We’re all familiar with the 3 basic categories of authentication.

  1. Knowledge factors (passwords, PINs)

  2. Possession factors (a software/hardware token - Yubikey/Google Authenticator/SecureID)

  3. Inherence factors (fingerprint, heartbeat, iris/retina scanning)

While the vast majority of sites use knowledge factors, a growing number are turning to multi-factor solutions in an effort to bolster security, to the detriment of the user experience.

Cue continuous authentication / behavioral biometrics… the process of identifying a user based on the subtle nuances in their voice, typing patterns, facial features and location.

Jan 12

German police used a contact tracing app to track down witnesses in a local crime case. The scandal has data protection advocates up in arms, with politicians warning that abuse of the app could undermine public trust.

Philip Zimmermann released the first version of Pretty Good Privacy in 1991. With support for encrypting email messages, PGP offered confidentiality, but also raised concerns related to United States export regulations. After navigating the legal issues, Zimmermann founded PGP Inc, which proposed the creation of a public standard named OpenPGP in 1997. The OpenPGP Working Group codified format requirements under RFC 2440 in 1998, and released the current specification under RFC 4880 in 2007. Three decades after initial publication, Pretty Good Privacy is not without detractors, but it still provides a common protocol for message encryption and digital signatures.

In conjunction with the standardization of OpenPGP, Werner Koch developed GNU Privacy Guard, which has served as the de facto open source implementation of the format since the initial version in 1997. With the PGP trademark and commercial ownership changing hands over the years, GnuPG became common enough that some applications use the acronym GPG in place of PGP. In addition to various commercial products, numerous open source projects, plugins, and libraries have grown up around the OpenPGP standard.


Finally, the new German government wants to change the German data retention regulation so that it complies with European and German constitutional privacy rights. Any storage of telecommunications data without any reason should be prohibited. This is very good news and it sends a clear signal to the world: Your right to privacy is being respected in Germany!

On November 2, 2021, the Ministry of Commerce of China (“MOFCOM”) officially released the revised Catalogue of Technologies Subject to Import Prohibition and Restriction (“Technology Catalogue”), effective immediately, which identifies, among others, foreign “data encryption technology employing a key length greater than 256 bits” as a technology that requires an import permit when transferred to a Chinese party.

This new development may significantly impact multinational corporations’ supply chain operations that involve cross-border transfer of encryption technologies. As of January 2021, the licensable “dual-use” encryption items that require an import license are limited to the four types of physical encryption devices described by the “Dual-use” Import Control List (“Dual-use List”) published by the export control arm of MOFCOM (known as the Bureau of Industry, Security, Import and Export Control). Essentially, intangible transfer of encryption technology or software is excluded from the scope of import control under China’s “dual-use” import and export control regime.


Oftentimes when governments announce plans to weaken citizens’ privacy rights for the sake of ‘security’, the public outcry is loud and clear: If you weaken security in online services to catch criminals, you weaken the security online for all citizens. However, oftentimes this warning is ignored by governments. But this is not the story we want to share with you today; this one is a different story.

Dec 10, 2021

A January 2021 FBI document outlines what types of data and metadata can be lawfully obtained by the FBI from messaging apps. Rolling Stone broke the story and it’s been written about elsewhere.

I don’t see a lot of surprises in the document. Lots of apps leak all sorts of metadata: iMessage and WhatsApp seem to be the worst. Signal protects the most metadata. End-to-end encrypted message content can be available if the user uploads it to an unencrypted backup server.

The coalition contract of the new German government (SPD, Grüne, FDP) satisfies a lot of expectations by digital rights activists. A ‘right to encryption’, ‘a right to anonymity’, ‘increased IT security’, ‘public money for public code’ are just some of the digital promises contained in the contract that give reason to celebrate to all privacy enthusiasts.

Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

Nov 22, 2021

The EU Commission’s plans to proactively involve telecommunications providers in the surveillance of their customers’ e-mail and chat messages have been a contentious issue for some time. mailbox.org has reported on this repeatedly, criticised the proposals, and contributed to open letters. Instead of taking the public response into account, the EU has opted to double down and tighten their surveillance requirements even further than was originally planned – to an extent that data protection professionals have denounced the plans as a blatant attempt to abolish the legal protection of private correspondence in the digital realm. The proposed changes include a ban on properly encrypted communication, disguised as a measure to combat child pornography. We believe this would open the door to the widespread surveillance of all telecommunication activity, threaten the privacy of all people and shake the foundations of our values and fundamental rights as European and German citizens.


Fingerprint authentication is a convenient alternative to passwords and PIN codes. Who wants to spend time typing in a lengthy string of numbers, letters and characters when a simple tap will suffice?

Unfortunately, that convenience comes at a cost. Because, unlike a regular password, you leave your fingerprint on taxi doors, iPhone screens, and glasses of wine at your local restaurant.

In this article, the Kraken Security Labs Team demonstrates just how easy it is for malicious actors to bypass your favorite login method.

Nov 12, 2021

At the meeting of EU interior ministers in Brdo, Slovenia, the government representatives today spoke out in favour of mandatory screening of our private communications. In the final declaration[1] of the two-day conference convened by the Slovenian Council Presidency, the participants welcome the EU Commission’s intention to present draft legislation in early 2022. It would oblige providers of messenger services such as WhatsApp and email services to automatically search encrypted and unencrypted communications, private messages and attached photos for suspected content and report it to the police.


Hacker ‘Andrew,’ who had close ties with American intelligence services, accessed thousands of hotel reservations in Middle-Eastern countries. Booking.com did not report the data breach to customers or authorities.

Nov 8, 2021

Signal still knows nothing about you, but the government still continues to ask us if we do.

Because everything in Signal is end-to-end encrypted by default, the broad set of personal information that is typically easy to retrieve in other apps simply doesn’t exist on Signal’s servers. This order requested a wide variety of information we don’t have, including the target’s correspondence, contacts, groups, calls, and address.

As usual, we couldn’t provide any of that. It’s impossible to turn over data that we never had access to in the first place. Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for. In this case, the order identified the user by their profile name, which is encrypted and inaccessible to Signal, so we were not able to even identify the user in question.

Nov 8, 2021

Signal Private Messenger, commonly used by human rights defenders worldwide, is widely considered the state-of-the-art app for private and secure communications. But as its popularity surged recently, we have started to observe its blocking in several countries.

In this report, we share our analysis of OONI network measurement data on the blocking of the Signal Private Messenger app in Iran, China, Cuba, and Uzbekistan.

Oct 30, 2021

The aim of this report is to establish a problematised overview of what we know about what is currently being done in Europe when it comes to remote biometric identification (RBI), and to assess in which cases we could potentially fall into forms of biometric mass surveillance.
Discussions about privacy, digital rights, etc.

Created on Sep 16, 2020
By @gurlic
Administered by: @zed