, activating maps, taking voice calls or using social media all drain the battery but this can be discounted due to "machine learning", the report says.

"Intuitively the reason why all this noise does not mislead our algorithms is that the noise is not correlated with the phone's location," it says.

"Therefore a sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise."

The tests were carried out on phones using the 3G network but did not measure signal strength as that data is protected by the device.

'Stuffed with sensors'

"With mobile devices now becoming ubiquitous, it is troubling that we are seeing so many ways in which they can be used to track us," said cyber-security expert Prof Alan Woodward, from Surrey University.

"I think people sometimes forget that smartphones are stuffed full of sensors from gyroscopes and GPS to the more obvious microphones and cameras.

"This latest work shows that even that basic characteristic (power consumption) has the potential to invade privacy if monitored in the right way," he added.

"We are approaching the point where the only safe way to use your phone is to pull the battery out - and not all phones let you do that."



Apple invests 1.7bn euros in centres

23 February 2015 Last updated at 14:51

Apple is to invest 1.7bn euros (£1.25bn) developing data centres in the Republic of Ireland and Denmark.

The centres will be located near Athenry in County Galway and Viborg, central Jutland.

The County Galway centre will be built on land owned by the state forestry agency in the Republic of Ireland, Coillte.

It will create work for up to 300 people, though most of those jobs will be in the construction phase.

The company is aiming to have the centre powered entirely by renewable energy.

Data centres contain racks of computer servers and consume a large amount of power, keeping them cool.

The centres will be used by Apple to operate services such as its online music and app stores.

The Irish Prime Minister Enda Kenny said: "It is a very significant investment in the west of Ireland and is fantastic news for Athenry with significant knock-on benefits for the region."



Pebble crowdfunds new smart watch

24 February 2015 Last updated at 15:01 By Zoe Kleinman Technology reporter, BBC News

Pebble is returning to crowdfunding website Kickstarter to build its second smartwatch, Pebble Time.

The new device will have a colour e-paper display and up to seven days battery life, the firm claimed.

It will also have a microphone enabling users to send short voice replies to notifications and messages received from the watch via their smartphone.

Pebble raised more than $10m (£6.4m) in crowdfunding for its first generation device.

It has since sold more than one million Pebble watches.

In the first hour following the announcement of Pebble Time more than $2m (£1.2m) had been raised by roughly 11,000 backers, smashing the device's initial fundraising target of $500,000 (£323,000).

"Pebble was first brought to life by 69,000 backers and people who supported our vision three years ago. We could not think of a better way to share our new watch," said Eric Migicovsky, chief executive of Pebble.

"With Pebble Time, we're launching completely new hardware and re-imagined software."

The new watch will be 20% thinner than its predecessor and comes with a smart accessories port which the firm hopes will encourage developers to build hardware for it.

A new operating system organises alerts chronologically - although the screen is not a touchscreen.

Pebble intends to ship the new watch to its crowdfunder backers at the end of May, and have it on sale worldwide by the end of the year with a retail price of $199 (£128).

Some experts said that size was one factor affecting the smartwatch industry.

"It seems more intelligent but one problem will be readability under various light conditions," said watch expert Alexander Linz.

"I have to wear reading glasses - I couldn't read a watch without glasses.

"A mini screen with limited resolution will probably not have big success because it is hard to read - even the iPhone got bigger in the end."

Mr Linz added that future generations of smart watches were likely to come with Near Field Communication (NFC) tools, enabling the device to be more autonomous - which Pebble Time does not have.

"NFC will be the future," he said.

"Without it, take away the smartphone and ask yourself what is left. It's a mirror on your wrist mirroring information from your phone."

