Daily Digest (11/23)

Apple Criticizes Facebook for Data Practices to Privacy Groups; US Military Bought Location Data From Apps, Including Muslim Prayer App; Chrome Extensions Will Be Required to Reveal Data-Collection Practices; Researchers: Household Vacuum Cleaners Can Be Remotely Hacked; Internet and Tech Companies Threaten to Leave Pakistan.

Apple Criticizes Facebook for Data Practices in Letter to Privacy Groups

Apple said Friday that it would proceed with its planned launch of a new privacy feature and attacked Facebook for taking a “very different approach” to how it handled user data.

In a letter to privacy groups, Apple’s director of global privacy, Jane Horvath, said that the App Tracking Transparency (ATT) feature, which allowed users to disable tracking between different applications, still would be launched despite objections from the advertising industry, The Guardian reports.

“We developed (ATT) for a single reason: because we share your concerns about users being tracked without their consent and (about) the bundling and reselling of data by advertising networks and data brokers,” Horvath wrote.

The letter also offered more insight into the delay of the feature announced in July.

“We delayed the release of ATT to early next year to give developers the time they indicated they needed to properly update their systems and data practices,” she said.

The letter also defended Apple’s approach to targeted advertisements while criticizing Facebook for its approach.

“Facebook and others have a very different approach to targeting,” Horvath wrote, according to The Guardian. “Not only do they allow the grouping of users into smaller segments, they use detailed data about online browsing activity to target ads.

“Facebook executives have made clear their intent is to collect as much data as possible across both first- and third-party products to develop and monetize detailed profiles of their users — and this disregard for user privacy continues to expand to include more of their products.”

Facebook rebuked the claims and accused Apple of “using their dominant market position to self-preference their own data-collection, while making it nearly impossible for their competitors to use the same data.”

US Military Bought Location Data From Apps, Including Muslim Prayer App

The U.S. military has purchased the location data from several apps, including a Muslim prayer app — used by 98 million people — and a Muslim dating app, with more than 100,000 downloads.

Other apps include a popular Craigslist app, one for following storms and a step-counting app, Vice’s Motherboard reports.

Through U.S. procurement data that it acquired, Motherboard uncovered two separate data streams that the military used, or once used, to obtain the location data of app users.

One of the Muslim apps relies on a company called Babel Street, which creates a location-data product called Locate X, while the other stream is through a company called X-Mode, which obtains location data directly from apps. It then sells the data to contractors and, by extension, to the military.

The U.S. Special Operations Command (USSOCOM), a branch of the military tasked with counterterrorism and special reconnaissance, bought access to the Locate X data, according to the procurement records.

Navy Cmdr. Tim Hawkins, a Special Operations Command spokesperson, confirmed the purchase.

“Our access to the software is used to support Special Operations Forces mission requirements overseas,” he told Motherboard.

“We strictly adhere to established procedures and policies for protecting the privacy, civil liberties, constitutional and legal rights of American citizens,” he said.

X-Mode, the other data stream, sells access to location data from apps including Muslim Pro to several clients, including U.S. military contractors, Motherboard reports.

Contractors include the Sierra Nevada Corp. and Systems & Technology Research. 

Sen. Ron Wyden, D-Ore., told Motherboard in a statement that X-Mode said it was selling location data harvested from U.S. phones to U.S. military customers.

“In a September call with my office, lawyers for the data broker X-Mode Social confirmed that the company is selling data collected from phones in the United States to U.S. military customers, via defense contractors,” Wyden said in a statement to Motherboard.

“Citing non-disclosure agreements, the company refused to identify the specific defense contractors or the specific government agencies buying the data.”

In an email to Motherboard, X-Mode said that the company “does not work with Sierra Nevada or STR” but did not deny they were once customers.

“X-Mode licenses its data panel to a small number of technology companies that may work with government military services, but our work with such contractors is international and primarily focused on three use cases: counterterrorism, cybersecurity and predicting future COVID-19 hotspots,” X-Mode said.

Chrome Extensions Will Be Required to Reveal Data-Collection Practices

Chrome extension developers will have to reveal the data they collect and how that data is processed on the extension’s Chrome Web Store page, starting in January.

Google said via email and a blog post Wednesday that failure to reveal data collected by March 2021 would lead to the termination of the extension and its disabling on user devices, Ghacks reports.

The policy also requires developers to certify their data-use practices and to display that information directly on the Chrome Web Store listing to help users understand an extension’s privacy practices.

The official extensions store will also include a new feature called the Privacy Practices tab, which lists the data an extension collects and appears when users open individual extensions.

Google also introduced a new data-privacy policy that limited how extension developers might use collected data.

Researchers: Household Vacuum Cleaners Can Be Remotely Hacked

University of Maryland researchers have uncovered a new attack that allows hackers to listen in on conversations through popular household robot vacuums.

The attack, called “LidarPhone,” targets vacuums with LiDAR sensors, Threatpost reports.

The LiDAR navigation system allows a bot to map out a home by shining a laser beam around a room and sensing the reflection of the laser as it bounces off nearby objects.

The research shows that any device using light detection and ranging technology can be manipulated to collect sound, despite not having a microphone, according to Science Daily.

“We welcome these devices into our homes, and we don’t think anything about it,” said researcher Nirupam Roy, an assistant professor at Maryland’s Department of Computer Science.

He holds a joint appointment in Maryland’s Institute for Advanced Computer Studies (UMIACS).

“But we have shown that even though these devices don’t have microphones, we can repurpose the systems they use for navigation to spy on conversations and potentially reveal private information.”

Internet and Tech Companies Threaten to Leave Pakistan

Internet and technology companies have threatened to leave Pakistan after the government of Prime Minister Imran Khan granted enhanced powers Wednesday to government media regulators to censor digital content.

The warning came from the Asia Internet Coalition (AIC), which represents global technology giants including Google, Facebook and Twitter, a day after the rules were announced, The Associated Press reports.

The coalition said it was “alarmed by the scope of Pakistan’s new law targeting internet companies, as well as the government’s opaque process by which these rules were developed.”

Under the new “Removal and Blocking of Unlawful Online Content Rules 2020,” social media companies or internet service providers can be fined as much as $3.14 million for failing to stop the sharing of content deemed to be defamatory of Islam, including “hate speech,” pornography or any content viewed as endangering national security.

Social media companies also now must provide Pakistan’s designated investigation agency “with any information or data in decrypted, readable and comprehensible format,” according to Pakistan’s DAWN newspaper.

“The draconian data localization requirements would damage the ability of people to access a free and open internet and shut Pakistan’s digital economy off from the rest of the world,” AIC said.

Khan’s government did not return a request for comment, AP reports.

By DPN Staff