Android phones gather your location data and send it to Google, even if you’ve turned off location services and don’t have a SIM card, Quartz reported today.
Online tracking gets more accurate and harder to evade.
The start-up Alphonso collects viewing data for advertisers through mobile gaming apps that can track users on the devices’ microphones, even when the apps aren’t in use.
Some smartphone games are listening to what your mic picks up — but not to hear what you say. Instead, they’re trying to hear what you’re watching.
This is something smartphone apps have been doing...
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.
Using only publicly available information, we have been able to decrypt the service provider ID numbers in the 10% sample of Medicare Benefits Schedule (MBS) published recently at the Federal Government’s data.gov.au website. We did not decrypt Patient ID numbers.
This research work is aimed at understanding mathematical facts about encryption and anonymization, in order to ensure that the security of government data is preserved in the face of the inevitable efforts of external parties who may be prepared to break the law and attempt to re-identify the data. There are numerous benefits to open government data, but it’s important to understand the mathematical techniques for protecting that data, so that the benefits can be derived with a clear understanding that individual privacy is not breached.
Update: someone pointed out that PayPal actually reveals the last four digits of the phone numbers, so this technique may work for large countries as well if the target has its phone linked to its PayPal account.
Last month, I discovered it is relatively simple to reveal private phone numbers on Facebook, uncovering some phone numbers of Belgian celebs and politicians. Even though this trick only seems to work in small countries such as Belgium (+/- 11.2 million people), a significant number of people is affected by this simple, yet effective privacy leak.
The CNIL said WhatsApp did not have the legal basis to share user data with Facebook and had violated its obligation to cooperate with the French authority.
WhatsApp, bought by Facebook in 2014, said it would begin sharing some user data with the social media group in 2016, drawing warnings from European privacy watchdogs about getting the appropriate consent.
In October, European Union privacy regulators criticized WhatsApp for not resolving their concerns over the messaging service’s sharing of user data with Facebook a year after they first issued a warning.
The French regulator said WhatsApp had not properly obtained users’ consent to begin sharing their phone numbers with Facebook for “business intelligence” purposes.
“The only way to refuse the data transfer for “business intelligence” purpose is to uninstall the application,” the CNIL said in a statement.
[...]
The CNIL said it had repeatedly asked WhatsApp to provide a sample of French users’ data transferred to Facebook but the company had explained it could not do so as it is located in the United States and “it considers that it is only subject to the legislation of this country.”
It is the most comprehensive such study ever conducted: more than 144 million page loads were examined during the analysis. The research covered more than 12 countries, including the United States, Canada, Great Britain, France, Germany, Austria and Switzerland.
The study found that at least one tracker was prowling around 77.4 percent of the tested page loads. With the help of cookie or fingerprinting processes, these trackers tag along as users surf the Web, carefully recording their every move. In the most benign cases, this information is used only for statistical and advertising purposes. As a rule, a number of third-party tracking scripts hang out on popular websites, and they hitch a ride with users as they pass through domains. Ten or more trackers that amass personal data were found on 21.3 percent of the sites (unique domains) analyzed in the study.
[...]
The study also identified the most widely used trackers online. Google and Facebook stood out in particular, here. Google ranks in the top ten of the most widely used trackers based on page loads with five services. Facebook has three. Google Analytics was found on nearly half of all loaded pages (46.4 percent). Facebook Connect was on more than a fifth (21.9 percent).
There are some 269 billion emails sent and received daily. That’s roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an “email intelligence” company that also builds anti-tracking tools.
Lenovo has only just settled a massive $3.5 million fine for preinstalling adware on laptops without users' consent, and now it seems HP is getting in on the stealth installation action, too. According to numerous reports gathered by Computer World, the brand is deploying a telemetry client on customer computers without asking permission.
Big Brother knows what you're getting for the Holidays.
<Thread> Hi @WikoMobile 👋! Let's talk about the ApeSaleTracker and ApeStsMonths apps found in your phones. These apps are pre-installed system apps which send regularly and silently the user infos to a Chinese 3rd party called Tinno by HTTP or SMS without user consent
You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.
The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations [1]; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.
A direct consequence of my attending Capitol du Libre 2016 was to redo Pepper&carrot website over the last weeks. I wanted to solve something important: remove all the CDN libraries I was using. It took me long to accept the challenge. It was like cleaning the Augean Stables and of course it was longer and harder than I expected because I'm no Hercules... This work was full of challenges and constraints but also creativity and happy accidents. Here are my notes about it.
Android phones are tracking your location even if you actively turn off location services, haven't used any apps, and haven't even inserted a carrier SIM card.
Targeted advertising is at the heart of the largest technology companies today, and is becoming increasingly precise. Simultaneously, users generate more and more personal data that is shared with advertisers as more and more of daily life becomes intertwined with networked technology. There are many studies about how users are tracked and what kinds of data are gathered. The sheer scale and precision of individual data that is collected can be concerning. However, in the broader public debate about these practices this concern is often tempered by the understanding that all this potentially sensitive data is only accessed by large corporations; these corporations are profit-motivated and could be held to account for misusing the personal data they have collected. In this work we examine the capability of a different actor -- an individual with a modest budget -- to access the data collected by the advertising ecosystem. Specifically, we find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads.