Today, the much-anticipated findings of President Obama’s National Security Agency task force have hit the wire. The non-binding, 200-page report of 40-plus recommendations calls for the end of many of the most controversial programs.
Here are the big takeaways:
1. The government would no longer hold on to phone records in bulk. Instead, phone companies might warehouse the data for individual requests from the government. The recommendations say that the government should only access such data with a specific purpose, so it’s unknown how the NSA would continue to mine networks for patterns — or if it would be allowed to at all.
Here’s the important quote, “We recommend that legislation should be enacted that terminates the storage of bulk telephony meta-data by the government.”
2. Stop undermining global security standards. The NSA likes to maintain undiscovered hacking tools (“zero-day exploits”) and force loopholes in Internet security standards. The work it’s doing to crack basic encryption falls along those lines as well. It helps them monitor more traffic, but makes the web overall a less safe place.
3. No tech company “backdoors”. Google and other major tech companies have vigorously denied that they create special backdoor access for NSA spying, but the report recommends they cease this supposedly non-existent practice anyway. It is unclear whether such backdoors were currently being built out or already in existence.
4. Organizational changes: The director of the NSA should be confirmed by the Senate and open to civilians, there should be a new privacy board to review strategies, and the secret court should have a special public advocate. This differs from previous leaks to the Wall Street Journal, which implied that the panel would recommend a civilian director.
5. More transparency: The government should disclose the number of users who the NSA has requested to examine.
The panel follows a torrent of new developments, any of which may significantly alter the way U.S. intelligence agencies gather private data en masse.
Google has been slapped with a fine for breaking Spanish data protection laws with its privacy policy.
The Spanish Data Protection Agency (AEPD) said that Google does not provide enough details about its data collection, and imposed a €900,000 ($1.23M) punishment.
That's $400,000 each for three separate violations of the Organic Act on Data Protection (LOPD) — collecting information, sharing data, and not properly informing users. The AEPD called Google's privacy rules "indeterminate and unclear."
A new Google privacy policy went into effect on March 1, 2012. It consolidated about 70 cross-site guidelines into one, but also switched to one profile for users across all services, rather than separate logins for applications like YouTube, Search, and Blogger. It's that account consolidation bit that has privacy advocates up in arms.
The AEPD's action means that the California-based tech company must comply with Spanish data protection law and correct its practices ASAP.
A Google spokeswoman told PCMag that the company will be examining the Spanish watchdog's report to determine next steps.
"We've engaged fully with the Spanish DPA throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we'll continue to do so," she said in a statement.
Dutch and French officials have also spoken out against Google's practices. Late last month, the Dutch Data Protection Authority (DPA) accused the search giant of not adequately informing users about which personal data it collects and combines, and for what purpose. Source : PCMag.com
Google's practice of combining privacy policies across its various services has been found to be in violation of Dutch law by the Netherlands' privacy regulator CBP (College Bescherming Persoonsgegevens) after extensive research on the matter.
In 2012, Google implemented a significant change in its privacy policy, merging the individual policies from its numerous services into one uniform document — which, according to the search giant, was convenient and easier to understand.
However, although presented as a measure to accommodate its users, the move immediately caught the attention of regulators across Europe, because it also allowed Google to combine user data from diverse services.
That, in turn, allowed Google to put together an extremely detailed user profile, all without asking its users for their permission. After all, users don't have the ability to opt out of the process of their different data sets being combined, which can contain extremely sensitive information, such as their payment details, location data and details about online behaviour.
Insufficiently informed
CBP chairman Jacob Kohnstamm strongly condemned the way Google handles its user data: "The way Google has combined personal data since the introduction of the revised privacy conditions on 1 March 2012 is in violation with the Dutch Data Protection Act," he said in a statement.
"Google combines personal data of internet users obtained via different kinds of Google services without properly informing its users and without asking them for permission. Our research shows that Google does not sufficiently inform its users about what personal data the company gathers and to what end. Google is creating an invisible web of our personal data, without our permission and that, by definition, is forbidden according to Dutch law."
No legal action… yet
Although Google's practices have been found to be in violation of Dutch law, the privacy regulator said it currently has no intention to fine Google, provided that the company is willing to make changes.
"We have meanwhile invited Google for a hearing, after which we will decide if and how we are going to deploy any means necessary with regard to enforcement of the law," the CBP said.
Meanwhile, the Dutch branch of Google has responded to the allegations: "Our privacy policy respects European legislation and allows us to create simpler and more efficient services. During this process, we have seized each and every opportunity to engage in discussion with the CBP and we will continue to do so."
Are you shopping for the perfect holiday gift for your conspiracy theorist friend who harbors a deep, seething rage for Google's "Your face in ads" policy? Good news! Microsoft's got you covered with a new Scroogled store stocked with mean-spirited gems like the coffee mug above.
The new wares—found in a corner of the virtual Microsoft Store—are an expansion into the physical realm for Scroogled, Microsoft's FUD-spreading smear campaign against Google. Over the past year, Scroogled has levelled its guns at Google Shopping's pay-to-play system, Gmail's automated ads, and Google Search's practice of placing ads next to results. (You know, like the ones Bing has, too.)
And while we're talking For What It's Worths, the Electronic Frontier Foundation's recent "Encrypt the Web" report gave Google a perfect score for trying to keep your data safe from prying eyes. Microsoft, meanwhile, scored 1 out of 5 on the testing criteria—just like MySpace.
You may have been one of the many Facebook users contacted by the company last week about the demise of the "Who can look up your Timeline by name" search setting. The Facebook e-mail announcing the discontinuation of the feature goes on to explain how to limit what information you share on the service. Unfortunately, there's no longer a way to limit globally the personal information Facebook shares with everyone; you can do so only for each separate post using the audience selector.
"Your name, gender, username, user ID (account number), profile picture, cover photo and networks (if you choose to add these) are available to anyone since they are essential to helping you connect with your friends and family."
Facebook users are installing apps from developers who help themselves to the users' private information without offering a clear mechanism for retrieving the data. Users have no way of knowing what the information includes or how it will be used, let alone whether it is accurate. Nope, no privacy risk there.
The Facebook App Settings page lets you control the information about you that friends can share when they use apps. You can uncheck any or all of the 17 categories of information presented.
Uncheck the categories of personal information you don't want your friends to be able to share with the Facebook apps they use.
The App Settings page indicates that you can prevent apps and Web sites from accessing other categories of information by "turning off all Platform apps." To do so, click Edit to the right of "Apps you use" on the App Settings page, and click the Turn Off Platform button.
Privacy promises to European users come up empty
Imagine if Facebook, Google, and other services had to notify you of the information they collect about you, how the companies will use the information, the third parties they will share the information with, and how you can restrict use and disclosure of the information.
Now imagine you're given the ability to opt out of the collection and use of your information beyond what is necessary to transact your business with the companies. Even better, imagine having to opt in to the use of your personal information in any way other than the original purpose for which you supplied the information.
These are two of the seven Safe Harbor Privacy Principles that US companies agree to comply with for their customers residing in European Union countries. Export.gov provides an overview of the Safe Harbor requirements. The principles specify that individuals be afforded access to the personal information the companies collect about them and be able to correct, amend, or delete the information.
As Politico's Erin Mershon points out, the Safe Harbor Framework is intended to allow US companies to comply with the EU's stringent privacy regulations. The rules have been a sticking point in light of the National Security Agency's widespread surveillance. Some Europeans believe US firms use the Safe Harbor Framework to avoid complying with the EU's privacy requirements.
While Federal Trade Commission Commissioner Julie Brill defends the Safe Harbor Framework, EU officials point out the lack of enforcement efforts by the FTC. Safe Harbor guidelines rely on companies self-certifying, so to a great extent the framework operates on the honor system.
At a meeting last month of the European Parliament's Civil Liberties, Justice and Home Affairs committee, an executive at Galexia, an Australian management consulting firm that researches Safe Harbor compliance, highlighted the program's lax enforcement. According to InfoSecurity, Galexia's Chris Connolly told the committee that 427 US companies make false claims about their Safe Harbor compliance.
A more-widespread compliance shortcoming relates to the Safe Harbor regulations' dispute-resolution requirements. Connolly testified that about 30 percent of the 3,000 self-certifying organizations offer no dispute-resolution options, and a large number of those companies that claim to provide dispute resolution, instead refer customers to the American Arbitration Association, which charges complainants from $120 to $1,200 per hour, with a minimum of 4 hours, on top of a $950 administration fee.
Some EU officials are calling for the cancellation of the Safe Harbor program, which has been in place for 13 years. Viviane Reding, vice president of the European Commission and EU justice commissioner, spoke at a seminar in Washington, D.C., late last month and recommended the only way for the US to restore Europe's trust is to enact privacy legislation that provides EU citizens with a right of redress when their privacy is violated, as Bloomberg BNA's Stephen Gardner reported last week. Source : CNET
Several advocacy groups are calling for an investigation into Internet companies Yahoo and Google whose networks were secretly accessed by the National Security Agency (NSA).
In a letter sent last week, the groups asked the U.S. Federal Trade Commission (FTC) to find out how the NSA could extract so much data without the knowledge of Google and Yahoo.
"The Commission should pursue this investigation because it routinely holds itself out as the defender of consumer privacy in the United States," the authors said. "It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the Commission could ignore the consequences for consumer privacy."
The letter, signed by officials from the Electronic Privacy Information Center, Privacy Rights Clearinghouse, Center for Digital Democracy, and other organizations, follows recent reports that the NSA gained access to millions of consumer records by secretly tapping directly into data streams from major Internet companies.
The reports prompted fresh concern about NSA surveillance activities and of the privacy of data being held by the world's largest Internet companies.
Firms deny compliance
Google, Yahoo, Microsoft and others have insisted that they divulge consumer information to the NSA and other government agencies only under appropriate court orders. Each has denied providing any help to the NSA and other spy agencies gathering data on Internet users.
In fact, in a court filing last week the companies demanded that the government release more information about the kind of data that Internet companies are being asked to provide the NSA.
The letter from the privacy groups stands out because it seeks to hold Google and Yahoo responsible for the NSA's data collection activities because of a lack of network security controls.
Rotenberg said consumer privacy groups have long urged Internet companies to adopt better privacy and security practices to safeguard the information they collect. He noted that privacy groups have asked Internet companies to minimize data collection when possible and to delete unneeded data. "We are saying that the companies should do more to protect the privacy of user data and that the FTC has a responsibility to police these practices, particularly since both Google and Facebook are subject to consent orders concerning privacy," said Marc Rotenberg, executive director of EPIC.
Therefore, Internet companies must be held responsible for breaches of data they store, he said.
Adobe confirmed that a computer security firm had found records stolen from its data center, but downplayed the significance of the findings.
A computer security firm has uncovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is far bigger than Adobe has so far disclosed and is one of the largest on record.
LastPass, a password security firm, said on Thursday that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.
Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.
The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm's findings.
While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.
She said the records include some 25 million records containing invalid email addresses and 18 million with invalid passwords. She added that "a large percentage" of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.
She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles. Source : MSN News
WhatsApp users, watch out! The cybercriminal(s) behind the most recently profiled campaigns impersonating T-Mobile, and Sky, have just launched yet another malicious spam campaign, this time targeting WhatsApp users with fake “Voice Message Notification/1 New Voicemail” themed emails. Once unsuspecting users execute the fake voice mail attachment, their PCs will attempt to drop additional malware on the hosts. The good news? We’ve got you (proactively) covered.
Detection rate for the malicious attachment: MD5: 0458a01e42544eacf00e6f2b39b788e0 – detected by 31 out of 48 antivirus scanners as Trojan.Win32.Sharik.qhd
Once executed, the sample creates the following Registry Keys on the affected hosts:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe\ShellNew
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\print
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\print\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\printto
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\printto\command
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\S6
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\S6\Settings
It then attempts to download additional malware from the well known C&C server at networksecurityx.hopto.org
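An offline check for the registry indicators listed above, added here as an example and not part of the original write-up: it scans the text of a `reg export` file for the listed keys. It assumes, beyond what the page states, that the `Local AppWizard-Generated Applications` parent key is the default written by any MFC AppWizard-generated program and is therefore weak evidence alone; the function names and sample exports are constructed for illustration.

```python
import re

# Registry keys copied from the write-up above.
IOC_KEYS = [k for k in r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe\ShellNew
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\print
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\print\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\printto
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\printto\command
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\S6
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\S6\Settings
""".splitlines() if k]

# Assumption (not from the page): this parent key exists on any host that has
# run an MFC AppWizard-generated program, so it is low-signal on its own.
GENERIC_KEYS = {r"HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"}

HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}
# A per-user hive exported from another account appears as HKEY_USERS\<SID>\...
_SID_PREFIX = re.compile(r"^hkey_users\\s-1-[0-9-]+\\")
# Key header in .reg text; "[-HKEY...]" is a deletion directive and is skipped.
_KEY_HEADER = re.compile(r"^\[(?!-)(.+)\]$")


def normalize(key):
    """Lower-case a key path, expand HKLM/HKCU, map HKEY_USERS\\<SID> to HKCU."""
    key = key.strip().rstrip("\\").lower()
    hive, sep, rest = key.partition("\\")
    key = HIVE_ALIASES.get(hive, hive) + sep + rest
    return _SID_PREFIX.sub(lambda m: "hkey_current_user\\", key)


def keys_in_reg_export(text):
    """Return the set of normalized key paths found in `reg export` output."""
    keys = set()
    for line in text.splitlines():
        m = _KEY_HEADER.match(line.strip())
        if m:
            keys.add(normalize(m.group(1)))
    return keys


def triage(text):
    """Classify an export: 'match' (specific key seen), 'weak', or 'clean'."""
    present = keys_in_reg_export(text)
    hits = [k for k in IOC_KEYS if normalize(k) in present]
    specific = [k for k in hits if k not in GENERIC_KEYS]
    generic = [k for k in hits if k in GENERIC_KEYS]
    verdict = "match" if specific else ("weak" if generic else "clean")
    return {"verdict": verdict, "specific": specific, "generic": generic}


# Constructed sample exports (not real host data).
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sewwe]
@="S6.Document"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\S6.Document\shell\open\command]

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Local AppWizard-Generated Applications]

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Local AppWizard-Generated Applications\S6\Settings]
"""

SAMPLE_BENIGN_MFC = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications]

[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\DemoApp]
"""

SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"
"""

if __name__ == "__main__":
    for name, sample in [("infected", SAMPLE_INFECTED),
                         ("benign MFC", SAMPLE_BENIGN_MFC),
                         ("clean", SAMPLE_CLEAN)]:
        result = triage(sample)
        print(name, result["verdict"], len(result["specific"]))
```

A "weak" verdict means only the shared parent key was found, which warrants a look at its subkeys but is not a detection by itself.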
Canonical, the maker of Ubuntu, has been fending off criticism from privacy advocates because the desktop search tool in recent versions of the operating system also searches the Internet. That means if you're searching your desktop for a file or application, you might also see results from Amazon or other websites.
One person who dislikes Canonical's search tool is Micah Lee, a technologist at the Electronic Frontier Foundation who maintains the HTTPS Everywhere project and is CTO of the Freedom of the Press Foundation. Lee set up a website called "Fix Ubuntu," which provides instructions for disabling the Internet search tool.
"If you're an Ubuntu user and you're using the default settings, each time you start typing in Dash (to open an application or search for a file on your computer), your search terms get sent to a variety of third parties, some of which advertise to you," the website says.
According to Lee, Canonical sent him an e-mail this morning asking him to stop using the Ubuntu logo and also to stop using the word "Ubuntu" in his domain name. Lee reprinted the entire e-mail in a blog post titled, "Canonical shouldn’t abuse trademark law to silence critics of its privacy decisions." To prove its point, the e-mail showed a screenshot of Lee's site with the Ubuntu logo.
The policy Canonical pointed to does say that permission from the company is required to use "any Trademark in a domain name or URL or for merchandising purposes." Lee argued that his use of the Ubuntu logo and the name in his domain is "nominative use" and thus not a trademark violation. "Although I’m perfectly within my rights to continue using both, I’ve decided to remove the Ubuntu logo from the website, but add a disclaimer—because it seems like a nice thing to do," he wrote. (The EFF, for what it's worth, has published this list of tips to help makers of parody sites avoid getting shut down.)
His website still has the same domain name that includes the word "Ubuntu." Canonical doesn't seem to have a problem with other websites using the word Ubuntu in their domain names, such as "OMG! Ubuntu!," a news site that writes enthusiastically about the operating system.
Canonical's registered trademark doesn't specifically mention domain names, but it claims broad rights over the word Ubuntu for use in "Telecommunication, communication, and broadcasting services provided online, via the Internet, or via other communications networks," and "transmission of information, data, text, images, graphics, sound and/or audio-visual material online, via the Internet or via other communications networks."
We've contacted Canonical about the e-mail sent to Lee, but haven't heard back yet.
While Ubuntu's code is open source and free to everyone, Canonical obviously hasn't given up its right to enforce its trademarks. Lee argued that the company's stance against his website "isn't very much in the spirit of open source," though. The code for Fixubuntu.com is also open source—Lee invited Canonical to "submit a patch" if it decides to help out "in a more productive way."
The EFF has already sent a response to Canonical, in a letter from EFF Staff Attorney Daniel Nazer. "While we appreciate the polite tone of your letter, we must inform you that your request is not supported by trademark law and interferes with protected speech," the letter says. "The website criticizes Canonical Limited for certain features of Ubuntu that Mr. Lee believes undermine user privacy and teaches users how to fix these problems. It is well-settled that the First Amendment fully protects the use of trademarked terms and logos in non-commercial websites that criticize and comment upon corporations and products. Mr. Lee's site is a clear example of such protected speech. Neither Mr. Lee, nor any other member of the public, must seek your permission before engaging in such constitutionally protected expression."
“Apple’s main business is not about collecting information,” the company said in the report. In detailing its interactions with governments, both in the United States and around the world, Apple hoped to provide more transparency about the processes. Moreover, the company says that it has repeatedly made the case for more openness in its meetings with government officials; along with the report, Apple is also filing an amicus brief with the Foreign Intelligence Surveillance Court (FISA), supporting other cases requesting more transparency.
“We feel strongly that the government should lift the gag order and permit companies to disclose complete and accurate numbers regarding FISA requests and National Security Letters,” the company said in its report. “We will continue to aggressively pursue our ability to be more transparent.”
In the report, Apple explained that the U.S. government prohibits the company from disclosing “except in broad ranges” the precise number of requests it receives or the number of accounts affected, making it difficult to get a full picture of the government’s actions.
But the report suggested that the U.S. government’s requests for information dwarf that of any other country in which Apple does business.
During the time period surveyed, Apple said it received between 1000 and 2000 requests for information involving between 2000 and 3000 user accounts. Fewer than 1000 requests resulted in any content from accounts disclosed—such as information from iCloud email, contacts, calendar, or Photo Stream content—and fewer than 1000 requests resulted in any data about those accounts being shared.
By comparison, the United Kingdom generated just 127 requests for account information—the next-most active government on the list—resulting in just one case where actual content from an account was disclosed.
“The most common account requests involve robberies and other crimes or requests from law enforcement officers searching for missing persons or children, finding a kidnapping victim, or hoping to prevent a suicide,” Apple said in the report. “In very rare cases, we are asked to provide stored photos or email. We consider these requests very carefully and only provide account content in extremely limited circumstances.”
The Chocolate Factory has been slowly buttoning down its Chrome extension policies for the last few years. Initially, extensions could be installed from anywhere on the web, just by pointing the browser at the right URL. But beginning with Chrome 21 in 2012, Google established a policy that only URLs pointing to the Chrome Web Store are valid for extension installs.
In Chrome 21 and later, including current builds, users can still install extensions from other sites if they download the files to their desktops, manually drag them to the browser's Extensions window, then click OK in a dialog box to confirm they know what they're doing. But come January, even this won't be an option for either the stable or developer branches.
According to a blog post by Chrome engineering director Erik Kay, that's because too many extension writers have been figuring out ways to evade Chrome's security measures and silently install adware or other malicious code into unsuspecting users' browsers – something Kay says is a leading cause of complaints from Chrome users on Windows.
"Since these malicious extensions are not hosted on the Chrome Web Store, it's difficult to limit the damage they can cause to our users," Kay explains.
So, no more. Beginning with what will probably be Chrome 33 (Google doesn't set fixed dates for Chrome releases, so it's hard to be sure of the version number), extension developers will need to host their wares in the Chrome Web Store, whether the extensions are intended for a wide audience or just a few users.
That doesn't mean they have to charge for their extensions, or even let the general public know they exist.
"There will be no impact to your users, who will still be able to use your extension as if nothing changed," Kay explains. "You could keep the extensions hidden from the Web Store listings if you like."
For those developers who really, really want to use their own websites as the primary source to download their extensions, Google offers a feature called Inline Installation that allows outside sites to make it seem as if extensions are being installed from their own pages, even though the actual extension files are hosted by the Chrome Web Store. This will still be supported after the policy change.
Also, the new rules won't interfere with enterprises that have set up group policies to allow Chrome to install extensions from their own servers. It's strictly meant to stem malicious downloads from the open internet.
Finally, a Chrome browser that has been put into developer mode will still be able to load unpacked extensions from the local drive – just not packed .crx files. This may be the best option for people, such as this Reg hack, who occasionally write one-off Chrome extensions for obscure purposes.
A French court has ordered Google to block from its search results pictures of former Formula One motor racing president Max Mosley participating in a sado-masochistic sex party with five women.
Google’s lawyers are still studying Wednesday’s ruling and plan to appeal. They say the Paris High Court wants the company to build a censorship machine.
The pictures were initially published under the headline “F1 BOSS HAS SICK NAZI ORGY WITH 5 HOOKERS” on March 30, 2008, by now-defunct British newspaper News of the World, which paid one of the women to record the event using a hidden video camera.
A subsequent court case found that, while the video showed participants speaking German and wearing modern German military uniforms or playing the role of prisoners, there was no evidence of a Nazi theme. In the same ruling, the High Court of England and Wales found that the newspaper had infringed Mosley’s right to privacy and awarded him £60,000 (then $120,000) in damages.
Mosley has also had publication of the photos declared illegal in separate cases in France and Germany, according to a statement released by his U.K. lawyers, Collyer Bristow.
“This is a welcome decision. The action was brought in respect of a small number of specific images ruled illegal in the English and French courts several years ago. Despite their illegality and my repeated notifications to them, Google continued to make the images available on its own webpages,” Mosley said in the statement.
However, the company maintains that it has responded to Mosley’s notifications by removing links to the photos.
Google has added some new privacy controls to Google+ to give business users a more secure way to share sensitive information on the social network.
On Tuesday the company added "restricted communities" to Google+, as a way to have conversations on the social network but with privacy-aware controls. Users can decide whether to open the community to everyone at their company, or open only on an invite basis.
Communities in Google+ were designed to let people start conversations around any number of topics. But Google hopes the new feature will attract business users without them worrying about spilling company secrets on the site.
"At most organizations, it's important to make sure that private conversations remain private," Google+ Product Manager Michael Cai said in a blog post.
Whether it's designs for a product in beta testing, or notes from an off-site meeting, "anything you post will remain restricted to the organization," Cai said.
Administrators will be able to make restricted communities the default for their organization, Google said. After creating the restricted community, users can share files from Google's Drive file storage service as well as videos, events and photos. Administrators can later invite other team members to join the conversation, Google said.
Users can also create communities open to others outside the company, so clients, agencies and other business partners can join in, Google said.
Other social networking applications for business users include Yammer, Socialtext and Salesforce.com's Chatter service. Via : Computerworld
Although it has been six months since the first disclosure by Edward Snowden, the public revelations of the scope and scale of the capabilities of the National Security Agency do not appear to be slowing down.
Based on new leaked information, the NSA has recently been accused of eavesdropping on the telephone conversations of Angela Merkel, the Chancellor of Germany.
This information, along with accusations of intercepting phone calls by other high-ranking foreign officials, comes at a critical time as the European Union deliberates new data protection regulations. For over a decade, the data protection regulations of the European Union and its member states have represented the most stringent of their type in the world.
Germany, in particular, has been at the forefront in enforcing these laws. These regulations generally prohibit the transfer of personal data of EU citizens to any country that lacks adequate data protection safeguards unless approved by the citizen's member state.
Beginning in 2012, the EU initiated a process to further strengthen its approach to the protection of personal data and to ensure unified treatment and enforcement across all of its member states. In response to these new reports of government surveillance, the US can expect a critical review of its status as a permitted recipient of EU personal data.
In 2000, the European Commission and the US Department of Commerce instituted a "Safe Harbor" framework to prevent the EU's then-newly enacted data protection regulations from interrupting data flows between the US and the EU member states. Under the Safe Harbor framework, eligible US companies may self-certify to the US Federal Trade Commission that their internal policies and safeguards comply with the data protection principles enshrined in the EU regulations.
Failure to comply opens a company to a potential enforcement action by the FTC. This framework, along with the use of EU-approved contractual clauses, has been a resounding success for international e-commerce. Today, over 3,000 US companies participate in Safe Harbor, including Apple and Google. However, officials in the European Commission and the EU member states have publicly questioned the viability of the Safe Harbor framework, potentially to the detriment of every US company doing business in the EU.
According to the European Commission Vice President, Viviane Reding, "The Safe Harbor agreement may not be so safe after all." Earlier this year, in the wake of the information leaked by Edward Snowden, German data protection officials notified the European Commission that Germany would no longer grant new approvals for the transfer of German data to non-EU countries.
Even though the Safe Harbor framework itself contemplates a national security exception, the official European Commission advisory group for data protection announced that it will formally consider "to what extent protection provided by EU data protection legislation is at risk." The results of this assessment will be released at the end of this year and will likely inform EU deliberations on the proposed enhanced data protection regulations.
Because the Safe Harbor framework automatically permits data transfers for the whole of the EU, Germany's refusal to grant new permissions has not impacted participating US companies. However, the consequences to US businesses of any disruption to the Safe Harbor framework could range from increased compliance costs and bureaucratic headaches to a complete suspension of services to Europe and the payment of fines and penalties.
At the very least, the regulatory uncertainty caused by the rhetoric in Europe may act to discourage future expansion of EU-based operations. If the Safe Harbor framework is suspended, the EU would deem the US's current data protection laws as inadequate. Each US company with the need to access and use EU personal data would then be subject to the data protection regulations (and associated penalties) of each EU member state.
Fortunately, many of the regulations provide workable exceptions to the permission requirement. However, the administrative burden of either navigating the permission process (if allowed at all) or determining if an exception applied to each data transfer would be highly disruptive to any company's operations.

For five years, Google has been holding onto a patent for a data center design that would allow the center to be cooled by ocean water. The company may finally be using the patent, as investigative reports seem to suggest that Google is building data centers in California and Maine. The buildings at these sites, while not explicitly connected to Google, are being constructed by a company that does have links to Google. Since the centers are adjacent to Treasure Island in the San Francisco Bay and off the coast of Portland, Maine, they are technically in international waters and free from government interest, if Google is looking to protect its data.

The Plan

Google's patent from 2008 detailed how a data center could be housed on a ship and its servers could be perpetually cooled by the ocean water. This sort of design is not only expensive to implement but it is also difficult, which may be why it has taken years for Google to actually use the patent. Not only would the sea water cool the servers, but the ocean currents would also totally power the data centers, making them the most environmentally-friendly in the world. This is important, especially as data centers are now using nearly 2% of all the electricity in America.

Although other rumors on the structures being built near Treasure Island and Portland suggest they are floating Google Glass stores, that seems unlikely. Joel Egan, of Cargotecture, told technology publications that a store requires large open spaces, therefore the small "cubbies" of shipping containers would not be very useful when housing a store and allowing people to look around. Again the store idea seems unlikely when you take into account the locations -- opening a groundbreaking and unique store in Maine does not make much sense if Google wants to attract as many people as possible.

Mystery Structures

These reports are based around pictures and information regarding multi-story structures currently being built in Portland and near Treasure Island. Both of the structures are four stories tall and they are almost the same size and shape, meaning that they are probably being built for the same reason. A marine engineer told CNET that he had been working on a data center around the same time that Google applied for and attained its patent. He went on to say that the mystery structures look very similar to what he was working on. As a result, it seems extremely unlikely that the buildings will be retail stores; rather, they fit Google's patent for its data center.

Source: CIO Today

Recent headlines about shadowy government agencies, high-profile hack attacks, and your face in Google ads drive home a crucial point: Your online privacy is best protected when you keep an iron grip on the information you're handing out. If your info is on a server somewhere, it's not truly yours.

So many core aspects of our lives have shifted to the cloud, mostly to our great benefit: Gmail and Outlook.com maintain our email archives. Dropbox and SkyDrive make your files available anywhere, anytime. Windows 8.1 searches include Bing results by default. Google Now dishes out the information you need before you even know you need it. But every gain in convenience comes with a loss of control, and that loss of control all too often comes bundled with privacy or security woes.

You can take some simple precautions to minimize the amount of personal information that you have online. But before we get started, remember that this data checkup is about what you're comfortable with. You could follow all the tips in this post, tighten up on just a few of the practices mentioned below, or go even farther down the rabbit hole than the suggestions offered here. Digital privacy is not a zero-sum or a one-size-fits-all proposition. If nothing else, this article can help you make better decisions about the information you share with the services you love.

Giving Google the cold shoulder

When it comes to minimizing your digital footprint, we have to start with Google. Just imagine the dossier the company has on you: search history, sites you visit, Google Play purchases, location data from Android and Chrome and Maps, your Google Drive documents... it looks like a lot when it's all spelled out like that, doesn't it? To its credit, Google takes data security seriously, receiving fairly good marks in the Electronic Frontier Foundation's annual "Who has your back?" survey.
But Google also makes heavy in-house use of your data, a point that touched a nerve with announcements of the company's plans to use your real name and face in online advertising (not to mention Microsoft's "Scroogled" campaign).

Divorcing Google isn't a realistic option for most people, though, given its superior services and sheer ubiquity. Switching to Microsoft's services still leaves your information in the cloud. So what can you do if you want to reduce the amount of data you're sharing with either online monolith?

[Image caption: Firefox's private browsing mode kills cookies dead.]

To start, you can keep Google from collecting and sharing your data as much as possible. Using your browser's private/incognito mode will erase tracking cookies, including Google's, when you close it. You can also tell Google to stop trailing you in your account's Web History page (at the expense of Google Now features) and take a minute to tweak your general Google privacy settings.

Another solution is to replace what Google services you can with more private alternatives. Do you use Google Docs but don't really need its online capabilities? Try the open-source LibreOffice suite. If you need only basic image-editing capabilities, skip Picasa and stick to Paint.net. What about Google Drive's on-the-go docs? We'll talk more about cloud storage later.

And if you can cut the Google cord completely, there's always the nuclear option. (Here's how to shutter your Microsoft account for good measure.)

Facebook

Google may have a wide reach, but when it comes to mapping your social connections, no company knows more than Facebook. And just like Google, Facebook is practically impossible to shut out of your life. You need it to sign in to your favorite services, play games, chat, and keep in touch with pals. Tweaking your Facebook profile's privacy settings can keep other people's eyes at bay—but Facebook itself has a reputation for questionable user data decisions.
How to give Zuck the cold shoulder without divorcing Facebook completely? Easy: Stop hitting that "Like" button so much and consider removing past thumbs-ups. Don't add extra information to your profile such as life events, places you've lived, and so on. (Here's a video on deleting life events.) Finally, decide whether you want to continue sharing your photo library online. Is anybody really looking at them, or are they just fodder for Facebook's face-detection algorithms?

[Image caption: You don't want to be among the first Graph Search results for "Males in New York that like Drugs and Marijuana" or anything similar. Mind those Likes, and those privacy preferences.]

Facebook also tracks you as you travel from site to site, using the Like buttons embedded on each. Make sure you're signed out of Facebook to prevent that from happening, or use your browser's private mode. You can delete your Facebook account if you're able (and willing) to cut the socialite cord completely.

Cloud storage

If you slap your files in a cloud-storage locker for anytime, anywhere access, you probably don't want to give up that convenience. You can, however, seize control of your cloud documents by encrypting them, which helps protect against the data breaches (such as two that happened to Dropbox and Apple) and government information requests faced by many cloud providers.

Note that while many services (such as Dropbox) encrypt your data on their servers, they control the encryption keys in most cases. That means you are not in control of when or for whom that encrypted data is unlocked, but it also makes using the service easier—just enter your login information and go! A truly "zero-knowledge" cloud provider such as SpiderOak or Wuala, on the other hand, never has access to your encryption key, meaning that only you can unlock your data. (Don't lose the key!)
Alternatively, you could manually encrypt files bound for SkyDrive, Google Drive, Dropbox, SugarSync, or any other cloud service, using a tool like TrueCrypt or the cloud-focused BoxCryptor.

[Image caption: Western Digital's My Cloud connected storage drive lets you build your own private cloud.]

Or, if you want anytime, anywhere access to your files but don't want to entrust your stuff to anyone else, you could use a Net-connected storage drive like Western Digital's My Cloud to create your own personal cloud-storage solution.

All the rest

We've taken care of your major online accounts, but what about all those random accounts you have connected to your social networks? Go through the settings of your Facebook, Twitter, and Google+ accounts to see the list of apps and services connected to them. Then simply remove access permissions for the ones you no longer use.

Speaking of apps and services, part of good data hygiene is regularly deleting accounts you've left by the wayside. Go ahead: Close that MySpace profile and kill your Klout score if you're not using them.

The tip of the iceberg

Now that you have at least some of your data under control, you could look at numerous other things, as well. We briefly touched on restricting who can track your browsing while online. For a real eye-opener, try using Abine's DoNotTrackMe add-on for a week and see how many tracking cookies the add-on blocks.

You could also use a stand-alone email program configured using the POP3 protocol to save your email locally and wipe your messages from your provider's servers. (Here's the info you need to do just that with Outlook.com, Gmail, and Mozilla's Thunderbird client.)

For an even more comprehensive look at the topic, check out Macworld's seven-part series on protecting your online privacy—but note that some of the tips apply only to Apple's ecosystem.

Going off-grid online is borderline impossible these days, but taking just a short time to tidy up your online footprint can pay big dividends for your security and your privacy.

Source: PCWorld