Hacker claims third-party iPhone apps can freely transmit UDID, pose serious threat to privacy

When Apple addressed a congressional inquiry on privacy in July, the company claimed that it couldn’t actually track a particular iPhone in real time, as its transactions were anonymous and thoroughly randomized. Bucknell University network admin Eric Smith, however, theorizes that third-party application developers and advertisers may not have the same qualms, and could be linking your device to your name (and even your location) whenever they transmit data. Smith, a two-time DefCon wardriving champ, studied 57 top applications in the iTunes App Store to see what they sent out, and discovered that some fired off the iPhone’s UDID and personal details in plaintext (where they can ostensibly be intercepted), including those for Amazon, Chase Bank, Target and Sam’s Club, though a few were secured with SSL. Though UDIDs are routinely used by apps to store personal data and combat piracy, what Smith fears is that a database could be set up linking these UDIDs to GPS coordinates or GeoIP, giving nefarious individuals or organizations knowledge of where you are.

It’s a scary idea, but before you direct hate Apple’s way, it’s important to note that Cupertino’s not necessarily the one to blame. iOS is arguably the best at requiring users to opt-in to apps that perform GPS tracking; transmitting the UDID and account information together publicly is strictly against the rules; and we’d like to think that if users provide their personal information to an application developer in the first place, they’d understand what they’re doing. Of course, not all users monitor those things closely, and plaintext transmission of personal details is obviously a big no-no.

Smith’s piece opens and closes on the idea that Apple’s UDID is like the unique identifier of Intel’s Pentium III processor, which generated privacy concerns around the turn of the century, and we wonder if this story might play out the same way — following government inquiries, Intel offered a software utility that let individuals manually disable their chip’s unique ID, and removed it from future CPUs.

Hacker claims third-party iPhone apps can freely transmit UDID, pose serious threat to privacy originally appeared on Engadget on Sun, 03 Oct 2010 19:51:00 EDT. Please see our terms for use of feeds.

Source: PSKL

Study: select Android apps sharing data without user notification

Come one, come all — let’s gather and act shocked, shall we? It’s no secret that Google’s Android Market is far easier to penetrate than Apple’s App Store, which is most definitely a double-edged sword. On one hand, you aren’t stuck waiting a lifetime for Apple to approve a perfectly sound app; on the other, you may end up accidentally downloading some Nazi themes that scar you for life. A curious team of scientists from Intel Labs, Penn State and Duke University recently utilized a so-called TaintDroid extension in order to log and monitor the actions of 30 Android apps — 30 that were picked from the 358 most popular. Their findings? That half of their sample (15, if you’re rusty in the math department) shared location information and / or other unique identifiers (IMEI numbers, phone numbers, SIM numbers, etc.) with advertisers. Making matters worse, those 15 didn’t actually inform end-users that data was being shared, and some of ’em beamed out information while applications were dormant. Unfortunately for us all, the researchers didn’t bother to rat out the 15 evil apps mentioned here, so good luck resting easy knowing that your library of popular apps could be spying on you right now.

Update: A Google spokesperson pinged us with an official response to the study, and you can peek it after the break.

Update 2: Looks as if the full study (PDF) has been outed, with the 30 total apps named. Here they are: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC – Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote. Thanks, Jordan!


Study: select Android apps sharing data without user notification originally appeared on Engadget on Thu, 30 Sep 2010 16:06:00 EDT.

Source: BBC, App Analysis (PDF)

Study Shows Some Android Apps Leak User Data Without Clear Notifications

Something as simple as changing your Android phone’s wallpaper or downloading a ringtone could transmit personal data about you, including your location, without your knowledge.

Sound farfetched? It’s not: About 15 of 30 randomly selected, popular, free Android apps sent users’ private information to remote advertising servers and two-thirds of the apps handled data in ambiguous ways, say researchers.

The researchers at Duke, Intel Labs and Penn State University created a tool called TaintDroid that identifies apps transmitting private data to distant locations. TaintDroid monitors how applications access and use your location, microphone, camera and the phone numbers in your contact list. The tool also provides feedback once an app is newly installed, letting you know if the app is transmitting data.

“This automatic feedback gives users greater insight into what their mobile applications are doing and could help users decide whether they should consider uninstalling an app,” says Peter Gilbert, a graduate student in computer science at Duke University who’s working on the project. The TaintDroid program isn’t publicly available yet.

The latest data supports a study published in June by mobile security company SMobile Systems that found 20 percent of the then-available 48,000 third-party applications for the Android operating system provided sensitive or private information to outside sources.

Data collection practices in apps are increasingly becoming a major privacy issue for consumers. In July, a mobile security firm called Lookout identified a free wallpaper Android app, Jackeey, that allegedly gathered data about its users, including their phone numbers, carrier subscriber identifiers and phone number of their voicemail accounts. The app then sent the information to a website based in China. The Jackeey app is estimated to have anywhere from 1 to 4 million downloads.



Google’s Eric Schmidt faces off with Stephen Colbert

Last night the man behind the Keep Fear Alive campaign sat down with one of tech’s luminaries — Google’s Eric Schmidt — for a frank discussion about just exactly what it is that his company does. While the focus was on Google’s precarious relationship with our personal data, it would be hard to sum up the entirety of the conversation in a quick post (that’s why Skynet invented video). It is interesting to see Schmidt dodging what are incisive and extremely sharp questions (though veiled in sarcasm they may be) from Mr. Colbert. Put aside the next five minutes or so and do yourself a favor: watch the thing.


Google’s Eric Schmidt faces off with Stephen Colbert originally appeared on Engadget on Wed, 22 Sep 2010 11:05:00 EDT.

Source: The Colbert Report

Dell Streak Is Perfect For A Doctor’s Lab Coat

Dell Streak and Accessories, from Dell.com

The Dell Streak was always an odd fit for the consumer market — smaller than other tablets, bigger than other smartphones. But Dell sees a bright future for it in enterprise in general, and medicine in particular.

Dell’s Jamie Coffin and Scott Jenkins recently mapped their healthcare strategy for ZDNet. Because Dell healthcare services already provides IT infrastructure for over 350 hospitals, they can integrate their portable devices and software with the systems already in place — an advantage Apple, Samsung, and other tablet makers can’t match.

Devices that store and handle medical information have to fulfill a very strict set of requirements. Besides hooking into a hospital or healthcare network’s systems, there’s HIPAA, or the Health Insurance Portability & Accountability Act, a 1996 law that protects patient privacy.

There are also security nightmares whenever a device storing confidential information is lost or networked communications are transferred without encryption or other security protections. Finally, medical devices have to be rugged, germ-resistant, and capable of working in disaster scenarios without ready access to electricity or a data network. This is one significant reason why hospitals’ information systems frequently seem so low-tech; it’s not recalcitrance, but redundancy by design.

For these reasons, medical devices are usually provided by specialized providers who can meet these requirements. They’re typically expensive, with patents or scarcity preventing competition, and UI is (ahem) not particularly a priority. Consumer devices, on the other hand, can beat specialized devices on price and usability. Dell thinks that they can leverage their consumer and enterprise positions to offer the best of both worlds.

Also, it really is just the right size for a lab coat pocket.

Dell Healthcare and Life Sciences [Dell]
Dell’s enterprise Streak plan: Target verticals like healthcare [ZDNet]
Dell Streak may soon be streaking into lab coat pockets [TeleRead]



Google agrees to pay $8.5 million to make Buzz privacy lawsuits go away

Remember back when Google’s Buzz social networking app shared users’ private information without their consent? Heck, do you remember Buzz at all? Suffice it to say that some unhappy folks sued, and it looks like they’re about to accept a hefty settlement in place of their day in court. Though no money’s exchanged hands quite yet and a judge has yet to approve, Google’s agreed to drop $8.5 million and “disseminate wider public education about the privacy aspects of Google Buzz” as part of a class-action settlement, according to court documents. While there’s certainly a chunk of dough potentially being doled out here, we have to imagine individual Gmail users won’t be seeing much — most will go to “organizations focused on Internet privacy policy or privacy education” — which makes us wonder if $8.5 million isn’t a small price to pay to get Buzz back into the national news feeds.

In related (or possibly completely coincidental) news, Google took the opportunity today to revamp its master Privacy Policy. Read all about it at our more coverage link, if you’re into that kind of stuff.

Google agrees to pay $8.5 million to make Buzz privacy lawsuits go away originally appeared on Engadget on Sat, 04 Sep 2010 16:44:00 EDT.

Search Engine Land, Ars Technica | Source: AFP

Lower Merion, PA school district cleared of Federal spying charges, approves new privacy policies

Though a now-infamous Pennsylvania school district admitted to taking thousands of pictures of schoolchildren without their consent, federal investigators have decided not to pursue criminal charges. That doesn’t halt a class-action complaint against the district (which charges invasion of privacy and wiretapping) but a US attorney told reporters that FBI and police investigators hadn’t found proof beyond a reasonable doubt that school employees had criminal intent to spy on students using their school-issued laptops.

On a related note, students returning to Lower Merion for a new school year can set their minds at ease, as the school board just approved a new set of laptop regulations that (among other things) ban remote monitoring of microphones and webcams. Feel free to pick through for technical loopholes at our more coverage link, and let’s hope this little LMSD soap opera is finally at an end.

Lower Merion, PA school district cleared of Federal spying charges, approves new privacy policies originally appeared on Engadget on Tue, 17 Aug 2010 16:30:00 EDT.

Source: Associated Press, Philadelphia Inquirer

SNAP for iOS gives you The Power… to appraise your Facebook privacy

SNAP (Social Network Analyzer for Privacy) by BIT Systems does one thing, and one thing only: it looks at your Facebook profile and then “grades you on how visible you are to the outside world.” Of course, you can always just go into Facebook itself and look at your privacy settings, which would save you the steps of downloading an app and using it to login to your account, but at least the thing is free. And it does provide a handy and thorough tutorial on Facebook privacy in general. Hit the source link to take it for a spin.


SNAP for iOS gives you The Power… to appraise your Facebook privacy originally appeared on Engadget on Mon, 16 Aug 2010 08:34:00 EDT.

Source: App Store

Saudi Arabia pleased by RIM’s concession, says BlackBerry messaging can stay for now

The forty-eight hour deadline came and went, but Saudi Arabia didn’t pull the plug — citing a “positive development” in RIM’s efforts to appease Saudi regulators, the country has allowed BlackBerry messaging services to continue for the time being. Saudi Arabia’s Communications and Information Technology Commission (CITC) didn’t specify what the aforementioned “development” was, but thanks to well-placed anonymous sources we can hazard a guess: “CITC will now be able to monitor communications via messaging services,” one Saudi telecom official told the Wall Street Journal, and Reuters reports that RIM will hand over BlackBerry decryption codes to the country. That’s all for now, but expect this issue to bubble back to the surface again in the United Arab Emirates come October.

Saudi Arabia pleased by RIM’s concession, says BlackBerry messaging can stay for now originally appeared on Engadget on Tue, 10 Aug 2010 15:33:00 EDT.

Source: Wall Street Journal, Reuters

WSJ: Google ‘agonizing’ over user privacy, ‘vision document’ suggests selling data

It was just last week that the Wall Street Journal reported Microsoft’s decision to limit private browsing in IE8 as part of its ongoing series on online privacy, and today the focus is on Google, which is said to be “agonizing” over the balance between user privacy and advertising opportunities. It’s a long piece that you should read in full, but essentially the WSJ claims that Larry Page and Sergey Brin have gone from strictly forbidding any efforts to track users online to a more subtle interpretation of their famous “don’t be evil” motto which allows them to leverage user data and sell finely targeted ads without “exploiting customers.” According to the WSJ, the change in attitude came with the rise of upstart ad firms that lacked Google’s scruples and the search giant’s purchase of DoubleClick, which led to Google’s first use of cookies. What’s more, once at Google, former DoubleClick exec Aitan Weinberg produced a seven-page “vision document” that outlined several strategies to profit from user data, ranging from building a “trading platform” for user data to allowing users to pay directly and get rid of ads altogether. (Google says the document was for “brainstorming” and that some of the proposals are “complete non-starters.”)

The WSJ also says Google’s working hard on that rumored social networking service to go head-to-head with Facebook, complete with a “like” button it can put across the web to build an even better profile of your likes and dislikes, and that the company is considering mixing user data from across services like Gmail and Google Checkout to make those profiles even deeper, all while trying to balance privacy, security, and legal interests. This balance appears to be causing significant tension between everyone at Google, Larry and Sergey included: the WSJ says the two founders have had shouting matches over things like selling “interest-based” ads, and that Sergey has been more reluctant than Larry to take advantage of user data. Like we said, it’s a good read, so hit the source link and get to it.

WSJ: Google ‘agonizing’ over user privacy, ‘vision document’ suggests selling data originally appeared on Engadget on Tue, 10 Aug 2010 13:41:00 EDT.

Source: Wall Street Journal