Visual microphone reconstructs nearby sound from silent videos of ordinary objects

Princeton’s WebTAP privacy project recently found that Google’s trackers are installed on 75% of the top million internet websites.

We're excited to launch a new browser extension and mobile app, extending DuckDuckGo's protection beyond the search box to wherever the Internet takes you.

Similar to Uber's "God View" scandal, Lyft staffers have been abusing customer insight software to view the personal contact info and ride history of the..

Researchers at Checkmarx decided to measure how securely Tinder handles all those images it sends you. Answer: not so much.

Privacy experts believe tens of millions of Americans are already being monitored by automakers.

If you use both WhatsApp and Facebook, this change allows Facebook access to several pieces of your WhatsApp information, including your WhatsApp phone number, contact list, and usage data (e.g. when you last used WhatsApp, what device you used it on, and what OS you ran it on). With confusing wording, the update correctly points out that your phone number and messages will not be shared onto Facebook. This means that your data will not be shared publicly on your Facebook page or anywhere else on Facebook’s platform. Instead, it will be shared with Facebook—that is, Facebook systems and the “Facebook family of companies.” While WhatsApp’s privacy-friendly end-to-end encryption remains, and the company assures users it will not share their data directly with advertisers, this nevertheless presents a clear threat to users’ control of how their WhatsApp data is shared and used.

[...]

Most critically for user privacy, however, sharing this kind of metadata also gives Facebook an enhanced view of users’ online communication activities, affiliations, and habits, and runs the risk of making private WhatsApp contacts into more public Facebook connections. The new privacy policy, for example, permits Facebook to suggest WhatsApp contacts as Facebook friends. Facebook can also use the data to show “more relevant” ads. In an announcement accompanying the privacy policy update, WhatsApp offers the example of “an ad from a company you already work with, rather than one from someone you’ve never heard of”—a frightening prospect considering the data coordination and sharing required for Facebook to know the companies with whom you do business.

Metadata equals surveillance data, and collecting metadata on people means putting them under surveillance.

An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject's home, office, and car. He would eavesdrop on his computer. He would listen in on that subject's conversations, both face to face and remotely, and you would get a report on what was said in those conversations.

[...]

Now imagine that you asked that same private detective to put a subject under constant surveillance. You would get a different report, one that included things like where he went, what he did, who he spoke to -- and for how long -- who he wrote to, what he read, and what he purchased. This is all metadata, data we know the NSA is collecting. So when the president says that it's only metadata, what you should really hear is that we're all under constant and ubiquitous surveillance.

What they are trying to say is that disclosure of metadata—the details about phone calls, without the actual voice—isn't a big deal, not something for Americans to get upset about if the government knows. Let's take a closer look at what they are saying:

• They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
• They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
• They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
• They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after. But the content of those calls remains safe from government intrusion.
• They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day. But nobody knows what you spoke about.

Sorry, your phone records—oops, "so-called metadata"—can reveal a lot more about the content of your calls than the government is implying. Metadata provides enough context to know some of the most intimate details of your lives. And the government has given no assurances that this data will never be correlated with other easily obtained data. They may start out with just a phone number, but a reverse telephone directory is not hard to find. Given the public positions the government has taken on location information, it would be no surprise if they include location information demands in Section 215 orders for metadata.

WhatsApp messenger is arguably the most popular mobile app available on all smart-phones. Over one billion people worldwide for free messaging, calling, and media sharing use it. In April 2016, WhatsApp switched to a default end-to-end encrypted service. This means that all messages (SMS), phone calls, videos, audios, and any other form of information exchanged cannot be read by any unauthorized entity since WhatsApp. In this paper we analyze the WhatsApp messaging platform and critique its security architecture along with a focus on its privacy preservation mechanisms. We report that the Signal Protocol, which forms the basis of WhatsApp end-to-end encryption, does offer protection against forward secrecy, and MITM to a large extent. Finally, we argue that simply encrypting the end-to-end channel cannot preserve privacy. The metadata can reveal just enough information to show connections between people, their patterns, and personal information. This paper elaborates on the security architecture of WhatsApp and performs an analysis on the various protocols used. This enlightens us on the status quo of the app security and what further measures can be used to fill existing gaps without compromising the usability. We start by describing the following (i) important concepts that need to be understood to properly understand security, (ii) the security architecture, (iii) security evaluation, (iv) followed by a summary of our work. Some of the important concepts that we cover in this paper before evaluating the architecture are - end-to-end encryption (E2EE), signal protocol, and curve25519. The description of the security architecture covers key management, end-to-end encryption in WhatsApp, Authentication Mechanism, Message Exchange, and finally the security evaluation. We then cover importance of metadata and role it plays in conserving privacy with respect to whatsapp.

In the privacy domain, there have been concerns related to user metadata as well. WhatsApp encrypts the communication channel between users using end-to-end encryption. The metadata of the user is encrypted as well when data is in motion on the communication channel between various parties. It is essential to understand that information stored in metadata is just as important in preserving privacy of the users, as is the data itself. The company's legal terms allow them to store information associated with successfully delivered messages such as time of delivery, mobile phone numbers involved in the messages, size of any digital content swapped between the two parties (Bernstein 2006). Also, the app persists the user to share one's entire contact list with the app. This is a way to further gather information about who is in a particular social network of a user. It is like trading the convenience of having the app to figure out who uses it amongst one's contacts for giving up the entire list of which one contacts regularly, including those who don't use the app. There is still no option of selectively adding contacts to the WhatsApp list. Any addition of this feature in the future will not help existing users as they have already shared this detail with the app.

A smartphone metadata reflects a wealth of details both at the level of individual calls and when analyzed in aggregate. Computer scientists and researchers have proved this a number of times in the past. It is here where WhatsApp falters. While the metadata is encrypted during transit, phone numbers, timestamps, connection duration, connection frequency, as well as user location are being stored on the company's servers. This metadata is sufficient to create a profile and draw some strong inferences between the communicating parties. And as we've seen very often, both governments and hackers can get their hands on the metadata if they realty go after it.

What advantage would Facebook, the parent company has in addition to the metadata related information coming via WhatsApp? WhatsApp had vowed that it would not be selling advertisements. However, there is no condition that can stop its parent company from doing so by using information gathered through the whatsapp. In combination to one's activities on Facebook, it can potentially help create a more accurate understanding of the user behavior, and social interactions thereby serving as a strong measure of profiling for some targeted ads. This is not truly a major concern as long as the user sees ads that make sense to them. Any change in the content delivery algorithm can lead to a very different user experience, where in some cases the user may outright stop using the app.

For group chat, the communication initiator sends message to the whatsapp server, which in turn distributes it to all the group members. This is a very easy way of for Facebook to learn all about ones social interactions and communities. A lot can be deduced by performing some kind of traffic analysis just by using the metadata like from the message volume exchanged.

In August 2016, WhatsApp changed its terms of privacy where it stated that it plans to transfer user data to its parent company, Facebook. It had earlier promised that this data would not be disclosed or used for marketing purposes. But now it will share user account information with Facebook and the Facebook family of companies, like the phone number the user used as a primary identifier. The companies intend to use WhatsApp account information to show users "more relevant ads on Facebook" and to send users marketing messages via WhatsApp. A phone number is like a digital social security number (EPIC - WhatsApp). It can uniquely identify a person as this information is provided every time when filling up forms for various purposes. It can also connect various sources of data, like health records, financial data, and education, online presence, etc. and create a full profile of a person.

Matthew Green and I had a bet for the last year, which just ended, over libotr's security; I bet him that nobody would find a sev:hi flaw in it all year, and, of course, won, because at this point all the low-hanging fruit in libotr has been shaken out.

That bet was a reaction to the release of the EFF scorecard, which at the time gave Cryptocat(†) a perfect score but dinged ChatSecure, which is a libotr client, for not having an audit done.

I told Matthew Green I'd write up something about the bet, and what did get reported to me about libotr; I'll probably spend a few thousand words critiquing the scorecard there. A brief outline, though:

• There are places where the scorecard is factually misleading. For instance: there seems to be no coherence to what "source code available for inspection" means; it still lists Telegram as being open source!

• It's oversimplified in misleading ways as well. Systems which technically have the capability of verifying peers are given big green checkmarks even when that feature is so broken as to be useless. And, of course, there's the "been audited recently" checkmark, which, as anyone familiar with software security auditing will tell you, means absolutely fuck-all (again: ponder the fact that libotr, which has been a high-profile target for something like a decade and is more or less frozen stable, was counted as "not audited", while projects that got a 1-week drive-by from a firm specializing in web security got a big green checkmark).

• What does "security design properly documented" even mean? Where's the methodology behind the chart? A few paragraphs of text aimed at laypeople isn't a documented methodology! The one place they eventually did add documentation --- "what's a good security audit" --- tries to explain a bunch of stuff that has almost nothing to do with the quality of software security inspection, and then throws up its hands and says "we didn't try to judge whether projects got good audits". Why? Why didn't they consult any named outside experts? They could have gotten the help if they needed it; instead, they developed this program in secret and launched it all at once.

• The project gives equal time to systems that nobody uses (at one point, Cryptocat was near the top of the list, and ChatSecure was actually hidden behind a link!), and is ranked alphabetically, so that TextSecure, perhaps the only trustworthy cryptosystem on this list (with the possible exception of the OTR clients) is buried at the bottom.

• If the point of this chart is to educate laypeople on which cryptosystem to use, how is anyone supposed to actually evaluate it? They don't really say. Is it ok to use Jitsi's ZRTP, despite missing the "recent audit" checkbox? What about Mailvelope, which is missing the forward-secrecy checkbox? Can anyone seriously believe it's a better idea to use Telegram or Cryptocat, both flawed ad-hoc designs, than TextSecure or ChatSecure?

I guess I can't be brief about this after all. Grrr. This scorecard drives me nuts.

I am not saying that these flaws in any way impacted your particular research project.

ghacks-user.js - An ongoing comprehensive user.js template for configuring and hardening Firefox privacy, security and anti-fingerprinting

Where Am I Right Now, Asking 'Where Am I?' or 'My Current Location?'. This web detects your location, and display your location on google map (latitude, longitude, and LOCATION NAME).

Ad-tech firm Criteo likely to cut its 2018 revenue by more than a fifth after Apple blocked ‘pervasive’ tracking on web browser Safari

Inox patchset tries to provide a minimal Chromium based browser with focus on privacy by disabling data transmission to Google.