e dot dot dot
a mostly about the Internet blog by

UL Pushes Security Standards For The Internet Of Broken Things

Furnished content.


If you hadn't noticed yet, the internet of things is a security and privacy shit show. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.

Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale -- especially if these flaws are allowed to impact integral infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what's happening:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
Enter consumer groups and other independent operations, who are trying to finally step in with solutions. One is the open source standards system Consumer Reports has been pushing that would require that security and privacy issues be clearly highlighted in product reviews. Underwriters Laboratories (UL), the electronics safety organization, is also now joining the fray, proposing a five tier certification process to help consumers better avoid products and vendors who view privacy and security standards as an unnecessary afterthought:
"These days, when you look at products, they have been moving from an analog function to a digital function," said Andrew Jamieson, UL's director of security and technology. "From that context, the security of the software directly affects the safety of the product, so we have to really start thinking about that."
There is no unified standard for connected gadgets, which means that the smart TV you buy could be a hacking concern waiting to get plugged in. Unless you researched all your connected gadgets yourself, there'd be no way of knowing without a standard.
The UL's white paper on the proposal is worth a read. Granted such a system isn't going to get a lot of help from industry, which won't want to a.) lose revenues because some informed consumer avoided their products, or b.) be forced to spend money to improve privacy and security standards on current and past products. Similarly, captured regulators and well-lobbied lawmakers aren't likely to want to upset apathetic corporations. Which brings us back full circle, waiting for security scandals of unprecedented scale that will finally prompt action in this indisputably broken space.


posted at: 12:00am on 03-Jan-2020



Court (Barely) Allows Class Action Lawsuit Over Google's Location Tracking To Move Forward

Furnished content.


A 2018 lawsuit [PDF] against Google over location tracking survives, but only just. The lawsuit -- filed after a report showed Google was still collecting location data even after users shut off location services on Android phones -- alleges Google violated California laws and privacy protections by tracking users (including children) after it had been told not to.

The lawsuit has been dismissed [PDF], but the court is giving the plaintiffs a chance to amend the lawsuit and suggesting there are issues the court alone can't decide. (via FourthAmendment.com)

The plaintiffs allege they were led to believe Google would no longer collect and store location data when "Location History" was shut off. They cite Google's own support page, which (formerly) stated "With Location History off, the places you go are no longer stored." The court says this language could have misled users, no matter what Google's Privacy Policies and Terms of Services actually said about location data.

Drawing all inferences in favor of Plaintiffs, a reasonable user could believe that disabling Location History prevented Defendant from collecting and storing geolocation data. This conclusion is bolstered by the fact that many people were mislead by the effect of disabling Location History. See, e.g., Compl. ¶ 4. Moreover, the support page Defendant points the Court to was created after this litigation had already commenced. At the time Plaintiffs’ original complaints were filed, the page described Web & App Activity as merely a means to “[s]ave your search activity on apps and in browsers to make searches faster.” Id., Ex. 28. The page did not expressly state that geolocation data may be collected.
Google argues that users consent to sending location info to Google when using some of its services. That may be, but the court points out people agreeing to send some data to Google when using products like Google Maps is not the same thing as granting Google permission to store that data indefinitely. No good, says the court.
The Court thus rejects Defendant’s contention that by consenting to transitory use, Plaintiffs consented to geolocation collection. To the contrary, it is plausible that Plaintiffs gave a narrow consent to geolocation tracking, exclusive of data storage.
Either way, it's probably not going to be settled at this stage of litigation, which is already in its sixteenth month.
It is plausible that Plaintiffs only consented to transitory use tracking and revoked any consent to the storage of their geolocation history. It is also plausible that they did not revoke such consent. The Court cannot conclude either way—factual disputes remain. “This is an issue for the jury.” Opperman, 205 F. Supp.3d at 1073 (holding that the plaintiffs produced sufficient evidence showing they did not consent to the defendants’ actions). For these reasons, the Court holds Plaintiffs have plead sufficient facts to show they did not consent to the storage of their geolocation information
The court does dismiss the plaintiffs' CIPA (California Invasion of Privacy Act) claims. By conceding they gave Google permission to collect location data when using Maps or checking "showtimes for movies playing nearby," the litigants have undercut this claim.
Hence, Plaintiffs issue is not with Defendant tracking them during application use, rather their issue is with the storage of that data. See Opp. at 3–4 (“[I]n accepting the transitory use of location information for an immediate, discrete purpose, Plaintiffs in no way consented to indefinite storage of their daily locations and movements . . . .”). For this reason, Plaintiffs’ CIPA claim fails as a matter of law because CIPA, by its plain terms, is not concerned with data storage but focuses on unconsented data tracking, which is not at issue.
That claim is dismissed with prejudice as the court sees no way the plaintiffs can amend this particular claim to make it actionable.
The California-based invasion of privacy claim fails as well, but not as badly. Invasion of privacy claims are Fourth Amendment-related, but the court sees nothing in Google's actions that could possibly be a Fourth Amendment issue, even with recent Supreme Court decisions expanding citizens' expectations of privacy.
Plaintiffs contend that Defendant’s surreptitious collection and storage of comprehensive and highly sensitive location data violates their information privacy rights. Opp. at 15. Even if the collection of granular and specific location data establishes an information privacy interest, Plaintiffs’ theory is undercut by the admission that Defendant only tracked and collected data during use of Google services. Accordingly, Defendant’s “profile” of a user is only as specific as their use of Google services. Carpenter v. United States and United States v. Jones do not undercut this conclusion.
What Google collected was far less than what the plaintiffs' cellphone providers collected, and yet, the lawsuit only alleges a violation by Google.
First, there was no claim that MetroPCS and Sprint, the phone companies holding the cell-site location information, violated the plaintiff’s right of privacy by having such robust geolocation records. Id. at 2212. The case thus does not stand for the proposition that geolocation collection violates the right of privacy.
Second, the cell-site location information discussed in Carpenter was comprehensive—the cell-site location information provided cellular companies with a rough “map” of a customer’s fluid movements. Id. at 2211. Such comprehensive data collection is not at issue here; Plaintiffs’ geolocation information depends on how often they use Google’s services. Defendant’s collection of geolocation data is not automatic; it does not happen by the routine “pinging” of a cell-phone tower.
[...]
Here, unlike the continual GPS tracking in Jones, not all of Plaintiffs movements were being collected, only specific movements or locations. Such “bits and pieces” do not meet the standard of privacy established in Carpenter or Jones.
This allegation is being allowed to move forward, though. But it probably won't live on for long if the plaintiffs can't find something more specific to allege than a theoretical "mosaic" of the plaintiffs' movements, which possibly included visits to "sensitive or confidential locations."
It's not that Google is in the right if it misled phone users into thinking they weren't being tracked when they were being tracked. It's also not right just because cellphone service providers track location almost continuously. But if the claim is that Google collected users' location data when users utilized services they knew would send that data to Google, then the lawsuit should fail.


posted at: 12:00am on 03-Jan-2020


