Daily Digest (12/4)

Irish Watchdog to Publish Ruling on Twitter Breach Probe; Report: 25 Countries Use Surveillance Technology to Track Locations by Phone; US States to File Facebook Antitrust Lawsuit; Mass. Lawmakers Ban Police Facial Recognition Statewide

Irish Watchdog to Publish Ruling on Twitter Breach Probe

Irish authorities expect to publish the results of an investigation into Twitter’s handling of a data breach that occurred last year, the country’s privacy watchdog said Wednesday. 

Privacy regulators from 11 European Union states objected to a proposed ruling by the Irish Data Protection Commission in May, kicking off a review process under the General Data Protection Regulation (GDPR) privacy law, The Wall Street Journal reports. 

“Seven months later, we’re ready to adopt the final decision,” Helen Dixon, who leads Ireland’s data-protection office, told the WSJ Pro Cybersecurity Executive Forum.

Twitter will be fined for the breach, which under GDPR could reach up to 4% of the company’s annual revenue. 

“We will see fines soon enough,” Dixon said. “As to whether they’re big, that I can’t say at this point.”

Twitter declined to comment, the Journal reports. 

Sources (all links external):

Report: 25 Countries Use Surveillance Technology to Track Locations by Phone

A surveillance technology that can identify the location of a cellphone anywhere in the world with only a telephone number has been detected in 25 countries, according to research released Tuesday.

The technology has been supplied by the Circles, an Israeli-based company, according to Citizen Lab at the University of Toronto.

Circles is a sister company of NSO Group, an iPhone and Android spyware developer that has been sued by Facebook over attacks on the WhatsApp accounts of 1,400 users, Forbes reports. 

Circles claims it only sells to nation-states, but leaked documents obtained by Citizen Lab showed that customers could buy a system that connected to their local telecommunications companies’ infrastructure.

They also could use a separate system called the “Circles Cloud,” which interconnects with telecommunications companies around the world.

Circles surveillance technology uses Signaling System 7 (SS7) exploitation to send commands to a subscriber’s “home network” to falsely indicate that the subscriber is roaming, according to the report.

The commands then allow the attacker to track the victim’s location and intercept voice calls and SMS text messages.

The leaked documents also revealed that Circles had been sending targets’ locations and phone records (Call Detail Records, or CDRs) to the United Arab Emirates Supreme Council on National Security (SCNS). 

Citizen Lab alleged that several countries, both Western and democratic, were using the technology. 

The full list included:  Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates, Vietnam, Zambia and Zimbabwe. 

“Given Circles’ affiliation with NSO Group, and repeated spyware abuse by NSO customers, it’s disappointing to see Western governments patronizing the company,”  Bill Marczak, a Citizen Lab researcher, told Forbes. 

In April 2017, a U.S. Department of Homeland Security (DHS) report concluded: “All U.S. carriers are vulnerable to these exploits, resulting in risks to national security, the economy, and the federal government’s ability to reliably execute national essential functions.”

The report said that “SS7 and Diameter vulnerabilities can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations” and that “many organizations appear to be sharing or selling expertise and services.”

In a response from NSO and Circles to Forbes, an NSO spokesperson said: “NSO and Circles are separate companies within the same corporate family, both of which lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate.

“As we have previously stated, Circles is involved in search and rescue and tactical geolocation technology,” they said.

The spokesperson declined to comment on the countries listed by Citizen Lab as customers, Forbes reports. 

US States Plan to File Antitrust Lawsuit Against Facebook

More than 40 U.S. states, led by New York, have been investigating Facebook for possible antitrust violations and plan to file a joint lawsuit against the company, four sources familiar with the matter said Wednesday.

The complaint would be the second major lawsuit filed against a Big Tech company this year, Reuters reports.

A source told the news service that more than 40 states planned to sign onto the court action but did not name the states. 

It was unclear what would be included in the complaint.

But one allegation made against Facebook was that it had sought to buy small potential rivals, often at a large premium, including its purchase of Instagram in 2012 and WhatsApp in 2014.

Facebook CEO Mark Zuckerberg has argued in congressional testimony that the company has a range of competitors, including other tech giants. 

He has also defended the company’s acquisition of Instagram and WhatsApp.

Facebook declined to comment, Reuters reports, and a spokesman for the New York attorney general’s office also did not comment.

Mass. Lawmakers Pass Statewide Ban on Police Facial-Recognition Use

Massachusetts lawmakers voted Tuesday to ban facial-recognition use by law-enforcement and public agencies across the state.

If signed into law by Republican Gov. Charlie Baker, Massachusetts would become the first state to fully ban the technology, The Verge reports. 

However, the ban would allow police to run searches against the state’s driver’s license database —  but only with a warrant. 

It also requires that law-enforcement agencies publish an annual transparency report about their use of the technology. 

Massachusetts would join cities like Portland, Me., and Portland, Ore. —  as well as San Francisco and Oakland, Calif. — in banning police use of facial recognition.

The bill was passed by both the Massachusetts Senate and House.

“No one should have to fear the government tracking and identifying their face wherever they go, or facing wrongful arrest because of biased, error-prone technology,” said Kade Crockford, who leads the Technology for Liberty program for the ACLU of Massachusetts.

  By DPN Staff