Category: Mobile Security

Facebook admits it collects users’ audio data and has it reviewed

Data Management & Networks, General, Mobile Security, Networking, Social Media

Facebook pays hundreds of contractors to transcribe bits of audio taken from its users, according to a report in Bloomberg.

Disturbing enough, but get this: the people contracted by Facebook to do this … shady work have no idea what the purpose of such work is. These contractors, who spoke to Bloomberg on condition of anonymity lest they face some kind of disciplinary action, have no information about where the recordings come from, how they were collected, nor why Facebook wants them transcribed. They are simply given audio of Facebook users’ conversations and told to write it down.

After hearing of the practice, the Irish Data Protection Commission announced that it would be performing an investigation to see whether Facebook is in violation of the European Union’s privacy laws.

Caught red-handed (like Apple was in recent weeks), Facebook said it has already stopped the activity. Surprise, surprise. “Much like Apple and Google, we paused human review of audio more than a week ago,” the tech giant said, the operative word being “human.” In another surprise (not), Facebook claims its users consented to having their audio recorded and transcribed. I’m sure they did so freely, voluntarily and knowingly, and not because they didn’t understand the implications of such a policy.

Founder Mark Zuckerberg was grilled about this, and many other things, during his testimony to the US Congress in 2018. He didn’t have answers of the lawmakers then, but his company submitted a few after the fact. With regard to the audio collection, Facebook said it “only accesses users’ microphone if the user have given our app permission and if they are actively using a specific feature that requires audio.”

Here’s a question for Facebook: if this is such an innocuous thing, to which users are voluntarily submitting, why discontinue it? Maybe because, as Bloomberg reports, “Facebook hasn’t disclosed to users that third parties may review their audio.”

It’s high time people initiated a mass boycott of Facebook. The company needs us far more than we need it.

MoviePass left thousands of user card numbers exposed in unprotected database

Data Management & Networks, Digital Systems Technology, General, Mobile Security

MoviePass, a subscription-only move ticket service, exposed tens of thousands of its users’ credit card information due to insufficient security of a server, TechCrunch reports. The exposed database, discovered by cybersecurity company SpiderSilk, reportedly contained 161 million records, many of which included credit card numbers and other private information. TechCrunch explains:

“These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.”

The tech publication examined a sample of 1,000 of the aforementioned records and found that more than half showed MoviePass debit card numbers, expiration dates, account balances and the time of activation. Also contained in the records were personal credit card numbers, including expiration date and billing information (names and addresses).

MoviePass has since closed the database, which was accessible for months. TechCruch says it reached out to MoviePass with a number of specific questions but that the company’s only response was the following generic statement:

“MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”

SpiderSilk’s Mossab Hussein, the researcher who first discovered the vulnerable database, told TechCrunch that there is no excuse for MoviePass’ negligence in this scenario, which is one we keep seeing played out over and over again across the digital world.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” he said. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext—let alone the fact that the data set was exposed for public access by anyone.”

Apple to suspend Siri ‘grading program’ that allows contractors to hear private user info

Artificial Intelligence, Big Data, Mobile Security

Recently the Guardian reported that, thanks to “Siri,” Apple contractors have access to private conversations and personal information. This includes medical information, criminal behavior and even the sound of people have sex.

According to the report:

“Although Apple does not explicitly disclose it in its consumer-facing privacy documentation, a small proportion of Siri recordings are passed on to contractors working for the company around the world. They are tasked with grading the responses on a variety of factors, including whether the activation of the voice assistant was deliberate or accidental, whether the query was something Siri could be expected to help with and whether Siri’s response was appropriate.”

In other words, whether Apple intended it or not, Siri serves as a covert surveillance tool. Apple stated for the record that the private data “is used to help Siri and dictation … understand you better and recognize what you say.” That, of course, doesn’t change the fact that Apple users’ most private information is being recorded and listened to by strangers.

Unsurprisingly, the Guardian story lit up the internet and Apple found itself defending a frankly indefensible policy. Seeing, owing to a significant backlash, that it is indeed indefensible, Apple has reportedly suspended the program.

“Apple says it will review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake,” TechCrunch reports. “In addition, it will be issuing a software update in the future that will let Siri users choose whether they participate in the grading process or not.”

I’m sure this update will transparently spell out what precisely the “grading process” entails so that users can make a truly informed decision. It definitely won’t be misleading or opaque at all, and there definitely won’t be any fine print …

Here’s the standard issue corporate mumbo jumbo from Apple:

“We are committed to delivering a great Siri experience while protecting user privacy. While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading.”

Talk to Siri at your own risk. Or, you know, use the keyboard.