Chicken Soup and the IT Privacy and Security Weekly Update for the week ending March 7th, 2023


This week we start on page 7 and finish with the chickens.

We get a little bit of activity from Zoom and a TL;DR for US President Biden’s new National Cybersecurity Strategy.

We have a story on Airbnb’s new “banned by association” program and the German government finally pulling the plug on one company’s networking equipment.

Then we have an update on the state of video surveillance, and we end up surprising ourselves with what we found just outside our own office doors.

We close the update with a silly title and a somber realization.

**Click on the chicken this week for an audio version of this week’s update.**

Yes, it’s a real pot of soup this week. So, as any good chef would advise, when you find yourself over the fire it’s time to start dishing out.

Let’s dish!

EU: What? You mean you don’t understand the statement on page 7 of our updated 13-page Privacy Policy?

Meta Platforms’ WhatsApp has agreed to be more transparent about changes to its privacy policy introduced in 2021, the European Commission said on Monday, following complaints from consumer bodies across Europe.

The European Consumer Organisation (BEUC) and the European Network of consumer authorities told WhatsApp last year that it had not clarified the changes in plain and intelligible language, violating the bloc’s laws.

EU members’ national regulators can sanction companies for breaches. WhatsApp has now agreed to explain changes to EU users’ contracts and how these could affect their rights, and has agreed to display prominently the possibility for users to accept or reject the changes and ensure that users can easily close pop-up notifications on updates.

So what’s the upshot for you? The surprise was that the company also confirmed users’ personal data would not be shared with third parties or other Meta companies, including Facebook, for advertising purposes if deselected.

US: US Fed Reserve Zoom Conference Canceled After ‘Porn-Bombing’

A Federal Reserve Zoom event with more than 220 people was canceled after a user hijacked proceedings and displayed pornographic content, Reuters reports.

The hijack left Fed Governor Christopher Waller unable to deliver his opening remarks because graphic images from a call participant named “Dan” began to pop up on the screen.

In a statement to Reuters, Brent Tjarks, executive director of the Mid-Size Bank Coalition of America (MBCA), which hosted the Zoom event, said: "We were a victim of a teleconference or Zoom hijacking and we are trying to understand what we need to do going forward to prevent this from ever happening again.

It is an incident we deeply regret.

We have had various programs and this is something that we have never had happen to us."

Tjarks adds that he suspects a security setting for the Zoom event, one that would have muted participants and prevented them from sharing their screens, was incorrectly set, though he could not confirm this.

The MBCA, whose roughly 100 members include banks with between $10 billion and $100 billion in assets, made the decision to cancel the event minutes after it was scheduled to commence, citing “technical difficulties.”

So what’s the upshot for you? Oooh, OK that could be embarrassing… The controls Tjarks is describing are the ones to check before any large public meeting: restrict screen sharing to the host, mute participants on entry, and put attendees through a waiting room or registration rather than an open join link.

Global: Zoom fires its president, a former Google employee, after only 10 months

Zoom has sacked its president, Greg Tomb, a former Google employee who only began working at the company around 10 months ago.

Zoom said in a filing with the Securities and Exchange Commission that Tomb’s termination was effective as of Friday.

He will receive severance benefits in line with his employment arrangements, which are payable upon a “termination without cause,” according to the SEC filing.

A spokesperson from Zoom told Insider the company won’t find a replacement for Tomb and declined to comment further.

Tomb’s LinkedIn profile shows that he joined Zoom as president in June 2022.

Before this, he worked at Google for more than a year as the vice president of sales for Google Workspace, Security, and Geo Enterprise.

So what’s the upshot for you? Everyone has a bad day (or 10 months) every once in a while…

US: Biden Administration Releases National Cybersecurity Strategy

Here is the TL;DR (too long; didn’t read) of the National Cybersecurity Strategy 2023, released last Thursday, in which the Biden administration promises to hold software developers and critical infrastructure to tougher security standards and to apply more pressure on ransomware gangs as part of its first national cybersecurity strategy.

The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats.

The strategy – which was crafted by the two-year-old Office of the National Cyber Director (ONCD) – has five “pillars”:

  1. defend critical infrastructure;
  2. disrupt and dismantle threat actors;
  3. shape market forces to drive security and resilience;
  4. invest in a resilient future; and
  5. forge international partnerships.

The strategy includes a wide range of tasks, from modernizing federal systems’ cybersecurity defenses to increasing offensive hacking capabilities in the intelligence community.

The administration will start working with Congress and the private sector on legislation that would hold software makers liable for security flaws if they fail to follow security best practices, like those developed by the National Institute of Standards and Technology.

So what’s the upshot for you? While that last point may have the software and application giants sweating, the strategy carves out the open-source community: liability is aimed at the vendors who ship and profit from the product, and the government says it is looking at other initiatives to actually help open-source maintainers.

DE: Germany Planning To Ban Huawei, ZTE From Parts of 5G Networks

Germany’s government plans to forbid telecoms operators from using certain components from Chinese companies Huawei and ZTE in their 5G networks, the German paper Zeit Online reported on Monday.

The ban could include components already built into the networks, requiring operators to remove and replace them, Zeit Online wrote, citing government sources.

The government, which is now in the midst of a broader re-evaluation of its relationship with top trade partner China, did not immediately reply to a request for comment. A source, however, confirmed the report to Reuters.

Critics of Huawei and ZTE say that their close links to China’s security services mean that embedding them in the ubiquitous mobile networks of the future could give Chinese spies and even saboteurs access to swathes of essential infrastructure.

Huawei, ZTE, and the Chinese government rejected these claims, saying that they are motivated by a protectionist desire to support non-Chinese rivals.

Zeit Online said the government’s cybersecurity agency and interior ministry had for months been checking if there were components in the growing 5G networks that could put German security at risk.

The survey had not officially been ended, but the result was already clear, the paper said, citing government sources.

The government would ban operators from using certain controlling elements from Huawei and ZTE in 5G networks.

So what’s the upshot for you? Aggressive intellectual property theft across broad commercial and government sectors, combined with a protectionist home market, is a strategy that eventually has repercussions…

US: Hackers Claim They Breached T-Mobile More Than 100 Times In 2022

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests.

In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication.

This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram.

So what’s the upshot for you? T-Mobile said this type of activity affects the entire wireless industry. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more.”

But why so many times for T-Mobile? Perhaps the other carriers put those controls in place before, rather than after, the breaches.

The practical lesson for you is in the passage above: anything protected only by SMS is protected only as well as your carrier’s front-line staff. Wherever a service offers it, move password resets and multi-factor authentication off SMS and onto an authenticator app or a hardware key.
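The attack chain described above runs through a carrier’s own tooling: a phished employee account performs SIM changes on behalf of the criminal. That makes the carrier’s audit log the place to catch it. The following is an added example of that detection logic, written for this update and not taken from the original reporting or from T-Mobile’s systems. The log format, the agent IDs, the subscriber numbers and the corporate IP range are all constructed for the example; real tooling logs would need their own parser but the two rules (SIM changes from outside the corporate network, and bursts of SIM changes by one agent) carry over.

```python
"""Flag suspicious SIM-change activity in (constructed) carrier tooling audit logs.

Two cheap signals that a support agent's account is being driven by a SIM-swapper:
  1. a SIM change issued from a session outside the corporate address space
     (phished credentials are usually replayed from the attacker's own network);
  2. an unusual burst of SIM changes by one agent in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (NOT real carrier data). One line per agent action:
# ISO-8601 timestamp, agent id, action, subscriber number, source IP of the agent session.
SAMPLE_LOG = """\
2022-09-12T10:02:11Z,agent017,SIM_SWAP,+15550100,10.20.4.15
2022-09-12T10:41:55Z,agent017,SIM_SWAP,+15550101,10.20.4.15
2022-09-12T11:05:02Z,agent022,SIM_SWAP,+15550102,10.20.7.31
2022-09-12T22:14:09Z,agent031,SIM_SWAP,+15550103,203.0.113.44
2022-09-12T22:16:40Z,agent031,SIM_SWAP,+15550104,203.0.113.44
2022-09-12T22:19:03Z,agent031,SIM_SWAP,+15550105,203.0.113.44
2022-09-12T22:21:30Z,agent031,SIM_SWAP,+15550106,203.0.113.44
2022-09-12T22:25:12Z,agent031,PROFILE_VIEW,+15550107,203.0.113.44
"""

CORP_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed corporate range for the example
MAX_SWAPS_PER_WINDOW = 3                     # assumed per-agent ceiling for a normal hour
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Turn the CSV-style lines into dicts with typed timestamp and IP fields."""
    events = []
    for line in text.strip().splitlines():
        ts, agent, action, msisdn, src = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "agent": agent,
            "action": action,
            "msisdn": msisdn,
            "src_ip": ip_address(src),
        })
    return events


def off_network_swaps(events, corp_networks=CORP_NETWORKS):
    """Rule 1: SIM changes whose session did not originate inside the corporate ranges."""
    return [
        e for e in events
        if e["action"] == "SIM_SWAP"
        and not any(e["src_ip"] in net for net in corp_networks)
    ]


def burst_swaps(events, limit=MAX_SWAPS_PER_WINDOW, window=WINDOW):
    """Rule 2: agents with more than `limit` SIM changes inside any `window`.

    Returns {agent: swaps_in_busiest_window} for every agent over the limit,
    using a sliding window over that agent's sorted SIM_SWAP timestamps.
    """
    by_agent = defaultdict(list)
    for e in events:
        if e["action"] == "SIM_SWAP":
            by_agent[e["agent"]].append(e["ts"])

    flagged = {}
    for agent, times in by_agent.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[agent] = peak
    return flagged


def suspicious_agents(text):
    """Agents tripping either rule, sorted, for handoff to the fraud team."""
    events = parse_log(text)
    agents = {e["agent"] for e in off_network_swaps(events)}
    agents |= set(burst_swaps(events))
    return sorted(agents)


if __name__ == "__main__":
    for agent in suspicious_agents(SAMPLE_LOG):
        print("review SIM changes by", agent)
```

Only agent031 trips the rules in the sample: four SIM changes in seven minutes, all from an address outside the assumed corporate range. Both thresholds are tuning knobs; the point is that the signal exists in data the carrier already holds, and that a phished agent looks different from a busy one.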

US: Interested in trying online mental health services? BetterHelp Sold Customer Data While Promising It was Private

Online counseling company BetterHelp has agreed to pay $7.8 million to settle charges from the Federal Trade Commission that it improperly shared customers’ sensitive data with companies like Facebook and Snapchat, even after promising to keep it private.

The proposed order, announced by the FTC on Thursday, would ban the same behavior in the future and require BetterHelp to make some changes to how it handles customer data.

According to the regulator, the sign-up process for the company’s service “promised consumers that it would not use or disclose their personal health data except for limited purposes.”

However, the FTC alleges that the company instead “used and revealed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes.”

The FTC also says that the company gave customer service agents false scripts to try and reassure users that it wasn’t sharing personally identifiable or personal health information after a February 2020 report from Jezebel exposed some of its practices.

The commission’s complaint accuses the company of misleading customers by putting a HIPAA seal on its website, despite the fact that “no government agency or other third party reviewed [BetterHelp]'s information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.”

If the FTC’s order ends up going through, the $7.8 million would go to customers who signed up for the service between August 1st, 2017, and December 31st, 2020.

So what’s the upshot for you? It’s when you are at your weakest that you should have the strongest protections.

Global: Airbnb Is Banning People Who Are ‘Closely Associated’ With Already-Banned Users

Airbnb is banning people from using its site because of their mere association with other users the short-term rental company has deemed a safety risk and removed from the platform, a decision that highlights the imperfect security protocols that Airbnb employs.

In instances where a user is banned because of their association with another user deemed problematic, the user can only return to the platform if their problematic acquaintance successfully appeals the ban or if they are able to prove they are not “closely associated.”

In a statement, Airbnb confirmed to Motherboard that it does sometimes ban users because the company has discovered that they “are likely to travel” with another person who has already been banned, though a spokesperson wouldn’t say when this practice started or how often it occurs.

The company said it does this as a “necessary safety precaution,” and a spokesperson said referring to such bans as merely a result of association is overly “simplistic.”

But the process appears opaque; just this month, the company apologized and said it had made a “mistake” in banning the parents of right-wing activist Lauren Southern.

Airbnb has said that it understands the system is imperfect and employs an appeals process for people who feel they have been unfairly banned.

But that process is often limited and frustrating, according to conversations Motherboard has had with banned users.

The bans by association underscore the difficulty (and perhaps impossibility) of keeping dangerous parties completely out of Airbnb hosts’ homes without slighting associated users who feel their own bans are unjustified.

So what’s the upshot for you? Not sure how they would determine who we might be likely to travel with, but we are sure the Airbnb AI has that all figured out.

US: The Privacy Loophole in Your Doorbell

Police were investigating his neighbor. A judge gave officers access to all his security-camera footage, including inside his home.

The week of last Thanksgiving, Michael Larkin, a business owner in Hamilton, Ohio, picked up his phone and answered a call.

It was the local police, and they wanted footage from Larkin’s front door camera. Larkin had a Ring video doorbell, one of the more than 10 million Americans with the Amazon-owned product installed at their front doors.

His doorbell was among 21 Ring cameras in and around his home and business, picking up footage of Larkin, neighbors, customers, and anyone else near his house.

The police said they were conducting a drug-related investigation on a neighbor, and they wanted videos of “suspicious activity” between 5 and 7 p.m. one night in October.

Larkin cooperated and sent clips of a car that drove by his Ring camera more than 12 times in that time frame.

He thought that was all the police would need. Instead, it was just the beginning. They asked for more footage, now from the entire day’s worth of records.

And a week later, Larkin received a notice from Ring itself: The company had received a warrant, signed by a local judge.

The notice informed him it was obligated to send footage from more than 20 cameras – whether or not Larkin was willing to share it himself.

Questions of who owns private home security footage, and who can get access to it, have become a bigger issue in the national debate over digital privacy.

And when law enforcement gets involved, even the slim existing legal protections evaporate.

“It really takes the control out of the hands of the homeowners, and I think that’s hugely problematic,” said Jennifer Lynch, the surveillance litigation director of the Electronic Frontier Foundation, a digital rights advocacy group.

In the debate over home surveillance, much of the concern has focused on Ring in particular, because of its popularity, as well as the company’s track record of cooperating closely with law enforcement agencies.

The company offers a multitude of products such as indoor cameras or spotlight cameras for homes or businesses, recording videos based on motion activation, with the footage stored for up to 180 days on Ring’s servers.

They amount to a large and unregulated web of eyes on American communities – which can provide law enforcement valuable information in the event of a crime, but also create a 24/7 recording operation that even the owners of the cameras aren’t fully aware they’ve helped to build.

So what’s the upshot for you? Still thinking of installing Ring security cameras in and around your home? You’ll have to start sleeping with your makeup on.

US: San Diego wants to record your “Smile”!

Almost three years ago, the city of San Diego cut off access to its broad network of Smart Streetlights – more than 3,000 devices perched atop light poles that could collect images and other data, some of which the Police Department used to solve criminal cases.

The city removed that access, at least without a warrant, because of concerns from the public about surveillance and privacy issues.

Last Wednesday, the San Diego Police Department said it wanted access to 500 of those devices to be restored – and they want to add another crime-solving tool to the network: automated license plate readers.

Because the Smart Streetlight cameras had not been well maintained over the years, the city would need to install new cameras.

Adding the license plate reader technology would mark the first time the city of San Diego would have the readers in fixed locations.

This is the first big push for surveillance technology in San Diego since the city approved ordinances last year specifically setting rules to govern this kind of technology in light of privacy concerns.

So what’s the upshot for you? It’s not just San Diego. In our 300-meter walk from the office to the nearest subway station we are captured on a minimum of 7 CCTV cameras (with facial recognition software running) and at least triple that number of private ones.

We cover these types of stories to give a feel for how this tech is encroaching on all our lives, so that one day, when you no longer have any privacy, you can perhaps think back on a time when someone wasn’t constantly scanning, photographing, or tracking you.

US: FBI, Pentagon Helped Research Facial Recognition for Street Cameras, Drones

The FBI and the Defense Department were actively involved in the research and development of facial recognition software that they hoped could be used to identify people from video footage captured by street cameras and flying drones, according to thousands of pages of internal documents that provide new details about the government’s ambitions to build out a powerful tool for advanced surveillance.

The documents, revealed in response to an ongoing Freedom of Information Act lawsuit the American Civil Liberties Union filed against the FBI, show how closely FBI and Defense officials worked with academic researchers to refine artificial intelligence techniques that could help in the identification or tracking of Americans without their awareness or consent.

Many of the records relate to the Janus program, a project funded by the Intelligence Advanced Research Projects Agency, or IARPA, the high-level research arm of the U.S. intelligence community modeled after the Pentagon’s Defense Advanced Research Projects Agency, known as DARPA. Program leaders worked with FBI scientists and some of the nation’s leading computer-vision experts to design and test software that would quickly and accurately process the “truly unconstrained face imagery” recorded by surveillance cameras in public places, including subway stations and street corners, according to the documents, which the ACLU shared with The Washington Post.

In a 2019 presentation, an IARPA program manager said the goal had been to “dramatically improve” the power and performance of facial recognition systems, with “scaling to support millions of subjects” and the ability to quickly identify faces from partially obstructed angles.

One version of the system was trained for “Face ID … at target distances” of more than a half-mile. To refine the system’s capabilities, researchers staged a data-gathering test in 2017, paying dozens of volunteers to simulate real-world scenarios at a Defense Department training facility made to resemble a hospital, a subway station, an outdoor marketplace and a school, the documents show.

The test yielded thousands of surveillance videos and images, some of which were captured by a drone.

The improved facial recognition system was ultimately folded into a search tool, called Horus, and made available to the Pentagon’s Combating Terrorism Technical Support Office, which helps provide military technologies to civilian police forces, the documents show.

So what’s the upshot for you? The Horus tool has since been offered for use to at least six federal agencies, and their feedback is “continuing to be used to refine the tool,” Department of Homeland Security officials said last year.

Global: Stay away from the Sneezing Chickens

Minks in Spain, seals in Scotland, sea lions, and dolphins in South America: a number of mammal species have recently been found to be infected with H5N1, a highly pathogenic strain of avian influenza.

Avian flu is not new; epidemiologists have been studying it for decades. But the detection of the virus in mammals has raised concerns that it could spill over to humans and cause a larger outbreak.

As the world enters the fourth year of a global pandemic caused by a virus that likely came from an animal, concern over another virus potentially uprooting our lives is valid.

And while the World Health Organization (WHO) reports that the mortality rate of avian flu in humans is around 56 percent, many experts believe it’s likely to be much lower if the virus becomes more transmissible.

One reason avian flu is so lethal is that it infects the lower respiratory tract, which can lead to respiratory failure.

Bird flu has spilled over to humans already—in fact, just last week a girl in Cambodia died from H5N1 (although not the same strain as the one that is sickening birds worldwide).

“Each time we see this happen, we get these spurts of cases, [and] people say, ‘Here it comes; it’s going to happen,’” says Michael Osterholm, director of the University of Minnesota’s Center for Infectious Disease Research and Policy.

So what’s the upshot for you? “It’s a really dangerous time to be a bird,” Andrew Pavia, chief of the division of pediatric infectious diseases at the University of Utah, adds. “But as of today, the risk to humans remains very low. Our concern is what’s going to happen as it circulates more and more.”

It’s unfortunately nearly impossible to predict when this jump could happen. “None of us know when the next influenza pandemic will emerge. It could be tomorrow [or] it could be years from now, and we don’t know which of the viruses will become the next pandemic virus,” Osterholm says. “At the outset, you have to say there is uncertainty, with one exception: there will be a pandemic.”


Our Quote of the week: “A woman had two chickens. One got sick, so the woman made chicken soup out of the other one to help the sick one get well.” - Henny Youngman

That’s it for this week. Stay safe, stay secure, finish your soup, and see you in se7en.