Facebook shines a little light on ‘shadow profiles’

By John E Dunn

Mark Zuckerberg, CEO of supposed surveillance titan Facebook, has apparently never heard of shadow profiles.

Of all the things learned during Zuckerberg’s questioning by a succession of politicians in Congress this week, for privacy campaigners this was one of the most unexpected.

We have Congressman Ben Luján to thank for a discovery that might come to hang around Zuckerberg as he battles to save his company’s image.

After asking Zuckerberg about the company’s practice of profiling people who had never signed up for the service, said Luján:

So, these are called shadow profiles – is that what they’ve been referred to by some?

Replied Zuckerberg:

Congressman, I’m not, I’m not familiar with that.

For anyone unsure of its meaning, shadow profiles are the data Facebook collects on people who don’t have Facebook accounts.

Zuckerberg’s ignorance was presumably limited to the term and its usage rather than the concept itself, since Facebook offers non-members the ability to request their personal data.

It seems that all web users are of interest to Facebook for security and advertising.

During the exchange Zuckerberg explained that Facebook needs to know when two or more visits come from the same non-user in order to prevent scraping:

…in general, we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to … we need to know when someone is repeatedly trying to access our services

A little later he implied that non-users are also subject to data gathering for targeted advertising:

Anyone can turn off and opt out of any data collection for ads, whether they use our services or not

You can opt of targeted advertising by Facebook and a plethora of other advertisers using the Digital Advertising Alliance’s Consumer Choice Tool or by blocking tracking cookies with browser plugins.

Read more at https://nakedsecurity.sophos.com/2018/04/13/facebook-shines-a-little-light-on-shadow-profiles/

Fake Hillary porn just the tip of Russia’s Reddit penetration

By Lisa Vaas

A fake porn video that claimed to show Hillary Clinton engaging in a sex act has been traced back to a Reddit account which the platform acknowledged on Tuesday is linked to a Russian troll farm.

The account, u/rubinjer, was banned but is being kept up for the time being for purposes of transparency, Reddit said. The account was used to post pro-Trump, racially divisive, anti-Clinton messages.

The fake porno was titled “This is How Hillary gets black votes.” It linked to an animated gif that NBC News said was still available on the platform as of Tuesday. Links to the video and gif have now been deleted, according to the BBC.

NBC News said that the same faux gif was posted five times to PornHub under the name “Leaked Hillary Clinton’s Hotel Sex Tape with Black Guy,” and also onto the porn site SpankBang.

NBC News reports that it had been viewed more than 250,000 times on PornHub.

Read more at https://nakedsecurity.sophos.com/2018/04/13/fake-hilary-porn-just-the-tip-of-russias-reddit-penetration/

Interview: Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society

By Maria Varmazis

This article is an interview with Sarah Jamie Lewis, Executive Director of the Open Privacy Research Society, a new privacy advocacy and research non-profit based in Vancouver, Canada.

Its goal is to make it easier for people, especially marginalized groups (including LGBT persons), to protect their privacy and anonymity online by helping app and technology firms more easily build privacy-by-default services via open source software that they’re spearheading.

We asked Sarah a few questions about the Open Privacy Research Society and the state of privacy in tech in general, and have reprinted her responses in full below.

What was the impetus for this project?

Last year I published a book, Queer Privacy, it’s a collection of essays written by people in queer and trans communities. While all the essays were ostensibly about technology, they cover broad topics like coming out, dating, sex work, intimate partner violence and even death and media representation.

It was a hard project to work on, but my goal was to finally start documenting how modern technology fails to protect the privacy, or uphold the consent of, marginalized people.

I’m not a fan of simply documenting though, and it’s no coincidence that Open Privacy emerged roughly a year after I finished the first cut of Queer Privacy.

I have had a year to sit and think about the kinds of technology we need to build, as well as the kind of organization we need to ensure that technology exists. And I’ve also had a year to find some amazing people to work with me and help guide that.

Read more at https://nakedsecurity.sophos.com/2018/04/13/interview-sarah-jamie-lewis-executive-director-of-the-open-privacy-research-society/

Instagram bends to GDPR – a “download everything” tool is coming

By Lisa Vaas

Following criticism about lack of data portability – unlike parent Facebook, it doesn’t have a Download Your Data tool – Instagram now says it’s building a tool to let users download everything they’ve ever shared.

Everything, as in everything? We’re still waiting to hear details.

An Instagram spokesperson told TechCrunch that the new tool – available “soon” – will enable users to download a copy of their photos, videos and messages. What’s not clear yet is if the tool will also enable users to export following and follower lists, Likes, comments, Stories, and the captions they put onto posts.

Nor was it clear what quality the downloadable photos and videos will have: will they export with the high resolution that they’re uploaded or displayed in, or will they come through compressed?

Hang tight, Instagram told TechCrunch: more details are coming soon.

We’ll share more details very soon when we actually launch the tool. But at a high level it allows you to download and export what you have shared on Instagram.

If the tool launches by 25 May, it will help Instagram to comply with the European Union’s upcoming General Data Protection Regulation (GDPR) privacy law, which requires data portability.

The new law requires that individuals be able to demand deletion of data, to opt out of future data collection, to view what personal data a company holds, and to download that data in a format that they can move to competitors.

Read more at https://nakedsecurity.sophos.com/2018/04/13/instagram-bends-to-gdpr-a-download-everything-tool-is-coming/

The ransomware that says, “I don’t want money” – play a violent game instead!

By Paul Ducklin

Not all ransomware is made equal.

To be clear, we’re not for a moment suggesting that any form of ransomware is technically, ethically, morally or legally acceptable.

After all, ransomware is guilty of unauthorized access as soon as it reads your files, and of the more serious crime of unauthorized modification as soon as it overwrites them.

Worse still, most ransomware follows up those offences with the yet more odious crime of demanding money with menaces – what is known on the street as blackmail, extortion, standover, or plain old criminal b*****dry.

But it’s Friday the Thirteenth today, historically the “day of madness” for computer virus writers, so we thought we’d feature a recent ransomware sample with an unusual twist.

This one explicitly and unusually says, “I don’t want money.”

Instead, the PUBG Ransomware has a weirder aim: to get you to play a recently-released online game called PLAYERUNKNOWN’s Battleground, or PUBG for short.

Read more at https://nakedsecurity.sophos.com/2018/04/13/the-ransomware-that-says-i-dont-want-money-play-a-violent-game-instead/