Subscribe and receive Social Media CyberWatch in your inbox.

Table of Contents

• Prominent Privacy Research Findings
• Legislative Updates & Responses
• Service Provider Landscape

Prominent Privacy Research Findings

New research identifies users from limited data points

A new study published in Scientific Reports demonstrates that only four data points unique to a particular time and place are enough to uniquely identify almost any individual. Data from over 1.5 million people were gathered from mobile devices to support these conclusions. The BBC reports the findings reveal that even if mobile numbers and other personal details were removed from data sets, the mobility information alone may be enough to trace back to a particular individual. This could pose a privacy risk if “anonymized” data sets were shared with third parties. Other recent social media research findings similarly show that such a small number of data points may identify a user. Another report found that Facebook ‘likes’ can form surprisingly accurate personal portraits. Among the researchers’ findings were that male sexuality can be identified with 88 percent accuracy, and U.S. political affiliation (whether Democrat or Republican) with 85 percent accuracy.

Research sheds light on why people don’t act according to their privacy wishes

A recently-published longitudinal study of privacy practices demonstrates that a sample of Facebook users had gradually become less likely to share their personal information publicly. This persisted until policy and interface changes by Facebook partially arrested the trend. Other findings from the same research team argues that the idea of treating privacy as a matter of understanding and control over one’s personal data may be a false comfort. Indeed, people often do not act in their stated best interest when making transactions involving their personal information. Furthermore, the researchers found that more detailed user control over how one’s personal information is used encourages people to share more sensitive information with larger audiences.

Back to top

Legislative Updates & Responses

Proposed CFAA revision sparks controversy

A recently-proposed revision to the U.S. Computer Fraud and Abuse Act (CFAA) that would  broaden its scope has met broad criticism from academics, advocacy groups, the popular press, many of whom criticize the current state of the law as overbroad. The 1986 Act criminalizes gaining unauthorized access to computer systems. A Los Angeles Times editorial argues that the act’s ambiguity as to what constitutes authorization makes it susceptible to abuse. For example, the prosecution of activist Aaron Swartz equated a violation of Terms of Service agreements with unauthorized access. The EFF notes that the proposed revision to the act would quadruple maximum jail sentences for the crimes Swartz was accused of. Meanwhile, law professor Eric Goldman argues the law has evolved from one meant to prevent malicious hacking to one that restricts general unauthorized access to intangible assets such as intellectual property. He proposes the CFAA and similar laws be amended to retain only restrictions on defeating security measures and denial-of-service attacks.

Service providers distance themselves from CISPA as petition campaigns gain traction

The revived Cyber Intelligence Sharing and Protection Act (CISPA) has faced criticism for its broad, ambiguous language that has been argued to create exemptions to privacy laws in the name of cybersecurity. A Wired editorial argues the law would facilitate the usage of personal information collected under the act for prosecutions of crimes unrelated to cybersecurity. In response to the revised act, a campaign to stop the bill organized by advocacy groups and activists seeks petition signatures to send to the U.S. Congress. Similarly, a petition on the White House website to stop the bill has reached over 100,000 signatures, enough to mandate a response from the Obama administration. Shortly thereafter, Facebook joined Microsoft in dropping its support for the bill, the former company citing privacy concerns. Both companies have stated they favour a more “balanced” approach to security and privacy.

Back to top

Service Provider Landscape

Google shutters another “quasi-public” service

Many users of Google Reader petitioned for it to be saved after the company announced it would be shutting down the service later this year. This is just the latest of a series of high-profile service discontinuations by the tech giant. The demise of Reader particularly frustrated those who use the service to bypass Internet censorship systems. The service has been used to evade many filtering systems because the Reader software tramsits websites securely via Google’s own servers (located in the U.S.), rather than directly from third party servers which may be blocked by censors. While other RSS services that operate in a similar technical manner as Google Reader, these services will face a challenge in replicating Reader’s success as a censorship-circumvention tool because a large part of Reader’s power arguably comes from people’s trust in Google’s brand.

Microsoft releases its first transparency report

Earlier this month, Microsoft released its first Law Enforcement Requests Report, similar to the “transparency reports” released by Google and Twitter. The report reveals that Microsoft complied with 79 percent of U.S. government requests for subscriber data and 83 percent of requests from non-U.S. governments in 2012. The report’s release follows the January publication of an open letter signed by many advocacy groups requesting Microsoft to clarify what information is stored when users communicate via Skype, and to make public any government requests for that data. Microsoft’s report treats Skype as a separate category, explaining in a blog post that Skype data was collected differently due to the fact that the service was only acquired by Microsoft in late 2011. Interestingly, the report claims that Skype did not provide any customer communications content in response to 4,713 total government requests for users data, although an undisclosed amount of transactional data (such as usernames, email accounts and billing information) was provided. Furthermore, the report does not directly respond to the demand raised in the open letter about Microsoft’s relationship with TOM Online, a Chinese company that distributes modified Skype software for the Chinese market that has been found to censor and surveill its users.

Facebook expands ad targeting to include offline purchases

Facebook recently announced a partnership with several data brokers to incorporate their consumer data into the Facebook ad-targeting platform. The social media platform is now working with Datalogix, Epsilon, Acxiom, and BlueKai, companies that gather information about users through online cookies as well as through offline sources sucha as supermarket loyalty cards. Profiles assembled by brokers typically start with a name, address, and contact information, then add demographic information, hobbies, life-events, salary and more. The EFF has posted a guide on how to opt-out of these data brokers to ‘suppress’ your information from certain uses, which may or may not include sharing the information with Facebook.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – March 2013 appeared first on The Citizen Lab.

In order to lawfully conduct communications surveillance (“lawful interception”) in the U.S. and Western Europe, a law enforcement agency must seek authorisation from a court and produce an order to a network operator or internet service provider, which is then obliged to intercept and then to deliver the requested information. In contrast, Russian Federal Security Service operatives (FSB) can conduct surveillance directly by utilising lawful interception equipment called SORM.

Read the full post.

The post Lawful interception: The Russian approach appeared first on The Citizen Lab.

• Legislative Updates
• Personal Information & Obscurity
• Cookies & Tracking

Legislative Updates

A variety of lobbyist battles, legislative deaths and rebirths, as well as a presidential executive order all brought new changes to social media and online privacy realms this month.

Lobbying frenzy in wake of proposed EU privacy changes

Proposed changes to the EU Data Protection Regulation drew a variety of responses from privacy advocates amidst heavy lobbying from US companies against the initiatives. One proposed revision would create a “right to be forgotten” across all member states, requiring companies to delete a user’s data at their request. The proposals drew a variety of amendments, and advocacy group Europe v Facebook reported that 25% of the content of such amendments were directly copied from lobbyist papers. Additional criticism of the changes came from a US diplomat, who warned that if the proposals were passed, the resulting restrictions might provoke a trade war. These moves were preceded by statements from several privacy advocacy groups including the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), who wrote to various United States government officials, arguing that the United States should not hinder the EU’s privacy-strengthening regulation. Meanwhile, representatives for US IT companies argued that prescriptive regulation hinders innovation and economic development.

CISPA re-introduction draws privacy criticism

The Cyber Intelligence Sharing and Protection Act (CISPA) was re-introduced this month, unchanged from last year’s version that was passed in the United States House of Representatives, but defeated in the Senate after an outcry from “tens of thousands of concerned individuals”. The Act is designed to set up a streamlined system for the private sector to report cyber threat information to federal agencies. In response to the re-introduced bill, the EFF launched an online petition urging lawmakers to oppose it. Concerned privacy advocates claim the Act’s broad language would allow organizations to disclose their customers’ personal information to the US intelligence community with little transparency, and expressed dissatisfaction that no substantive changes were introduced in the latest version.

Obama cybersecurity executive order elicits diverse responses

US President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity” which calls for improved cybersecurity information sharing between private entities and the government while maintaining privacy and civil liberties protections. Other key demands include a call for a frameworks to reduce cyber risks to critical infrastructure, develop a cybersecurity program to protect said infrastructure, and identify the infrastructure at greatest risk. Michigan’s Chief Security Officer Dan Lohrmann writes that the executive order has elicited a wide range of reactions. For example, security expert Eugene Kaspersky praised the order as a step in the right direction in the wake of increased cyber attacks on critical infrastructure. In contrast to their response to CISPA, privacy advocates have generally praised the executive order for its attempt to protect security while not diminishing privacy. However, critics claim the order does not account for the complex network of existing security frameworks in place and fails to provide any concrete solutions to current problems.

Canadian Internet surveillance bill killed

Canada’s controversial Internet Surveillance Bill C-30 was killed by the Harper government earlier this month, about a year after the bill’s controversial introduction, which saw Canadian Public Safety minister Vic Toews disparage opponents of the bill as supporters of child pornographers. The bill would have required digital service providers to install equipment that enabled authorities to engage in real-time monitoring of the digital activities of customers without court authorization. Vocal opponents of the bill, including Ontario’s Information and Privacy Commissioner Ann Cavoukian and Vancouver-based Internet advocacy group OpenMedia.ca, were delighted to see the bill’s demise.

Back to top

Personal Information & Obscurity

Facebook had a policy triumph in the wake of a challenge over German privacy law, while the inner workings of Google Play’s personal information disclosure to developers raised the ire of privacy advocates.

Facebook defeats German privacy challenge

Facebook defeated a legal challenge by a German privacy watchdog (ULD) over the social networking site’s policy that requires all users to register with their real names. While a ban on pseudonyms may breach German privacy law, the court ruled that as Facebook is technically headquartered in Ireland, the law did not apply. In response, a representative for the ULD argued that the ruling will encourage multinational tech companies to set up their headquarters in jurisdictions with the weakest data protection. While a unified online identity can be useful for commercial purposes, one commentator argues that pseudonyms reflect the nature of people’s fragmented online identities and help to encourage creative thought.

Google Play store provides user data to app developers

An Android application developer caused a stir when he revealed that Google sends him the email address, approximate location, and occasionally the full name of individuals who downloaded his application from the Play Store. A source familiar with Play Store operations claimed that this is intentional, and has always been their practice. As the Play Store was modelled on Apple’s App store, which does not disclose purchaser details to developers, critics are claiming that most users do not expect their personal information to be shared with anyone besides Google (whom purchasers may assume they are doing business with). Google’s main privacy policy is arguably broad enough to cover this type of sharing as being between “affiliates”, to whom personal information is provided.

Back to top

Cookies & Tracking

This month saw several notable developments in online tracking policy. These occurred in the diverse areas of international standards deliberations, web browser implementations, and social media user interaction design.

Will the Do Not Track standard resume development?

After development stalled due to bitter tensions between advertising industry and privacy advocates, the Do Not Track (DNT) web standard is said to be resuming its course, while others are less sure of its future. The working group in charge of the standard has reportedly agreed on a roadmap and several key requirements. The standard, which is already partially implemented in numerous web browsers, provides a way for browsers to inform servers that the user does not wish to be tracked. When the standard’s self-regulated development appeared to have stalled, the advocacy group Consumer Watchdog called on the Federal Trade Commission (FTC) to push for DNT legislation. While no proposed legislation has yet emerged, the resumed development does follow the release of the FTC’s mobile privacy report [PDF], which recommends an implementation of DNT for mobile browsers.

Firefox to block third-party cookies by default

Perhaps in response to the stalled Do Not Track development, an update to the popular Firefox web browser will see it blocking cookies from third-party URLs by default. This move will bring it in alignment with the Safari browser’s similar default setting. When a web browser displays a website, any cookies loaded from a different domain are treated as “third-party origin”. Typically, third-party cookies are used to track individuals across different websites and serve them ads tailored towards an interest profile, a practice known as Online Behavioural Advertising (OBA). Nevertheless, a web browser will still save third-party cookies if the browser visited that third-party in the past. Jules Polonetsky, a leading privacy expert, posits that the move may provide an opportunity for ad companies to be more explicit about how and why they track users, re-framing a practice that largely operates in the background.

Facebook re-targeted ads to adopt AdChoices icon

In response to pressure to be more transparent about its ad re-targeting program, Facebook is reportedly introducing the AdChoices icon to indicate when an advertisement is “re-targeted”, displayed to the user based on information collected about the his/her web browsing history. The disclosure is a step towards transparency, but is not an obvious one; the small icon will only appear alongside a re-targeted advertisement only after a user hovers over it. Jeffery Chester of the Center for Digital Democracy was not impressed by the move, arguing that merely informing users that an advertisement is targeted does not amount to disclosure of how that information is harvested in the first place.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – February 2013 appeared first on The Citizen Lab.

Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list, available here, starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them.

Last fall, officers from Immigration and Customs Enforcement (ICE) seized an iPhone from the bedroom of a suspect in a drug investigation. In a single data extraction session, ICE collected a huge array of personal data from the phone. Among other information, ICE obtained:

call activity
phone book directory information
stored voicemails and text messages
photos and videos
apps
eight different passwords
659 geolocation points, including 227 cell towers and 403 WiFi networks with which the cell phone had previously connected.

For the full article, see here.

The post New document sheds light on government’s ability to search iPhones appeared first on The Citizen Lab.

Passware Inc. is a forensics security company that develops investigation software kits to reveal passwords on seized computers. Last year it released a version of its kit that allows an investigator to reveal the passwords of Apple’s FileVault encryption technology, along with those for similar technologies such as TrueCrypt, PGP Disk, and BitLocker. Recently the kit has gained more features and now has the ability to snoop through a system’s hibernation file for Google and Facebook account passwords.

The Passware snooping technology works by accessing a system’s memory either through a port that has direct memory access (DMA), or by accessing a system’s sleepimage (hibernation) files. It scans the contents of these resources for patterns to reveal relevant passwords.

While Passware is meant for investigative purposes only and is targeted both by intent and price to forensics institutions, Passware CEO Dmitry Sumin acknowleged that the software being available does pose a potential threat in a press release:

“There’s no guarantee that professional-grade versions of Passware Kit won’t fall into the wrong hands. As most users know, a running computer is insecure in many ways and leaving it unattended makes it available to unauthorized individuals. Simple advice for all users is to disable hibernation on their computers and after dealing with confidential information to power them off. Full-disk encryption also prevents access to the system hibernation file.”

For the full article, see here.

The post Passware expands to grab Facebook and Google passwords appeared first on The Citizen Lab.

Federal Justice Minister Rob Nicholson says the controversial Bill C-30, known as the online surveillance or warrantless wiretapping bill, won’t go ahead due to opposition from the public.

The bill, which was known as the Protecting Children from Internet Predators Act, was designed to help police combat child pornography. But civil liberties and privacy groups — even the federal privacy commissioner — said the bill violated the rights of Canadians.

Opponents lobbied strenuously against C-30, saying it was an overly broad, “Big Brother” piece of legislation that would strip all Canadians of the right to privacy.

The bill would have required internet service providers to maintain systems to allow police to intercept and track online communications without a warrant.

Canadians rallied against the bill after Public Safety Minister Vic Toews famously told an opposition MP that he could “either stand with us or with the child pornographers.” Those explosive comments outraged many Canadians and helped to galvanize the opposition to C-30.

For the full article, see here.

The post Government killing online surveillance bill appeared first on The Citizen Lab.

Professor Deibert spoke about the Canadian company Blackberry and the lack of transparency in Blackberry’s agreements with governments abroad. In India particularly, Tremonti and Deibert discussed the Indian government’s open requests to turn over access to its encrypted networks. Blackberry has so far been unclear as to what extent it has made arrangements with foreign governments to censor information or provide law enforcement access to its networks. During the show, Deibert asked, “Is Blackberry facilitating the violation of human rights abroad?”

Listen to the entire episode.

The post Citizen Lab Director Ron Deibert on CBC’s The Current appeared first on The Citizen Lab.

On 1st February 2013 Privacy International, together with the European Centre for Constitutional and Human Rights (ECCHR), the Bahrain Center for Human Rights, Bahrain Watch and Reporters without Borders, filed complaints with the Organisation for Economic Cooperation and Development (OECD) against Gamma International, a company that exports “FinFisher” (or “FinSpy”) intrusive surveillance software, and Trovicor GmbH, a German company (formerly a business unit of Siemens) which also sells internet monitoring and mass surveillance products. The complaints ask the UK and German National Contact Points (NCPs), to ascertain whether the technology companies have breached the OECD Guidelines for Multinational Enterprises by exporting surveillance products to Bahrain, where the authorities use such products in human rights abuses.

The OECD Guidelines is a key international instrument for promoting corporate social responsibility. The Guidelines are addressed by governments of adhering countries to enterprises that operate from or in those countries, and contain broad, non-binding recommendations for responsible business conduct, covering a range of issues such as labour, human rights, bribery, corruption and the environment.

For the full article, see here.

The post OECD complaint against Gamma International and Trovicor appeared first on The Citizen Lab.

Table of Contents

• Facebook, Skype and Instagram
• Privacy legislation updates, proposals and responses
• Mobile App Privacy
• SSL Implementations

Facebook, Skype and Instagram

New features, security concerns and policy fumbles among web giants Facebook, Skype and Instagram each caused a significant amount of concern among privacy advocates and the larger web community this past month.

Facebook Graph Search announced

Facebook’s newly announced Graph Search has caused large ripples among privacy and security commentators. The product greatly enhances the specificity of search results on the social network by incorporating powerful filtering mechanisms based on people’s profile data, “likes”, and other activities. For example, a satirical blog called “Actual Facebook Graph Searches” outlines some disturbing search queries, such as “Family members of people who live in China and like Falun Gong”, which highlight the product’s potential for malicious use. While Facebook claims Graph Search conforms to existing privacy settings and does not expose any information previously unavailable, critics point out that it works to undermine a Facebook user’s sense of obscurity. Currently, users have some perception that their activity on the site will drift away into obscurity as new activities appear at the top of people’s feeds. Graph Search, however, can efficiently dig up those long-forgotten posts, Likes and interests, bringing information to light that could be useful to stalkers, phishing operatives, or potential employers. In response to these risks, the Electronic Frontier Foundation (EFF) has published a guide on “How to protect your privacy from Facebook’s Graph Search”.

Skype under pressure from activists

A recent open letter to Skype signed by Reporters without Borders, the EFF, and many other organizations calls on Skype’s owner, Microsoft, to clarify what information is stored when people use its service and make public any government requests for such data. Essentially, they are calling on Skype to issue a transparency report similar to those released Google and Twitter. The letter also demands Skype’s analysis of what data malicious third parties may be able to collect, and to clarify the company’s relationship with TOM Online, the operator of a licensed, modified version of Skype for the Chinese market. While the letter asks that Skype explains what it knows about “the surveillance and censorship” that users “may be subject to” while using Tom-Skype, as was reported by the Information Warfare Monitor — a public-private venture between two Canadian institutions: the Citizen Lab and the SecDev Group, an operational think tank based in a Ottawa (Canada) — in 2008, messages containing blacklisted words such as ‘“Taiwan Independence” trigger the application to send chat logs to a Chinese server and block the transmission of such messages to others. Skype’s owner at that time, eBay, had no comment on the message monitoring; Microsoft is currently “reviewing the letter” — how it will respond remains to be seen.

Aftermath of Instagram TOS debacle

After last month’s public outcry over language in Instagram’s update to its Terms of Service which may have permitted it or its affiliates to use user content in advertisements, independent analytics suggested that Instagram’s daily active users dropped by 50 percent in the weeks after the announcement. Although the company responded to the community uproar by reverting the advertising section of its Terms to the earlier language, the negative publicity seemed to have taken a large toll. However, since those reports, Instagram has released its own data indicating 90 million monthly active users, and claimed that it continues to see strong growth around the world. While the company’s response may have helped to mitigate some long-term damage to its user base, the backlash highlights that social media users are keen to make their voices heard when it comes to perceived potential misuses of personal data.

Back to top

Privacy legislation updates, proposals and responses

The close of 2012 and the start of 2013 saw several key legislative stories surface regarding the collection and disclosure of user data, both in the United States and EU.

ECPA / VPPA shuffles

In the wake of last year’s Petraeus affair, many privacy activists in the United States called for modernizations to the Electronic Communications Privacy Act of 1986 (ECPA) to better protect email privacy from law enforcement. Late last year, the Senate Judiciary committee passed a bill to amend ECPA that would require law enforcement to obtain a warrant before compelling service providers to hand over a subscriber’s emails. However, when Congress considered the bill, they added an amendment to the Video Privacy Protection act of 1988 (VPPA) to it, and later dropped the ECPA reforms shortly before voting, after heavy law enforcement lobbying.

The VPPA amendment passed, and U.S. companies may now obtain distinct consent via the Internet to disclose a consumer’s video viewing information through electronic means. Netflix lobbied for the change in order for its users to legally be allowed to share their video watching habits on Facebook.

Google and others want to see a warrant

Perhaps as a response to the fizzled attempt to amend ECPA, Google announced late January that it requires a probable cause warrant in order to divulge the contents of a user’s Gmail messages to law enforcement. Authorities may still obtain registration information such as name and IP address without a warrant, using only a subpoena. This announcement coincided with the release of Google’s latest transparency report, which for the first time breaks down U.S. government requests for data by legal justification. The report shows that 68 percent of U.S. requests were made with only a subpoena, which is similar to the 60 percent figure released by Twitter in its latest transparency report.

After the news about Google’s policy broke, The Hill newspaper reported that Microsoft, Facebook, and Yahoo! also require warrants before divulging the contents of their user’s communications. The companies all reportedly justified their policies based on case law arising from United States vs. Warshak, a ruling that found police breached an individual’s constitutional (fourth amendment) rights against unreasonable search and seizure when obtaining email contents without a warrant.

EU data privacy law proposal draws responses from lobbyists, activists

A draft of a new EU Data Protection Regulation would significantly broaden the definition of personal data to include a variety of persistent online identifiers such as cookies, IP addresses, “and other unique identifiers”. The law would also mandate that users provide explicit (opt-in) consent to data processing activities before online service providers utilize their data in such a manner. Furthermore, consent would be invalidated if a platform’s terms of service change in such a way that a person has no option other than to accept the change or cease using the platform he / she has devoted significant time to. Der Spiegel claims this provision could refer to Facebook’s strategy of continually expanding the scope of “public” items on the platform.

In response to the proposed law, a lobbyist representing U.S. companies such as Facebook, Google and Zynga posited that if they were not legally able to monetize user data, Gmail and Facebook may be compelled to start to charge customers for the services. In opposition to such lobbying, U.S. data privacy advocates such as the American Civil Liberties Union, the Consumer Federation of America, and the Center for Digital Democracy wrote to the EU in favour of increased consumer protections.

States’ social media employment laws

California and Illinois have both passed laws that bar employers from demanding social media login details from job applicants and employees, while Nebraska and Vermont are considering similar legislation. These laws are aimed at curbing employers’ practices of managers and other authority figures snooping on their employee’s activities on social networks. The California law furthermore protects university students in a similar manner and prohibits retaliation in the case that someone refuses a request to disclose such social media information.

COPPA rule revised

The FTC issued a decision this month that amended the Commission’s rules regarding its enforcement of the Child’s Online Privacy Protection Act (COPPA). The ruling will enable websites to obtain verifiable parental consent to the disclosure of children’s personal information through newly approved methods such as the electronic submission of scanned consent forms or video conferencing. The ruling is intended to make it simpler for web services to obtain proper consent and comply with the law. It furthermore adds new forms of personally identifiable information to its scope, including physical location, a child’s image or his/her voice.

Back to top

Mobile App Privacy

Mobile applications continue to introduce new privacy challenges; and policy makers and watchdogs are following suit by releasing guidelines to help developers to protect their users’ data.

California issues mobile app privacy guidelines

The state of California has released “Privacy on the Go (PDF)”, a guide for mobile app developers to approach privacy by design when building their applications. Some highlights from the guidelines include a call for readable privacy policies, notice when data is shared with third parties, and for apps to only collect the minimum amount of personally identifiable information required for system functionality. Onlookers point to this as an example of the growing awareness of mobile privacy issues, and an important step in protecting user privacy. The recommendations are not enforceable by law, but they may be signposts indicating the direction the the law will take in the future.

Back to top

SSL Implementations

SSL is an encryption layer that secures normal web communications using the http standard. It is increasingly being adopted as the default by social media sites, which previously only utilized the protocol when dealing with usernames and passwords (such as during registration or log-ins).

Yahoo! Mail now under https following XSS vulnerability

Yahoo! Mail now joins other major webmail providers by offering users the ability to use SSL connections during use sessions. This follows a call by the EFF and other rights groups last year for the company to do so. Yahoo! Mail was also recently compromised by an XSS vulnerability that could have provided attackers with backdoor access to millions of accounts. In the wake of that incident, Yahoo!’s chief information security officer was dismissed. The move to implement SSL as an option still leaves Yahoo behind Microsoft Live and Gmail, which implement the secure protocol by default.

Nokia server decrypts HTTPS data en route to mobile browser

Nokia’s mobile browser “Xpress” drew criticism due to an intermediary server’s decryption of secured data during transmission. The browser routes all incoming web traffic through a centralized server that pre-processes content to reduce filesize and save bandwidth. This preprocessing is a fairly common practice among mobile browsers, but Nokia’s servers temporarily store encrypted data in plain text form, leaving the data in an accessible format, and circumventing the security expected by its users. Nokia assured the public that it wasn’t using this decrypted data to spy on its users; however, critics call on the company to be more transparent in its use of user data.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – January 2013 appeared first on The Citizen Lab.

January 28 marks International Privacy Day. Different countries are celebrating this day calling attention to their own events and campaigns. This year, EFF is honoring the day by sharing some advocacy strategies utilized by human rights advocates and activists from Argentina, the UK, Canada, and the United States, that have helped to defeat overreaching surveillance proposals that threaten civil liberties.

As we’ve continued to report, states throughout the world are demanding private data in ever-greater volumes—and are succeeding at getting it. They are obtaining detailed logs of our entire lives online, and they are doing so under weaker legal standards than ever before. Several laws and proposals now afford many states warrantless snooping powers and nearly limitless data collection capabilities. These practices remain shrouded in secrecy, despite some private companies’ attempts to shine a light on the alarming measures states are taking to obtain information about the populace.

For the full article, see here.

The post International Privacy Day: Anti-surveillance success stories appeared first on The Citizen Lab.