Spinning the IT Privacy and Security Update for the Week ending August 30th, 2022


From outer space to inner space and a few rotations in between, we spin you right round.

Space may be “Where No Man Has Gone Before”, but one woman has and will again.

We discover why you are less likely to be locked in a compartment and blasted with targeted ads during your next train ride to Delhi and what Google will track while you are on the tracks.

We learn about all the cameras you can buy access to in China, and then we see the full database of photos in the second largest data exposure in China.

We have the FTC getting tough on data brokers and a Judge getting tough on Elon and the punch-weary Twitter.

We suggest a new way to send untracked e-mail and learn the EU’s complaining that Google is swapping out other junk mail for their own.

And finally, we get a story about upcoming phones that will be better, faster, and never lose a connection, like the one you left in the back of the taxi.

We’ll spin you right round… like a record.

Outer Space: Nichelle Nichols’ ashes will voyage to space aboard a Vulcan rocket

The ashes of Nichelle Nichols, the actress who played Lieutenant Nyota Uhura in the original Star Trek, will get sent into deep space on a rocket that memorializes her and several other Star Trek veterans.

Nichols’ ashes will head to space on a rocket fittingly called the Vulcan Centaur, with the memorial spaceflight company, Celestis, running the “Enterprise Flight” mission.

During the mission, Nichols will be joined by the remains of Star Trek creator Gene Roddenberry and his wife, Majel Barrett, who starred as the series’ nurse Christine Chapel.

James Doohan, who played the Enterprise’s engineer, Scotty, and the visual effects artist Douglas Trumbull, who’s known for his work on Star Trek: The Motion Picture, Blade Runner, and more will also be on board.

When the rocket takes off from Cape Canaveral, it will carry over 200 capsules containing ashes, DNA samples, as well as names, messages, and pictures provided by users from around the globe.

So what’s the upshot for you? When we featured a story about Nichelle’s passing, we certainly didn’t see this updated, uplifting, ending.

IN: India Railway Firm Scraps Plan To Monetize Customer Data

Indian Railway Catering and Tourism Corporation (IRCTC), a state-run firm with a monopoly on online booking of train tickets, has scrapped its plan to monetize customer data after its tender drew concerns from many.

The Indian firm informed the local stock exchange Friday that it was scrapping its proposal because the Indian government had withdrawn the personal data protection bill.

In a tender earlier, the firm had proposed appointing a consultant for digital data monetization on rail passengers’ data.

The tender sought to explore studying customers’ behavioral data, their frequency of journeys, as well as geography, the kind of ticket they purchase, and mobile number and gender.

The plan, had it been approved, would have helped the firm increase its revenue by more than $125 million, according to an estimation by the firm.

So what’s the upshot for you? Wait, what? Do you mean we can’t buy tickets from Mumbai to Delhi where we become a captive audience for almost a day, get behaviorally profiled, and get bombarded with unsolicited targeted ads?

Where’s the fun in that?

Global: Google Tracks 39 Types of Personal Data, Apple Tracks 12

First, a warning. This is a story from Apple Insider.

OK and now the dirt: New research claims that of five major Big Tech firms, Google tracks more private data about users than any other – and Apple tracks the least.

Apple has previously introduced App Tracking Transparency specifically to protect the privacy of users from other companies.

However, a new report says that Apple is also avoiding doing any more tracking itself than is needed to run its services.

According to StockApps.com, Apple “is the most privacy-conscious firm out there.”

“Apple only stores the information that is necessary to maintain users’ accounts,” it continues.

“This is because their website is not as reliant on advertising revenue as are Google, Twitter, and Facebook.”

The StockApps.com report does not list what it describes as the “data points” that Big Tech firms collect for every user.

However, it says they include location details, browser history, activity on third-party websites, and in Google’s case, also emails in Gmail.

It also doesn’t detail its methodology but does say that it used the marketing firm “digital information world” to investigate Apple, Amazon, Facebook, Google, and Twitter.

Of these five, Google reportedly tracks 39 separate data points per user, while Apple tracks only 12.

Unexpectedly, Facebook is stated as tracking now only 14 data points, while Amazon tracks 23, and Twitter tracks 24.

So what’s the upshot for you? Could this be a little research by Apple to discover where they rate just before they move forward to announce ad-supported services…

EU: Privacy Complaint Targets Google Over Unsolicited Ad Emails

Google has breached a European Union court ruling by sending unsolicited advertising emails directly to the inbox of Gmail users, Austrian advocacy group noyb.eu said last Wednesday in a complaint filed with France’s data protection watchdog.

The Alphabet unit, whose revenues mainly come from online advertising, should ask Gmail users for their prior consent before sending them any direct marketing emails, noyb.eu said, citing a 2021 decision by the Court of Justice of the European Union (CJEU).

While Google’s ad emails may look like normal ones, they include the word “Ad” in green letters on the left-hand side, below the subject of the email, noyb.eu said in its complaint.

Also, they do not include a date, the advocacy group added. “It’s as if the postman was paid to remove the ads from your mailbox and put his own instead,” said Romain Robert, program director at noyb.eu, with reference to Gmail’s anti-spam filters that put most unsolicited emails in a separate folder.

While any decision by CNIL, France’s data protection watchdog, would apply only in France, it could compel Google to review its practices across the region.

So what’s the upshot for you? We love it… “It’s as if the post-person was paid to remove the junk mail from your mailbox and put in their own instead.” And if you asked anyone in the US what they commonly found in their mailbox, they would tell you, “Junk mail and bills,” and that’s why they only go out to check the post once a month…

Global: The Duck Quacks back with privacy-centric email forwarding

Last year, DuckDuckGo announced a free service designed to fend off email trackers and help people protect their privacy.

The Email Protection beta was initially available through a waitlist.

Now it’s in open beta, meaning everyone can try it without having to wait for access.

Email Protection is a forwarding service that removes trackers from messages.

DuckDuckGo will tell you which trackers it scrubs as well.

During the waitlist beta, DuckDuckGo says it found trackers in 85 percent of testers’ emails.

Anyone can now sign up for an @duck.com email address, which will work across desktop, iOS, and Android.

DuckDuckGo says you can create unlimited private email addresses, including a throwaway one for every website if you prefer.

You can also deactivate an address at any time.

So what’s the upshot for you? We had to laugh that you can’t even apply for this without the DuckDuckGo Privacy Essentials extension added into your browser… and that wants full access to all web traffic. We then were able to easily secure the forwarding addresses we wanted. Get in early for the good ones… and then remove the extension if you wish.

Global: Websites Can Identify If You’re Using iPhone’s New ‘Lockdown’ Mode

Once Apple launches the new iPhone and iPad operating system early next month, users will be able to turn on a new privacy mode that the company calls “extreme.”

It’s made for journalists, activists, politicians, human rights defenders, and anyone else who may be worried about getting targeted by sophisticated hackers, perhaps working for governments armed with spyware made by companies such as NSO Group.

Apple calls it “Lockdown Mode” and it works by disabling some regular iPhone features that have been exploited to hack users in the past.

But if users turn on Lockdown Mode, they will be easy to fingerprint and identify, according to a developer who created a proof of concept website that detects whether you have Lockdown Mode enabled or not.

John Ozbay, the CEO of privacy-focused company Cryptee and a privacy activist, told Motherboard that any website or online ad can detect whether some regular features are missing, such as loading custom fonts, one of the features that Lockdown Mode disables.

“Let’s say you’re in China, and you’re using Lockdown Mode.

Now, any website that you visit could effectively detect you are using Lockdown Mode, and they have your IP address as well.

So they will actually be able to identify that the user with this IP address is using Lockdown Mode,” Ozbay said in a call.

“It’s a tradeoff between security and privacy. [Apple] chose security.”

So what’s the upshot for you? Just hope loads of people start using Lockdown Mode. Then you have some level of security and privacy through the obscurity of sheer numbers.

Global: Interested in a different search engine? Here are 10

  1. DuckDuckGo gets its indexing from Microsoft’s Bing and is one of the most successful privacy-oriented search engine alternatives to Google. DuckDuckGo, unlike Google, uses the traditional method of sponsored ads and affiliate commissions to monetize the platform. The ads are privacy-friendly and sometimes even relevant. The quality of search results is pretty good.

  2. Qwant - claims to ensure neutrality, privacy, and digital freedom while you search for something on the Internet. This is a dynamic search engine with trending topics and well-organized news stories.

  3. Startpage - the UI is like Google’s. So, if you want a familiar experience with added privacy benefits, this can be your pick. To protect your privacy, it offers an “Anonymous View”. You can choose to visit web pages through a proxy to hide your IP. You can retain your browser settings by generating a custom URL.

  4. Swisscows - You may have heard of it as Hulbee. Like DuckDuckGo, it uses Bing to deliver the search results for your query. It lets you preview a web page before visiting the site so you don’t end up tracked.

  5. Mojeek - has been around for a long time now. They’re an independent ‘crawler-based’ search engine, based in the UK, with its own algorithm and index of web pages.

  6. searX - is technically defined as an open source “metasearch engine”. It uses other search engines and accumulates the results of your queries in one place. It does not store the returned search data. You can review the source code, contribute, or even customize it as your own metasearch engine hosted on your server. If you use Torrent clients to download, this search engine will help you find the magnet links to the exact files. General tweaks include – adding/removing search engines, rewriting HTTP to HTTPS, removing tracker arguments from URL, and so on. It’s all yours to control. The user experience may not be the best here but if you want to utilize multiple search engines while keeping your privacy in check, searX is an interesting alternative to Google with some pretty cool features.

  7. Peekier - When you type in a search query, it not only fetches a list of results but also displays the preview images of the web pages listed. While Peekier does not store your data, the web portals you visit may (and generally do) track you. So, Peekier accesses the site and generates a preview image and you can decide whether it’s the one you want without being tracked.

  8. MetaGer - is another open-source metasearch engine. However, it uses the Tor network for anonymous access to search results from a variety of search engines. They claim that their servers run on 100% renewable energy.

  9. Ecosia - is an eco-friendly privacy-focused search engine that plants trees if you use it. They use an interface similar to Google but with Bing’s search results at the core. They make money from sponsored ads on search result pages. However, they contribute a significant amount of money to notable organizations and activists helping plant more trees. They share monthly financial reports and claim that their servers run on 100% renewable energy.

  10. Gibiru - a privacy-friendly search engine that aims for uncensored search results. It doesn’t enforce any trackers, but it recommends you use a VPN of their choice in addition to their search engine service, in order to prevent other websites from tracking your activity. The search results may not be the best around – but you may find some interesting uncensored results.

So what’s the upshot for you? …that’s about all we’ll be saying on search engines for the immediate term.

US: FTC Sues ‘Massive’ Data Broker for Selling Location Info on Abortion Clinics

In its lawsuit, the Federal Trade Commission (or FTC) describes how, with a sample of data obtained from Kochava, it was possible to pinpoint a device that visited a women’s reproductive health clinic and then trace that phone back to a single family home.

The news is a dramatic move from the FTC in a post-Roe United States, and signals that the agency will take steps against what it identifies as privacy violations around reproductive health and location data.

“Defendant’s violations are in connection with acquiring consumers’ precise geolocation data and selling the data in a format that allows entities to track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at risk populations, and addiction recovery,” the lawsuit reads.

So what’s the upshot for you? That companies like Kochava would even consider doing this is stunning and demonstrates how far things have fallen in the US.

We hope that women across the world are watching and that when it comes time to act, action is taken. We’ll be right there with you.

CN: Cybercriminals Are Selling Access to Chinese Surveillance Cameras

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulnerable to an 11-month-old command injection flaw.

Hikvision is a Chinese state-owned manufacturer of video surveillance equipment. Its customers span over 100 countries.

Last fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260. The vulnerability was given a “critical” 9.8 out of 10 rating by NIST.

Despite the severity of the vulnerability, and nearly a year into this story, over 80,000 affected devices remain unpatched. In the time since, the researchers have discovered “multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability,” specifically in Russian dark web forums, where leaked credentials have been put up for sale.

So what’s the upshot for you? Between weak security and insufficient visibility and oversight, it’s unclear when or if these tens of thousands of cameras will ever be secured.

CN: Huge Chinese Database of Faces and Vehicle License Plates Spilled Online

A massive Chinese database storing millions of faces and vehicle license plates was left exposed on the internet for months before it quietly disappeared in August.

While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering.

At its peak the database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June.

In both cases, the data was likely exposed inadvertently and as a result of human error.

The exposed data belongs to a tech company called Xinai Electronics based in Hangzhou on China’s east coast.

The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites, and parking garages across China.

Its website touts its use of facial recognition for a range of purposes beyond building access, including personnel management, like payroll, monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition system allows drivers to pay for parking in unattended garages that are managed by staff remotely.

It’s through a vast network of cameras that Xinai has amassed millions of face prints and license plates, which its website claims are “securely stored” on its servers.

But it wasn’t.

Security researcher Anurag Sen found the company’s exposed database on an Alibaba-hosted server in China and asked for TechCrunch’s help in reporting the security lapse to Xinai.

Sen said the database contained an alarming amount of information that was rapidly growing by the day and included hundreds of millions of records and full web addresses of image files hosted on several domains owned by Xinai.

So what’s the upshot for you? Smile!

US: The latest in the Musk vs. Twitter punchup: Judge orders both sides to turn over more documents

Chancellor Kathaleen St. Jude McCormick on Thursday ordered Twitter to provide Musk’s attorneys more data regarding the company’s estimates that less than 5% of the accounts on its platform are fake.

The judge also rejected Musk’s attempts to shield details about analyses he used in his attempt to terminate the deal.

Musk claims that Twitter has failed to provide enough detail about the number of fake accounts on its platform, and argues that up to 30% of Twitter’s “monetizable daily active users,” could be spam or bot accounts.

So what’s the upshot for you? Elon may end up with a costly prize for all his braggadocio. The worst would be that he establishes that 30% of the Twitter accounts are fake, understands that they have poor security, and … still has to pay top dollar for a company whose value started to plunge the day after he agreed on the share price.

Global: Why the Twilio Breach hurts

The communication company Twilio suffered a breach at the beginning of August that it says impacted 163 of its customer organizations.

Out of Twilio’s 270,000 clients, 0.06 percent might seem trivial, but the company’s particular role in the digital ecosystem means that fractional slice of victims had an outsized value and influence.

The secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta are all Twilio customers that were secondary victims of the breach.

Twilio provides the platform through which organizations manage their two-factor authentication text messaging systems for sending one-time authentication codes.

Though it’s long been known that SMS is an insecure way to receive these codes, it’s definitely better than nothing, and many organizations haven’t been able to move away from the practice completely.

Even a company like Authy, whose core product is an authentication code-generating app, uses some of Twilio’s services (Twilio owns Authy).

The Twilio hacking campaign, by an actor that has been called “0ktapus”, is significant because it illustrates that smishing/phishing attacks can not only give attackers valuable access to a target network but can also kick off supply-chain attacks, in which access to one company’s systems provides a window into those of its clients.

So what’s the upshot for you? Attackers compromised Twilio as part of a massive, yet tailored smishing campaign against more than 130 organizations in which attackers sent phishing SMS text messages to employees at the target companies.

The texts often claimed to come from a company’s IT department or logistics team and urged recipients to click a link and update their password or log in to review a scheduling change.

Twilio says that the malicious URLs contained words like “Twilio,” “Okta,” or “SSO” to make the URL and the malicious landing page it linked to seem more legitimate.
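As an added example (not from the article, Twilio, or Okta), a small Python heuristic for triaging links in SMS messages that employees report: it flags URLs that carry one of the brand or login keywords named above while pointing at a registrable domain that belongs to neither the vendor nor the organisation. The organisation’s own domain and the sample links are constructed placeholders.

```python
"""Heuristic check for smishing lure URLs of the kind described in the
Twilio/0ktapus item: links whose text contains a trusted brand or login
keyword ("twilio", "okta", "sso") while the registrable domain belongs to
neither the brand nor the organisation itself.

Added example; the organisation's allowlisted domain and the sample URLs
are constructed placeholders.
"""
from urllib.parse import urlparse

# Keyword -> registrable domains that may legitimately carry it.
# twilio.com and okta.com are the vendors' own domains; "sso" has no owner,
# so only the organisation's own domains (below) may carry it.
BRAND_DOMAINS = {
    "twilio": {"twilio.com"},
    "okta": {"okta.com"},
    "sso": set(),
}

# Constructed placeholder for the organisation's own domains.
ORG_DOMAINS = {"example-corp.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two DNS labels ('login.evil.net' -> 'evil.net').
    Simplification: multi-label public suffixes such as .co.uk are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def suspicious_keywords(url: str) -> list[str]:
    """Keywords present anywhere in the URL that its domain is not entitled to use."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return []
    domain = registrable_domain(parsed.hostname)
    lowered = url.lower()
    hits = []
    for keyword, owners in BRAND_DOMAINS.items():
        if keyword in lowered and domain not in owners | ORG_DOMAINS:
            hits.append(keyword)
    return sorted(hits)


def flag_lookalike_urls(urls):
    """Return (url, keywords) for every URL that trips the heuristic."""
    findings = []
    for url in urls:
        hits = suspicious_keywords(url)
        if hits:
            findings.append((url, hits))
    return findings


# Constructed sample links, modelled on the lure pattern the article describes.
SAMPLE_URLS = [
    "https://twilio-sso.example-lookalike.net/login",   # brand + sso on a foreign domain
    "https://www.twilio.com/console",                  # genuine vendor domain
    "https://sso.example-corp.com/reset",              # the organisation's own SSO host
    "https://example-corp.com.okta-verify.info/sso",   # org name used as a subdomain
    "https://news.example.org/article",                # no keyword at all
]

if __name__ == "__main__":
    for url, hits in flag_lookalike_urls(SAMPLE_URLS):
        print(f"SUSPECT {url}  keywords={hits}")
```

The registrable-domain helper deliberately stops at two labels; in production, swap it for a public-suffix-list lookup so hosts under suffixes like .co.uk are judged correctly.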

Inner Space - Back into orbit: T-Mobile and SpaceX want to connect regular phones to satellites

During a media event Thursday evening, T-Mobile’s Mike Sievert and SpaceX’s Elon Musk announced a new partnership that’s intended to connect the mobile phones that T-Mobile currently sells to a new batch of SpaceX’s Starlink satellites.

The result, according to the companies, will be the elimination of all cellular dead zones around the US.

“It’s a lot like putting a cellular tower in the sky,” Sievert said, adding that the “vast majority” of T-Mobile’s existing phones would be supported by the service.

Meaning that customers will not need to purchase new phones in order to connect them to Starlink’s second-generation satellites.

The executives said they hope to begin testing the technology in late 2023.

So what’s the upshot for you? Beyond that, satellite operator Globalstar has been widely rumored to be involved in some kind of agreement with Apple that could see the satellite company provide services directly to Apple iPhones.

Iridium, a satellite operator based in Virginia, recently announced that it “entered into a development agreement to enable Iridium’s technology in smartphones.”

EchoStar continues to hint at interest in working with Dish Network on hybrid satellite-terrestrial services.

Apple is scheduled to unveil its next iPhone next month, and it could potentially announce a phone-to-satellite service with Globalstar then.


And our quote of the week: “Hackers? Never underestimate the determination of a kid who is time-rich and cash-poor.” – Cory Doctorow

That’s it for this week. Stay safe, stay secure, stay grounded, and see you in se7en.