Jump to content

Search the Community

Showing results for tags 'data collection'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 12 results

  1. I IN NO WAY TAKE ANY CREDIT FOR THIS IT WAS TAKEN FROM MDL FORUM AND SOME POSTS BY MEMBERS ON THIS FORUM! Manual: Tools: Microsoft Telemetry Tools Bundle v2.33 Windows 10 Lite v9 Private WinTen v0.84 Blackbird v6 v1.0.80.2 [Works with Win 7/8/8/1/10] O&O ShutUp10 v1.8.1423 WPD - Windows Privacy Dashboard v1.4.1834 WindowsSpyBlocker v4.36.0 Spybot Anti-Beacon v3.5 [Works with Win 7/8/8/1/10] W10Privacy v3.7.0.8 Privatezilla v0.50.0 SharpApp v0.46.1 Debotnet v0.7.8 Disable Windows 10 Tracking v3.2.3 Destroy Windows Spying v1.0.1.0 [Works with Win 7/8/8/1/10] [NOT RECOMMENDED AS NOT UPDATED ANYMORE]
  2. Wonder about the data Google collects in Chrome and links to you? Now we know Up until now, it was clear that Google was collecting data through its Chrome web browser and other services, but most users probably did not know the exact data types and data that Google was collecting. Microsoft revealed what it collects from users of its Windows 10 operating system, and other browser makers, Mozilla for example, reveal more details when it comes to telemetry. All applications on Apple's App store need to reveal to users the data that they collect and link to the user. I stumbled upon this through a tweet by DuckDuckGo. If you open the Google Chrome listing on Apple's App store website, and click on the "see details" link under App Privacy on the page, you will get the list of data that is linked to you when you are using the browser on Apple iOS devices. It is likely, but not confirmed, that most of these are also collected and linked in Chrome on Android and desktop devices. The collected and linked data is sorted into the three categories analytics, product personalization and app functionality. Here is the entire list: Analytics Location -- Coarse Location User Content - Audio Data, Customer Support Browsing History -- Browsing History Identifiers -- User ID, Device ID Usage Data -- Product Interaction Diagnostics -- Crash Data, Performance Data, Other Diagnostic Data Other Data -- Other Data Types Product Personalization Location -- -Coarse Location Browsing History -- Browsing History Identifiers -- User ID, Device ID Usage Data -- Product Interaction App Functionality Financial Info -- Payment Info Location -- Coarse Location User Content -- Audio Data, Customer Support, Other User Content Browsing History -- Browsing History Identifiers -- User ID, Device ID Usage Data -- Product Interaction Diagnostics -- Crash Data, Performance Data, Other Diagnostic Data Other Data -- Other Data Types Google collects a user ID and device ID, the browsing history, usage data, diagnostics data and more. How about other browsers? Mozilla collects contact info (email), user ID and device ID, but nothing else, the DuckDuckGo Privacy Browser and Brave nothing at all, Microsoft Edge the device ID, browsing history and diagnostic crash data, and Opera the Device ID, Location, and diagnostics. Google is collecting more than anyone else in its Chrome web browser. Source: Wonder about the data Google collects in Chrome and links to you? Now we know
  3. Google is making it easier to disable Gmail data collection for smart features Google has announced that its Gmail service will soon provide a new setting to let users decide whether they want their data to be used in order to enable smart features across Google services. The ability to disable these smart features was already available, but with the new experience, it should help users more easily understand when they're disabling data collection and processing by Google. Google has added some smart features to Gmail over time, such as smart compose and the tabbed inbox, which are meant to make the experience more convenient. Many users may not consider the implications of using these features and how they're tied to data collection, so the new setting should make that a bit easier to understand. The settings experience will be divided into two parts: first, you can enable or disable data collection in Gmail, Google Chat, and Meet to be used to improve those specific experiences - with features such as automatic email categorization, smart compose, and so on; second, you can allow data from Gmail and its related services to personalize other Google experiences, such as Google Assistant reminders, restaurant reservations being displayed in Google Maps, and more. Google says this new experience should be available soon, though it didn't make it exactly clear whether users will see these options when logging into Gmail or if they'll have to look for them in the settings. Google is making it easier to disable Gmail data collection for smart features
  4. Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe’s data policies compare CyberNews researchers analyzed data from multiple social platforms like Parler, Twitter, Facebook, MeWe’s to compare data policies. Original Post at https://cybernews.com/privacy/how-parler-twitter-facebook-mewe-data-policies-compare/ Alternative social media platforms, also known as “alt” or alt-tech, were catapulted into the spotlight near the end of 2020 due to US President Donald Trump’s claims of election interference. Twitter-alternative Parler in particular is in the spotlight after being banned from Google’s Play store and Apple’s App Store. Its hosting provider, Amazon Web Services, has also removed the platform from its services, meaning that at this moment, Parler’s platform is inaccessible. To make matters even worse for the platform, a security researcher was able to collect more than 70 terabytes, which equals 70,000 gigabytes, of Parler users’ messages, videos, audio, and all other activity. Due to this breach, it will be important to see whether promises made in Parler’s privacy policy will hold up with the data it actually collected and maintained in its servers. While these alt platforms largely position themselves as “free speech” alternatives, we at CyberNews were also interested in how these alt social platforms compare in terms of data collection. Therefore, for this research, we aimed to see how the mainstream platforms compare to their logical alt pairings: Twitter and Parler Facebook and MeWe Twitter and Parler YouTube and Rumble Reddit and Voat (offline) Tiktok and Triller As of this writing, Voat has been taken offline, apparently after an investor backed out in March, and Parler is inaccessible while it searches for hosting alternatives.However, our investigation will include their analysis as well. The biggest takeaway? Mainstream social platforms collect more data at the moment than alt-social platforms, but that is likely because mainstream social platforms have already reached their stable monetization phase and are selling ads. Only one alt-social platform, MeWe, makes promises to never sell ads. Highlights Here are the biggest takeaways from analyzing these 10 social platforms: Parler is the only platform that asks for a government-issued ID to verify its users’ general accounts (although unverified accounts can interact limitedly on the platform). While most platforms state they will disclose personal information in response to legal requests, Parler will also disclose information “for the avoidance of doubt” if the user posts “objectionable content” Parler, Reddit, Voat, Triller and TikTok (US) do not provide clear data retention policies, including how long they retain data after it has been deleted by the user Triller is the only social platform that outsources all messaging functionality to a third party service provider, Quickblox. Users would need to read both Triller’s and Quickblox’ privacy policies to get a good idea of how their data is being collected and processed. Triller ignores Do Not Track requests, a practice it claims is similar for “many websites and online services” Mainstream social platforms have data collection policies that are 6605 words in length on average, which would take roughly 50 minutes to read. Alt-social platforms’ policies are 4420 words in length on average, taking roughly 34 minutes to read. Facebook explicitly states that it collects data on users, including device and activity information, even if they don’t have an account The alt-social platforms don’t have an easy way for users to download all the data the platforms have on them. However, neither does TikTok, which tells users to send written “requests” to access their data Facebook and Twitter data collection policies do not have explicit sections or statements dedicated to security Along with the standard ways that these platforms collect and use the user’s data, both YouTube (Google) and TikTok also use publicly available information online to build a user’s profile on their platform TikTok makes 47 requests, the most of all platforms, when the Android app is launched, while Parler makes only 2 How this data was collected and processed In order to undertake this research, we analyzed all the data collection policies for a given platform. For most, we could get a comprehensive view of their data collection practices from the primary data collection document – their privacy policy. However, others required analyzing in addition their relative Terms of Use/Service document, and others, such as YouTube (Google) and Facebook, required even more documents. Besides analyzing the text, we also looked at word length for the given documents and the average reading time and difficulty of text. We also checked how many requests each platform’s app makes when it is launched. A common framework We took a common framework for analyzing privacy policies, which consists of the following sections (adapted for this research): First party collection or use Third party sharing or collection User choice and control User access, edit and delete Data retention Security We then looked at each platform’s primary data collection document, its privacy policy. In cases when the privacy policy did not provide a good overview of its data collection practices, we looked at supporting documents like its Terms of Use, and other platforms required even more document analysis. When possible, we looked at the US versions of these data collection documents. Keeping it simple In order to keep the analysis clear, we assessed each practice based on a three-point scale: Bad OK Good Therefore, while cookie collection would get an “OK” in terms of first party collection, not having a clear data retention policy would get a “Bad.” Having a section dedicated to security would get a “Good” (unless the section is useless by containing no information at all). There are two important considerations to make: These privacy policies are assessed based on an average user having a “good idea” of the specific platform’s data collection policies, which in an optimal case means the average reader would need to read the policy only once Some privacy policies, like Voat’s, are extremely sparse. However, just because Voat does not state that it collects, for example, user generated content, does not mean that it does not collect that data. In cases like these, we have to use common sense and not merely what’s stated in the data collection policies. For ease of understanding the differences between mainstream and alt social platforms, we’ll analyze them in their most logical pairs: Facebook and MeWe Twitter and Parler YouTube and Rumble Reddit and Voat (offline) Tiktok and Triller Common sense analysis When looking at the varying sections, it’s important that we apply practical or common sense to the analyses. For “First party collection and use,” the less data collected, the better it is. However, it’s logical for any social media platform to collect the following data: Account creation information Engagement activity User generated content (UGC) and metadata Messaging (although optimally this would be end-to-end encrypted) Feature-related data (related to camera, microphone, etc.) Device information The major difference then would be how much of the different types of data they collect, as well as any other interesting data collection practices. For “Third party sharing,” the less data shared, the better it is. However, it is expected that platforms will have service providers, such as hosting, and marketing and statistics, such as Google Analytics. They will share data if legally required, and send payment information to a third party if payments occur on their sites. For “User choice and control,” users should be able to control their account’s privacy settings, who gets to see their content, and have opt outs for ads or other tracking. For “User access, edit and delete,” users should be able to easily edit, update, retrieve or delete their accounts. They should also be able to easily delete their UGC. Optimally, they will be able to easily download all their account data. For “Data retention,” it is expected that data will not be deleted immediately. However, platforms should state how long data is stored after a delete request. For “Security,” we are not assessing the security of the particular platform. We are only looking at whether a platform discusses security-related issues, such as security measures used or breach notifications. Apple’s App Store privacy labels Apple recently introduced privacy labels to its App Store which helps to show what kind of data is being collected by apps. These are done in three different categories: Data Linked to You Data Used to Track You Data Not Linked to You We checked the data points being collected by the five mainstream and five alt social platforms by doing a simple count of the total number of data points. We were able to collect data on Parler before it was removed from the App Store: One thing that’s clear from this data: Facebook’s data collection eclipses most other mainstream social media platforms, and especially alt social platforms. One important thing to note however is that this data is self-reported, and it explicitly states that Apple has not reviewed these: Example for MeWe This could lead answers for some interesting insights, such as Rumble apparently collecting no data on its iOS users. Furthermore, some apps like YouTube have not yet reported their data handling: Tedium at a glance: average lengths and times We totaled the word counts or all documents that a user would have to read in order to get a “good idea” of a platform’s data collection policies. For some platforms, like Facebook, this includes three separate documents, while for most platforms this included only the privacy policy. Some platforms, like TikTok, included multiple versions of the privacy policies within one document, so we only counted length and time for the US version of the privacy policy. Average reading time was calculated using Grammarly’s Words to Time tool. As you can see, Facebook, YouTube and Triller had the highest lengths and reading times. What is interesting, however, is that for Facebook and YouTube, this is made up of multiple documents. However, Triller’s word count and average reading time come from just one document. With the exception of Triller, all alt social platforms had lower word counts and reading times. Text difficulty: English vs Legalese We measured the difficulty of the text using Flesch-Kincaid readability tests, which score difficulty from 0 – extremely difficult, understood by university graduates — to 100 – extremely easy, understood by an average 11-year old — so that a text with a higher score is easier to read. For social platforms with more than one text, we took the average. We noticed that all of the social platforms, regardless of length, scored within the 30-50 range, are difficult to read and normally require a college degree to fully understand: Rumble had the most challenging text, coming in at 36.6, and YouTube (Google) had the easiest text, coming in at 50.3. Network request for each platform’s app Lastly, we checked the network requests that these platforms’ mobile apps made immediately when the app was first launched (with no further interaction). Generally, the more network requests an app makes, the more data is being sent from your device to the platform. Note that Voat had no mobile app to analyze: TikTok had the most network requests on app launch (47), while Parler had the least with 2. In general, alt social platforms had fewer requests than their mainstream counterparts. Comparing the social platforms We will compare each pair of social platforms (the mainstream version and the alt version) and highlight interesting or noteworthy aspects of their various data collection policies. We rank each platform based on how well they perform in the specified categories, and at the end give a summary of the comparison and a final ranking. Twitter and Parler Parler is possibly the most popular alt social platform for conservatives and conspiracy theorists, with a look and style much like Twitter. Parler was said to have 10 million users (4 million active) as of November 2020. A false image circulated showing US President Donald Trump officially moving to Parler after he was temporarily suspended from Facebook and Twitter following posts that incited the US Capitol riots. After the riots, Parler was removed from multiple online services, including Google’s and Apple’s app stores, Amazon’s hosting, Twilio’s authentication, and others. At the moment, the alt social platform is inaccessible. Twitter Parler Document [1] [1] Words 5549 2157 Reading time 83.8 16.6 Reading ease 46.3 46.2 Network requests 9 2 First party collection and use Twitter: OK Parler: bad Twitter, for the most part, collects the standard personal information, content and device information. Twitter collects not only the search terms you submitted, but the ones you didn’t submit (typed, but didn’t hit ‘search’). Interestingly, Twitter, unlike Facebook, allows and even supports users creating multiple accounts: ”You can also create and manage multiple Twitter accounts, for example to express different parts of your identity.” Parler’s policy is a bit different. While other social platforms have some sort of verification, Parler’s verification, although optional, seems to be needed for basic platform features. For example, this FAQ suggests that users without a verified account will be unable to send private messages. In order to get verified, users will need to provide scans of their government-issued photo IDs, plus a selfie. Parler promises that it deletes the front and back scans of these IDs when they are no longer needed, retaining a “hash corresponding to the information the identification document contains.” The platform also retains the selfie but claims to store it “securely, in encrypted form” without mentioning which encryption is used. Additionally, Parler allows users to monetize their content through its “Influencer Network.” For that reason, they will “collect information on form W-9 as required by the IRS.” Third party sharing and collection Twitter: OK Parler: OK Twitter shares data with third parties: Vendors (such as hosting) and analytics Payment providers Ad engagement (anonymized data) Aggregated statistics for the platform (such as trending topics) In response to legal requests Parler’s documentation is less specific, but in general they share data with vendors and analytics, in response to legal requests, etc. It makes a point to “never rent, sell, or share information about you with nonaffiliated third parties for their direct marketing purposes unless we have your affirmative express consent.” User options Twitter: good Parler: bad Twitter users have many options through their privacy settings. They are able to opt-out of location sharing, targeted advertising, interest-based ads, etc. Twitter allows its users to easily access or delete their content or accounts. Twitter users are also able to download all the data that Twitter has collected on them. Parler’s documents don’t offer much in the way of user options. In terms of user choice and control, Parler users are only able to control limited aspects via their privacy settings. Users can also delete their accounts, but the platform doesn’t allow for them to download all the data collected on them. Data retention and security Twitter: OK Parler: OK Twitter keeps log data for up to 18 months. It offers users a standard 30-day period to reactivate their accounts. However, it doesn’t offer more specific information, such as Facebook offers, about how long it will take to delete content from its servers. Parler, on its part, also doesn’t offer any specific information about its data retention practices. It only notes the aforementioned government ID deletion information, but again without any time frame. While Twitter has no mention of its security practices, Parler has dedicated a two-sentence paragraph related to platform security. However, these sentences provide no real meaning or information: “We make reasonable efforts to protect your information by using physical and electronic safeguards designed to improve the security of the information we maintain. However, as our Services are hosted electronically, we can make no absolute guarantees as to the security or privacy of your information.” Summary Twitter: average Parler: bad Twitter is a better offering for users than Parler in terms of data collection and processing. Parler requires government-issued IDs for basic platform features and has limited user options. Facebook and MeWe MeWe is a privacy-focused, free speech platform that is often seen as a viable alternative to Facebook. It gained popularity after Facebook removed various QAnon and Stop the Steal groups at the end of 2020. MeWe’s Android app has been installed more than 5 million times. It is important to note that Facebook has a much larger surface, and many more apps and features in its ecosystem, than MeWe does. Facebook MeWe Documents [1],[2],[3] [1],[2] Words 10894 6157 Reading time 83.8 47.3 Reading ease 46.3 46.4 Network requests 34 11 First party collection and use Facebook: bad MeWe: good Facebook collects more data on its users than MeWe does. The first interesting point for Facebook is that it states it collects information about you even if you don’t have a Facebook account: “Facebook uses cookies and receives information when you visit those sites and apps, including device information and information about your activity, without any further action from you. This occurs whether or not you have a Facebook account or are logged in.” When a user agrees to import contacts, Facebook will collect not only the address book, but also a user’s call log and SMS log history: “We also collect contact information if you choose to upload, sync or import it from a device (such as an address book or call log or SMS log history)…” Another interesting point is that Facebook collects “device operations,” which includes “whether a window is foregrounded or backgrounded, or mouse movements.” It also collects device signals, including “Bluetooth signals, and information about nearby Wi-Fi access points, beacons, and cell towers.” Lastly, it collects network information about “other devices that are nearby or on your network.” Furthermore, we found it worth noting that Facebook requires that users have only one account and provide “accurate information” about themselves, including using the name they use in their everyday lives. Comparatively, MeWe’s first party collection is minimal: it collects the account creation information, UGC, engagement and usage, and log data that includes device information, IP address, OS, etc. Third party sharing and collection Facebook: OK MeWe: good Facebook shares a user’s data across its integrated products. It also provides aggregated data and insights to its partners and other businesses, for research and academic purposes, and provides anonymous engagement data for advertisers. Their Terms of Service make it clear that they don’t sell a user’s personal data or access to that personal data to advertisers: “We don’t sell your personal data to advertisers, and we don’t share information that directly identifies you (such as your name, email address or other contact information) with advertisers unless you give us specific permission.” MeWe also makes it clear what kind of data they share with third parties: “We don’t track you to sell your data to third parties, and we don’t track you to manipulate your newsfeed and we don’t track you when you are not on MeWe.“ They also emphasize that they don’t use third-party cookies “to target” or “market” to their customers. They provide data to operating partners, as well as any payment-related data. User options Facebook: good MeWe: OK While MeWe has the more attractive offering, Facebook has a larger list of options for users to choose, control, access, modify and delete data. Most options are included in the user’s privacy settings. Its cookie policy also provides options for users to control what kind of ads they see. While MeWe has these same features, Facebook allows for users to download all their account data, or delete all of their content by deleting their account. MeWe does not provide this option in its documentation, only stating that users have the “right to delete your account and take your content with you at any time” – without explicitly providing any mechanism to move that data. Data retention and security Facebook: bad MeWe: OK Facebook promises to delete user data within 90 days. MeWe does not specifically state a maximum time frame until it deletes a user’s data, only stating that it will delete the data from its production servers “as soon as is technically possible.” MeWe does state that it incorporates a 30-day delay for deletion requests, and that it will delete a user’s data from its backups within 7 months. It also states that it will delete Log Data, such as the username, IP address, or email address “after a maximum of 12 months.” Facebook does not have a clear or dedicated section for security in its privacy policy, providing only a small sentence in its ToS that it will “exercise professional diligence” to keep the service “a safe, secure and error-free environment.” MeWe dedicates three sentences to its security, including encrypting personal information (but not saying what kind of encryption), and using HTTPS for “most, if not all” requests. Summary Facebook: OK MeWe: good MeWe is better in terms of data collection and processing since it has no ads and collects and processes less data. Facebook also shares more data with third parties, and doesn’t offer any information about the platform’s security. Facebook does, however, have better user options than MeWe. YouTube and Rumble Rumble is a video-sharing platform and YouTube alternative that is largely filled with conservative content, regularly related to debunked conspiracy theories. Rumble’s Android app has been installed at least half a million times, and its website received 83 million visits in December, up from 1.5 million in August (according to SimilarWeb). YouTube Rumble Documents [1],[2],[3] [1] Words 9313 2987 Reading time 71.6 23 Reading ease 50.3 36.6 Network requests 21 5 First party collection and use YouTube: bad Rumble: OK Because YouTube is a Google product, all of the important data collection documents for YouTube are actually for Google at large. Perhaps because of this reason it is much wider, and each document contains less specific information since it seems written to apply to so many Google products. However, unless YouTube is specified, we assume these data collection policies apply to all Google products. YouTube’s personal information collection is similar to other platforms – account creation and any payment information – but it is distinguished in that publicly available information is also collected: “In some circumstances, Google also collects information about you from publicly accessible sources.“ Naturally, this applies to Google’s search engine, but how much is information shared across Google’s products? The UGC collected by YouTube is pretty standard, with the specification that YouTube users’ engagement activity offsite is also collected. Similarly, device information collected is pretty broad, covering Android-related analytics, log data, and location data – which includes GPS, IP address, device sensor data, plus wifi access points and Bluetooth-enabled devices near the user’s device. Rumble in comparison collects much less. It collects standard account creation information, plus any information collected when a user creates an account using a third-party social platform. Rumble doesn’t list collecting/processing UGC, and doesn’t directly state that the platform processes imported contacts. However, its “Changing or Deleting Your Information” section allows the user to delete “any imported contacts.” Third party sharing and collection YouTube: bad Rumble: OK YouTube’s (Google’s) third-party data sharing is largely confined to any account administrators that the user may have, Google’s business partners, anonymized ad reporting, and in response to legal requests. It allows third parties to collect users’ browser or device information for advertising and measurement, using their own third-party cookies, beacons, etc. Rumble’s sharing practices are pretty standard, but practically less than YouTube’s. It shares aggregate or non-identifying data with third parties for analysis, profiling, and other purposes. It also shares data with vendors, linked social media sites, and of course in response to legal requests. User options YouTube: good Rumble: bad YouTube (Google) allows users to control their privacy via their account/privacy settings. This includes ad setting and YouTube history settings. YouTube (Google) also allows users easy ways to manage, review and update their info, and delete their content or entire accounts.This includes the ability to download all collected account data. Rumble offers limited choices, at least in its privacy policy. Users can opt out of emails, change cookie settings, and remove linked social accounts. There is no option to download all accumulated account data, and Rumble’s allows users to “review, update, correct or delete the Personal Information” in their accounts. Data retention and security YouTube: good Rumble: bad YouTube (Google) gives good information on varying data retention periods. They specify that content data and activity information can be deleted whenever a user prefers, while advertising data is deleted or anonymized automatically at set periods of time. In order to get a clearer picture, we had to go to Google’s designated data retention page. Here, Google claims to delete information immediately from public view when the user requests it, and then begins the process to remove it from their systems, which generally takes two months, plus the standard 30-day waiting period – but it does not provide a maximum allowed time. Ad log data is anonymized by removing part of the IP address after 9 months and removing cookie information after 18 months. However, it appears that this data is never deleted. YouTube (Google) has a dedicated security section, the most in-depth of all the platforms here. Rumble has a less attractive data retention policy. It does not provide detailed information on what the retention periods are for various types of data. It also implies that not all the information may be deleted. Its entire data retention policy is concluded in a few sentences: The privacy policy directs users to go to their Terms of Services page (which is actually their “Terms & Conditions”) and section “Sharing Your Content” apparently for more information on data retention. However, no such section exists on its Terms & Conditions page, and there is no further information on data retention. Rumble does, at least, have a designated section for security, although the promises are sparse, as they commit to “use commercially reasonable safeguards” to protect user data. However, it also includes a breach notification section in which it will communicate to their users via email or “conspicuous posting” on Rumble as soon as possible. None of the other platforms have this information. Summary YouTube: OK Rumble: bad YouTube narrowly beats out Rumble in terms of its data collection and processing policies. YouTube (Google) collects and processes too much data, but it offers better user choices, offers data portability, and has clearer data retention policies. While Rumble collects less data, it doesn’t offer as many options for the user. Reddit and Voat (R.I.P.) Voat was a Reddit clone that allowed for “free speech” without moderation, except in extreme cases, and offered users the chance to share in ad revenue. Voat shut down its services on December 25, 2020, apparently after an investor backed out in March. It had about 3 million monthly visitors. Reddit Voat Documents [1] [1],[2] Words 4305 2173.0 Reading time 33.1 16.7 Reading ease 39.5 39.8 Network requests 14 N/A First party collection and use Reddit: OK Voat: bad Reddit collects the standard personal information (account creation information, payment data and other information provided by the user), UGC and engagement activity, and device information (log and usage data, cookies, and IP address, Bluetooth or GPS location data). Voat’s first party collection policy is non-standard, since it provides almost no real information. It claims to collect account creation information, log and usage data and cookies. But it doesn’t discuss the UGC or engagement data that a social platform normally collects. Third party sharing and collection Reddit: OK Voat: bad Reddit shares user data in a standard way. However, it also claims to share data with any “parents, affiliates, subsidiaries, and other companies under common control and ownership.” Beyond that, it interestingly notes that it will also share personal information in emergency situations “to prevent imminent and serious bodily harm to a person.” While common sense would dictate that Voat has similar data sharing practices to other platforms here, it only admits to using Google Recaptcha: “Voat uses Google Recaptcha in order to minimize spam. For more information about how Google handles recorded data, please consult the Google Privacy Policy.” User choice Reddit: good Voat: bad Reddit provides users with a detailed list of options, including editing and deleting information, removing linked services, changing cookie settings, opting out of ads and Do Not Track, mobile notifications and even location settings. Reddit also provides information on how to delete content or the entire account, plus it allows users to submit a request to get all their account and activity data. However, it may take up to 30 days to process the request. Unsurprisingly, Voat offers no information about any user choices to update settings or access, edit and delete their information. Data retention and security Reddit: bad Voat: bad Reddit’s data retention policy is very short and provides no practical information: “We store the information we collect for as long as it is necessary for the purpose(s) for which we originally collected it. We may retain certain information for legitimate business purposes or as required by law.” It does have a separate section for security, however, with information on HTTPS usage and access controls for its employees. Voat, again unsurprisingly, has practically no information on its data retention practices. In its Terms & Conditions, it discusses its security with the following: “Please don’t hack us We support the responsible reporting of security vulnerabilities. To report a Voat security issue, please send an email to [email protected]” Summary Reddit: OK Voat: bad Reddit is the clear winner here as Voat’s data collection documents are too short, vague and practically useless to give users a good idea of what data is collected and what happens to that data. TikTok and Triller Triller is a short-form video sharing platform similar to TikTok that was popularized when Trump first raised concerns about TikTok. Triller’s Android app has been installed more than 10 million times. TikTok’s data collection policies can be found in its comprehensive privacy policy, which lists three different versions for US, European and non-European/non-US users. It’s worth noting that the European version is 67% longer than the US version. TikTok Triller Document [1] [1] Words 2964 8629.0 Reading time 22.8 66.4 Reading ease 37.1 44.3 Network requests 54 32 First party collection and use TikTok: bad Triller: bad TikTok’s data collection is for the most part standard – account creation and payment information for the personal information category. The also list that they collect “information to verify an account,” which is common for Parler, Facebook, and other platforms at certain points (for example, Facebook will ask for verification if there is a problem or some suspicions around your account, whereas Parler will ask for verification information immediately when you join the platform). Interestingly, however, is that they also claim to collect information about users “from other publicly available sources.” This is understandable for YouTube (Google), since it’s a search engine, but less clear in TikTok’s case. Content-wise, they collect uploaded contact information, UGC, engagement, etc. They also collect device information and location data (from the SIM card and/or IP address, or GPS with the user’s permission). Triller seems to collect a similar amount of data. However, the one aspect that is worth notice is that Triller doesn’t handle its own messaging. Instead, it outsources all messaging functionality to a third-party known as Quickblox (even though Triller spells it “Quickblocks”). Triller still collects message-related data, including: “Personal Information, in the context of composing, sending, or receiving messages to other Users (that means the content as well as information about when the message has been sent, received and/or read and the participants of the communication) through our Service’s messaging functionality.” However, Triller’s privacy policy doesn’t state whether Quickblox collects and processes this data as well. When we approached Quickblox about this, a representative told CyberNews that “we no longer have a business relationship with Triller and we will be in contact with them to remove our mis-spelt name from their website.” Third party sharing and collection TikTok: OK Triller: OK TikTok has been accused of sharing user data with the Chinese government. However, inside its privacy policies there is nothing particularly salacious. They share data with third party vendors and analytics, payment processors, researchers, anonymized ad data, etc. They also share data in response to legal requests, and “with consent” linked social accounts. Lastly, they claim to share user information with “a parent, subsidiary, or other affiliate of our corporate group.” While its parent company is Chinese, TikTok has repeatedly claimed to not share user data with the Chinese government, or even store data in China. Triller has nearly the same data sharing policy, with the addition of allowing third-party tracking cookies and other technology from ad partners who “may collect Personal Information when you visit the Platform or other online websites and services.” User options TikTok: bad Triller: bad Users have a variety of choices on TikTok to control the amount of data being collected. This includes disabling cookies, opting out of ads, limiting location data, and accessing or editing account information; TikTok aso respects Do Not Track requests. However, TikTok doesn’t provide a way for users to download all their account data. Furthermore, there is no easy way to delete content besides doing so manually on a video-by-video basis or deleting the entire account. Even when deleting an account, it’s not clear if the account data is deleted from TikTok’s systems. Instead, they require users to send a request via email or physical post to view or delete all collected data: “You may submit a request to access or delete the information we have collected about you by sending your request to us at the email or physical address provided in the Contact section at the bottom of this policy. We will respond to your request consistent with applicable law and subject to proper verification.“ At least, this is the US version of their privacy policy. The EU version is longer, but it doesn’t present much better options: “You can ask us, free of charge, to confirm we process your personal data and for a copy of your personal data.” It is almost laughable, in view of the other social platforms in this research, that they mention the ability to ask them to confirm or download all account data as “free of charge,” or in general that they expect users to send physical mail to do so. Triller doesn’t fare much better. It allows users to change location settings, cookies, and access or edit their account information. However, it does not respect Do Not Track, instead claiming that “many websites and online services” follow the same practice. When it comes to data portability, or allowing the account holder to view and get a copy of the accumulated account information, they have a pretty similar position as TikTok’s EU version. In Triller’s version, data portability and data deletion requests are to be sent to an email address only, but the information that can be requested only covers “the past 12 months.” Data retention and security TikTok: bad Triller: bad TikTok and Triller also have similar approaches to data retention and security. That is to say: they do not have any clear data retention policies, but they do have a separate section on security. TikTok’s security section is small, with only three sentences and no practical information. While Triller’s security section is much larger at 8 sentences, the information is only vaguely helpful with promises of “generally accepted industry standards” for account security. Summary TikTok: bad Triller: bad Overall, both TikTok and Triller perform poorly, requesting too much data, providing too few user options, and a lack of clear data retention and difficult data portability. For Recommendations see the legitimate post at: https://cybernews.com/privacy/how-parler-twitter-facebook-mewe-data-policies-compare/ Source: Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe’s data policies compare
  5. Senator Marco Rubio (R-Fla.) introduced a bill Wednesday aimed at creating federal standards of privacy protection for major internet companies like Facebook, Amazon, and Google. The bill, titled the American Data Dissemination Act, requires the Federal Trade Commission to make suggestions for regulation based on the Privacy Act of 1974. Congress would then have to pass legislation within two years, or the FTC will gain the power to write the rules itself (under current laws, the FTC can only enforce existing rules). While Rubio’s bill is intended to reign in the data collection and dissemination of companies like Facebook, Amazon, Apple, Google, and Netflix, it also requires any final legislation to protect small businesses from being stifled by new rules. “While we may have disagreements on the best path forward, no one believes a privacy law that only bolsters the largest companies with the resources to comply and stifles our start-up marketplace is the right approach,” Rubio wrote in an op-ed for The Hill, announcing his bill. The caveat comes when one considers states’ rights to create their own privacy laws. Under Rubio’s legislation, any national regulations would preempt state laws—even if the state’s are more strict. According to Rubio, “a state-by-state patchwork of laws is simply not an effective means of dealing with an issue of this magnitude.” This is a sentiment echoed by the major internet companies, who argue navigating widespread federal regulation is simpler than potentially managing dozens of different laws. Democrats have said they would only support federal regulation if it can hold a candle to state laws like those expected to go into effect in California in 2020. According to Axios, other privacy proposals are expected, including one from a bipartisan group of senators. Rubio’s bill reportedly has no co-sponsors at this time. Source
  6. An analysis of 11,430 Play Store apps found that 14.2% used a privacy policy with contradicting statements about user data collection practices. A large number of Android mobile apps listed on the official Google Play Store contain self-contradictory language in their privacy policies in regards to data collection practices. In an academic study published last year, researchers created a tool named PolicyLint that analyzed the language used in the privacy policies of 11,430 Play Store apps. They found that 14.2% (1,618 apps) contained a privacy policy with logical contradicting statements about data collection. Examples include privacy policies that stated in one section that they do not collect personal data, only to contradict themselves in subsequent sections, where they state they collect emails or customer names -- which are clearly personally-idenfiable information. In some cases, templates are to blame While the research team could not determine the app maker's intent in using contradicting statements in their privacy policy, researchers feel the primary purpose was to mislead users if they ever took the time to read the policies. However, they also discovered evidence of the contrary. For example, the research team found 59 apps that used online services to auto-generate a privacy policy. A deeper look at the online services revealed that the self-contradicting statements were part of the template itself, and not the app maker's addition. "I think we found four-five different templates," said Benjamin Andow, of IBM Research, and one of the study's authors. However, the vast majority of other privacy policies were unique to each app, and did not appear to be the result of an accident. In these cases, the research team says these app makers are susceptible to fines from EU and US privacy watchdogs. "Self-contradictions can lead to the identification of deceptive statements, which are enforceable by the FTC and the DPAs (data protection authorities) of the EU," Andow said, suggesting that their research could be used to track down GDPR abusers. Notifying vendors Furthermore, part of the process of verifying the accuracy of the PolicyLint tool, the research team also took a sample of 510 privacy policies with contradicting statements and manually verified their correctness. Since this process involved a careful analysis of the entire app's policy, the research team also took to notifying the app maker about its inaccurate privacy policy. From the 510 apps, the research team found contact emails for 260 developers, which they notified via email. Of the 260, 244 received the email, as 16 of the public contact email addresses ended up being either invalid or unreachable. Of the 244 emails they send, researchers said they only received 11 replies, following which, only three developers corrected their policies. More details are available in the team's white paper, entitled "PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play," available for download in PDF format from here or here. The team includes researchers and academics from North Carolina State University, University of Illinois at Urbana-Champaign, and IBM Research. The paper's findings are somewhat consistent to another 2019 study named "On The Ridiculousness of Notice and Consent:Contradictions in App Privacy Policies." This separate study analyzed a bigger sample of Play Store apps for inconsistencies between data collection practices and what was explicitly disclosed in privacy policies. The research team found out that 10.5% of 68,051 apps they analyzed shared personal data with third-party services, yet they did not declare it in their privacy policies. Further, only 22.2% of the 68,051 apps explicitly named third-party partners or affiliates in their privacy policies, with the vast majority of apps hiding where collected user data ends up. Source
  7. Don’t worry. They want it to be safe.🤣 Justin Paine sits in a pub in Oakland, California, searching the internet for your most sensitive data. It doesn't take him long to find a promising lead. On his laptop, he opens Shodan, a searchable index of cloud servers and other internet-connected devices. Then he types the keyword "Kibana," which reveals more than 15,000 databases stored online. Paine starts digging through the results, a plate of chicken tenders and fries growing cold next to him. "This one's from Russia. This one's from China," Paine said. "This one is just wide open." From there, Paine can sift through each database and check its contents. One database appears to have information about hotel room service. If he keeps looking deeper, he might find credit card or passport numbers. That isn't far-fetched. In the past, he's found databases containing patient information from drug addiction treatment centers, as well as library borrowing records and online gambling transactions. Paine is part of an informal army of web researchers who indulge an obscure passion: scouring the internet for unsecured databases. The databases -- unencrypted and in plain sight -- can contain all sorts of sensitive information, including names, addresses, telephone numbers, bank details, Social Security numbers and medical diagnoses. In the wrong hands, the data could be exploited for fraud, identity theft or blackmail. The data-hunting community is both eclectic and global. Some of its members are professional security experts, others are hobbyists. Some are advanced programmers, others can't write a line of code. They're in Ukraine, Israel, Australia, the US and just about any country you name. They share a common purpose: spurring database owners to lock down your info. The pursuit of unsecured data is a sign of the times. Any organization -- a private company, a nonprofit or a government agency -- can store data on the cloud easily and cheaply. But many software tools that help put databases on the cloud leave the data exposed by default. Even when the tools do make data private from the start, not every organization has the expertise to know it should leave those protections in place. Often, the data just sits there in plain text waiting to be read. That means there'll always be something for people like Paine to find. In April, researchers in Israel found demographic details on more than 80 million US households, including addresses, ages and income level. No one knows how big the problem is, says Troy Hunt, a cybersecurity expert who's chronicled on his blog the issue of exposed databases. There are far more unsecured databases than those publicized by researchers, he says, but you can only count the ones you can see. What's more, new databases are constantly added to the cloud. "It's one of those tip-of-the-iceberg situations," Hunt said. To search out databases, you have to have a high tolerance for boredom and a higher one for disappointment. Paine said it would take hours to find out whether the hotel room service database was actually a cache of exposed sensitive data. Poring over databases can be mind-numbing and tends to be full of false leads. It isn't like searching for a needle in a haystack; it's like searching fields of haystacks hoping one might contain a needle. What's more, there's no guarantee the hunters will be able to prompt the owners of an exposed database to fix the problem. Sometimes, the owner will threaten legal action instead. Database jackpot The payoff, however, can be a thrill. Bob Diachenko, who hunts databases from his office in Ukraine, used to work in public relations for a company called Kromtech, which learned from a security researcher that it had a data breach. The experience intrigued Diachenko, and with no experience he dove into hunting databases. In July, he found records on thousands of US voters in an unsecured database, simply by using the keyword "voter." "If me, a guy with no technical background, can find this data," Diachenko said, "then anybody in the world can find this data." In January, Diachenko found 24 million financial documents related to US mortgages and banking on an exposed database. The publicity generated by the find, as well as others, helps Diachenko promote SecurityDiscovery.com, a cybersecurity consulting business he set up after leaving his previous job. Publicizing a problem Chris Vickery, a director of cyberrisk research at UpGuard, says big finds raise awareness and help drum up business from companies anxious to make sure their names aren't associated with sloppy practices. Even if the companies don't choose UpGuard, he said, the public nature of discoveries helps his field grow. Earlier this year, Vickery looked for something big by searching on "data lake," a term for large compilations of data stored in multiple file formats. The search helped his team make one of the biggest finds to date, a cache of 540 million Facebook records that included user's names, Facebook ID numbers and about 22,000 unencrypted passwords stored in the cloud. The data had been stored by third-party companies, not Facebook itself. "I was swinging for the fences," Vickery said, describing the process. Getting it secured Facebook said it acted swiftly to get the data removed. But not all companies are responsive. When database hunters can't get a company to react, they sometimes turn to a security writer who uses the pen name Dissent. She used to hunt unsecured databases herself but now spends her time prompting companies to respond to data exposures that other researchers find. "An optimal response is, 'Thank you for letting us know. We're securing it and we're notifying patients or customers and the relevant regulators,'" said Dissent, who asked to be identified by her pen name to protect her privacy. Not every company understands what it means for data to be exposed, something Dissent has documented on her website Databreaches.net. In 2017, Diachenko sought her help in reporting exposed health records from a financial software vendor to a New York City hospital. The hospital described the exposure as a hack, even though Diachenko had simply found the data online and didn't break any passwords or encryption to see it. Dissent wrote a blog post explaining that a hospital contractor had left the data unsecured. The hospital hired an external IT company to investigate. Tools for good or bad The search tools that database hunters use are powerful. Sitting in the pub, Paine shows me one of his techniques, which has let him find exposed data on Amazon Web Services databases and which he said was "hacked together with various different tools." The makeshift approach is necessary because data stored on Amazon's cloud service isn't indexed on Shodan. First, he opens a tool called Bucket Stream, which searches through public logs of the security certificates that websites need to access encryption technology. The logs let Paine find the names of new "buckets," or containers for data, stored by Amazon, and check whether they're publicly viewable. Then he uses a separate tool to create a searchable database of his findings. For someone who searches for caches of personal data down between the couch cushions of the internet, Paine doesn't display glee or dismay as he examines the results. This is just the reality of the internet. It's filled with databases that should be locked behind a password and encrypted but aren't. Ideally, companies would hire experts to do the work he does, he says. Companies, he says, should "make sure your data isn't leaking." If that happened more often, Paine would have to find a new hobby. But that might be hard for him. "It's a little bit like a drug," he said, before finally getting around to digging into his fries and chicken. Source
  8. Faces for cookware: data collection industry flourishes as China pursues AI ambitions PINGDINGSHAN, China (Reuters) - In a village in central China’s Henan province, amid barking dogs and wandering chickens, villagers gather along a dirt road to trade images of their faces for kettles, pots and tea cups. At the front of the line, a woman stands in front of a camera zip-tied to a tripod. She holds a photograph of her head with the eyes and the nose cut out in front of her face and slowly rotates side to side. Villagers waiting their turn take a numbered ticket. Some of them say it’s the third or fourth time they’ve come to do this sort of work. The project, run out of a sleepy courtyard village house adorned with posters of former China leader Mao Zedong, is collecting material that could train AI software to distinguish between real facial features and still images. “The largest projects have tens of thousands of people, all of whom live in this area.” said Liu Yangfeng, CEO at Qianji Data Co Ltd, which collects and labels data for several of China’s largest tech firms and is based in the nearby city of Pingdingshan. “We are creating more data sets to serve more AI algorithm companies, so they can serve the development of artificial intelligence in China,” said Liu, declining to disclose his clients. The boom in demand for data to train AI algorithms is feeding a new global industry that gathers information such as photos and videos, which are then labeled to tell the machines what they are seeing. Companies involved in data labeling or data annotation as it is also called include crowdsourcing platforms such as Amazon.com’s (AMZN.O) Mechanical Turk which offer users small amounts of money in return for simple tasks, outsourcing firms such as India’s Wipro Ltd (WIPR.NS) as well as professional labellers like Qianji. Cognilytica, a U.S. research firm specializing in AI, estimates the global market for machine-learning related data annotation grew 66% to $500 million in 2018 and is set to more than double by 2023. Some industry insiders say, however, that much of the work done is not disclosed, making accurate estimates difficult. FILE PHOTO: Employees work on labeling different items for data collection on computer screens, which would serve for developing artificial intelligence (AI) and machine learning technology, at the Qian Ji Data Co in Jia county, Henan province, China March 20, 2019. REUTERS/Irene Wang WEAK PRIVACY LAWS, CHEAP LABOR China has emerged as a key hub for data collection and labeling thanks to insatiable demand from a burgeoning artificial intelligence sector backed by the ruling Communist Party, which sees AI as an engine of economic growth and a tool for social control. A plethora of firms have invested heavily in an area of AI known as machine learning, which is at the core of facial recognition technology and other systems based on finding patterns in data. These include tech giants Alibaba Group Holding Ltd (BABA.N), Tencent Holding Ltd (0700.HK), Baidu Inc (BIDU.O) as well as younger companies such as AI specialist SenseTime Group Ltd and speech recognition firm Iflytek Co Ltd (002230.SZ). The result has been a proliferation of AI products and services in China, from facial recognition-based payment systems to automated surveillance and even AI-animated state media news anchors. Chinese consumers mostly see these technologies as novel and futuristic, despite concerns raised by some over more invasive applications. Weak data privacy laws and cheap labor have also been a competitive advantage for China as it races to become a global leader in AI. The Henan villagers were happy to trade several sessions in front of a camera for a tea cup, or several hours for a stove-top pot. OVERSEAS CUSTOMERS Beijing-based BasicFinder, a leading data labeling firm with locations across Hebei, Shandong and Shanxi provinces, boasts a robust mix of domestic and overseas clients. At a recent visit to its Beijing offices, some staff were labeling images of sleepy people that will be used by an autonomous driving project to identify drivers who might be falling asleep at the wheel. Others were labeling British documents from the 1800s for a Western online ancestry service, marking fields for dates, names and genders on birth and death certificates. According to BasicFinder Chief Executive Du Lin, hiring trained labellers in China is cheaper than using Western crowdsourcing marketplaces. A Princeton University project related to autonomous driving initially put a task on Amazon’s Mechanical Turk but as the task became more complicated, people began making mistakes and BasicFinder was brought in to help correct the results, said Du. In that project, one trained BasicFinder labeler was able to do the work of three crowdsourced labellers, he added. “Gradually they saw they were paying less for labeling from us, so they hired us to label all the works from the very beginning,” said Du. Princeton declined to comment. For labeling employees, the reasons for joining China’s data industry are straightforward. The work, though sometimes tedious, is an upgrade on other jobs available to young workers who want to return home to small Chinese cities and villages. Labellers at Qianji make roughly 100 yuan ($14.50) a day marking data points on photographs of people, surveillance footage and street images. The work is usually simple, according to the employees, though some overseas content poses a challenge. “One time we thought we were classifying Europe-style cooker machines that have a washer attached,” said Jia Yahui, a labeler at Qianji. “Later we were told it’s actually two separate things, a stove and a dishwasher.” The labeling work brings some of the employment benefits of the tech sector to rural areas, but those benefits may prove short-lived if AI improves enough to perform many of the tasks labellers do. “We think this industry will still exist in three to five years. It may not be a long-term career - we can only think of the five-year plan for now,” said Qianji CEO Liu. Source: Faces for cookware: data collection industry flourishes as China pursues AI ambitions
  9. Over the weekend, privacy concern were raised regarding how Microsoft Edge is uploading the URLs to SmartScreen without hashing them first. After further testing by BleepingComputer, we learned that Windows 10 also transmits a great deal of potentially sensitive information about your applications to SmartScreen when you attempt to run them. Over the weekend, security researcher Matt Weeks spotted Microsoft Edge sending the URL of a site being visited to SmartScreen. When sent this, this URL was not obfuscated or hashed in any way. which raised concerns that Microsoft could track what sites you visit. When communicating with SmartScreen, Edge will send a JSON encoded POST request to https://nav.smartscreen.microsoft.com/windows/browser/edge/service/navigate/4/sync that includes information about the URL that is being checked. BleepingComputer was able to confirm this behavior using Fiddler that showed the following JSON being sent to Microsoft over a secure connection. Unhashed URL being sent to SmartScreen In addition to sending the URL in an unhashed form, Microsoft Edge for some reason also sent the logged in user's SID, or Security Identifier, to Microsoft. A SID is a unique identifier created by Windows when a new account is added to the operating system. Sending a users SID Many of the users in the Twitter thread have expressed concerns that sending the URL in an unhashed form is a privacy risk as it could allow Microsoft to see a user's browsing history. The addition of also sending a user's SID just added to the concerns. SmartScreen for applications exposes even more data While Weeks' research focused on how SmartScreen operates when browsing the web, in tests by BleepingComputer you can see that SmartScreen also exposes a great deal of private information when launching an executable. By default, Windows 10 will enables a feature called "Check apps and files" that uses Windows Defender SmartScreen to warn you if a file is malicious before you execute it. Check apps and files setting After downloading a file and attempting to open it, Windows 10 will connect to https://checkappexec.microsoft.com/windows/shell/service/beforeExecute/2 and send a variety of information about the file. In our tests, some of the information transmitted by Windows 10 includes the full path to the file on your computer and the URL you downloaded the file from. None of this information is hashed in any way. For example, I uploaded a small utility called md5sum.exe to WeTransfer.com. I then downloaded that file on another Windows 10 PC and tried to execute it. As you can see from the image below, Windows transmitted to the SmartScreen service the URL where the file was downloaded from and the full path to file's location on my test computer. File information sent to Microsoft This information could expose a tremendous amount of sensitive and private information to Microsoft. This includes private download URLs for sensitive files and the folder structure of internal Windows systems and networks. While we do not recommend you do this, the only way to prevent this information from being shared is to disable this feature. Microsoft has always disclosed that urls and file info are shared After reading Weeks' tweet, many users immediately cried foul at Microsoft, but the reality is that Microsoft is not doing anything they haven't said they were doing. As shown by Microsoft Edge developer Eric Lawrence, Microsoft has clearly stated from as early as 2005 and in more recent documentation that the URL and file information is being sent to Microsoft over a secure connection when using SmartScreen. Information sent to SmartScreen While they are not doing anything sneaky, Microsoft can modify how URLs are sent so that they are hashed in a similar way that Chrome SafeBrowsing does it. In a world where people are finally waking up to how little control they have over their data and how it is being used, this tradeoff may be worth it to put customers at ease. Chromium-based Microsoft Edge no longer sends SID The sending of the SID was an odd thing and does not seem to be referenced anywhere in Microsoft's SmartScreen documentation. The good news is that the new Chromium-based Microsoft Edge no longer sends the SID during a SmartScreen request. It does, though, continue to send an unhashed URL. That practice will only end if and when Microsoft decides to start hashing the URLs, which probably would require significant code changes across many of their products. Source
  10. Two House lawmakers are pushing an amendment that would effectively defund a massive data collection program run by the National Security Agency unless the government promises to not intentionally collect data of Americans. The bipartisan amendment — just 15 lines in length — would compel the government to not knowingly collect communications — like emails, messages and browsing data — on Americans without a warrant. Reps. Justin Amash (R-MI, 3rd) and Zoe Lofgren (D-CA, 19th) have already garnered the support from some of the largest civil liberties and rights groups, including the ACLU, the EFF, FreedomWorks, New America and the Sunlight Foundation. The Amash-Lofgren amendment Under the current statute, the NSA can use its Section 702 powers to collect and store the communications of foreign targets located outside the U.S. by tapping into the fiber cables owned and run by U.S. telecom giants. But this massive data collection effort also inadvertently vacuums up Americans’ data, who are typically protected from unwarranted searches under the Fourth Amendment. The government has consistently denied to release the number of how many Americans are caught up in the NSA’s data collection. For the 2018 calendar year, the government said it made more than 9,600 warrantless searches of Americans’ communications, up 28% year-over-year. In a letter to lawmakers, the groups said the amendment — if passed into law — would “significantly advance the privacy rights of people within the United States.” A coalition of tech giants — including Apple, Facebook, Google and Microsoft — also rallied behind the amendment. “RGS believes this amendment is a step in the right direction for U.S. foreign intelligence surveillance policy,” said the Reform Government Surveillance group in a statement. (Verizon Media, which owns TechCrunch, is also a coalition member.) Last year, Section 702 was reauthorized with almost no changes, despite a rash of complaints and concerns raised by lawmakers following the Edward Snowden disclosures into mass surveillance. The EFF said in a blog post Tuesday that lawmakers “must vote yes in order to make this important corrective.” Updated with statement from the tech coalition. Source
  11. A year on from launch, Click looks at the impact of GDPR, and how getting access to your data may still not be as easy as you think.
  12. Apple pitches itself as the most privacy-minded of the big tech companies, and indeed it goes to great lengths to collect less data than its rivals. Nonetheless, the iPhone maker will still know plenty about you if you use many of its services: In particular, Apple knows your billing information and all the digital and physical goods you have bought from it, including music, movie and app purchases. A different approach: But even for heavy users, Apple uses a number of techniques to either minimize how much data it has or encrypt it so that Apple doesn't have access to iMessages and similar personal communications. Between the lines: Apple is able to do this, in part, because it makes its money from selling hardware, and increasingly from selling services, rather than through advertising. (It does have some advertising business, and it also gets billions of dollars per year from Google in exchange for being Apple's default search provider.) But Apple maintains that its commitment to privacy is based not just on its business model but on core values. How it works: In order to collect less data, Apple tries to do as much work on its devices as possible, even if that sometimes means algorithms aren't as well tuned, processing is slower, or the same work gets done on multiple devices. Photos are a case in point. Even if you store your images in Apple's iCloud, Apple does the work of facial identification, grouping, labeling and tagging images on the Mac or iOS device, rather than on the service's own computers. Some of the most sensitive data that your device collects, including your fingerprint or Face ID, stay on the device. Maps While Apple does need to do some processing in the cloud, it takes a number of steps to protect privacy beyond its competitors. First, the identification and management of significant locations like your home and work is done on the device. And the location information that does get sent up to the cloud is tied to a unique identifier code rather than a specific individual's identity — and that identifier changes over time. Location information Beyond Apple's Maps program, other applications, including some from Apple, can make use of location data with user permission. Apple is adding new options with iOS 13, due this coming fall, including: The ability for users to share their location with an app just once, rather than giving ongoing access. For apps that are making routine background use of location, Apple is also letting users review a map of the locations these apps are seeing, so they can decide if that is information they really want to be sharing. Email If you get your mail provided by Apple (via icloud.com, mac.com, etc.), the company will store your email and will scan it for spam, viruses and child pornography, as is common in the industry. Email will also be made available to law enforcement when Apple is presented with a lawful warrant. iCloud This is the area where Apple stores potentially the most personal information, although it doesn't make use of it for advertising or other business purposes. iCloud backups can include messages, photos and Apple email, though Apple stresses it won't look at the information and will only hand it over to others if forced by a court to do so. Messages Apple messages, the ones with the blue bubble, are encrypted end-to-end, so that only the sender and recipient can see them — not Apple, nor a carrier or any other intermediary. However, if you back up your messages to iCloud, a copy is kept on Apple's servers so if you lose your device and need to replace it, Apple you can restore them. Users can make an encrypted back up using iTunes on a Mac or PC, or keep no backup at all. Safari If you use Apple's Safari browser, Apple stores your bookmarks tied to your Apple ID; they're encrypted, but Apple holds a key. Beginning in iOS 13 and Catalina, the next MacOS, Safari browsing history will be fully encrypted and Apple will have no access. There's also data that goes to Apple's search partners. Google is the default, but you can also choose Yahoo, Bing or DuckDuckGo. You can also choose whether to send each keystroke as you type in the search bar, enabling autocomplete, or just to send the data when you hit "enter." Siri Many Apple devices have a chip that is listening for the "Hey Siri" wake word, but it's only at that point that Apple starts recording audio. Some commands, like what's next on your schedule, can be processed locally, while others do get sent to Apple's servers. Apple doesn't tie this data directly to a person's Apple ID, but uses a unique identifier. A user can reset that identifier, but then Siri will lose the personalization it has gained. Per Apple, "User voice recordings are saved for a six-month period so that the recognition system can utilize them to better understand the user’s voice. After six months, another copy is saved, without its identifier, for use by Apple in improving 
and developing Siri for up to two years." Apple Pay Apple doesn't store your payment information or purchase record as part of Apple Pay (It does have history and payment information for your Apple purchases). Apple Pay merchants get a token, not your actual credit card information. TV and Music Apple knows the music, shows and apps you purchase. In addition, in order to deliver on the feature of the TV App that allows users to pick up where they left off across multiple shows, multiple apps, and multiple devices, and to make personalized recommendations, Apple does capture and store viewing history. But it says it notifies users, stores as little data as possible for as little time as possible, and allows users to opt out (although this prevents some features from fully working). What you can do Users have a number of choices to further minimize what Apple knows, though there are often downsides. You can choose to download an encrypted iCloud backup only to your Mac or PC rather than keep it on Apple's server, but if you lose that device or forget the password for the backup file, Apple won't be able to help recover lost data. You can also download the information Apple has on you at privacy.apple.com. You can delete data stored on your device, such as email, messages, photos, and Safari data like history and bookmarks. You can delete your data stored on iCloud. You can reset your Siri identifier by turning Siri and Dictation off and back on, which effectively restarts your relationship with Siri and Dictation. Source
  • Create New...