October 8, 2019

Nationwide facial recognition ID program underway in France

By Lisa Vaas

France is creating – and speeding up the rollout of – a nationwide program using facial recognition to create legal digital identities for its citizens.

The program is called Alicem – an acronym for “certified online authentication on mobile”. It was developed jointly by the Ministry of the Interior and the National Security Title Agency (ANTS), which maintain that it’s going to a) simplify getting online services while b) fighting identity theft, c) keeping the biometric data safe on the phone, making it disappear after validating identity, and d) not letting third parties get at the data.

France had planned to launch the Android-only app by Christmas. But now, it’s greasing the wheels and plans to have it up and running in November 2019, Bloomberg reports.

Privacy watchdogs are not pleased

The country’s privacy regulator, CNIL, says the program breaches the EU’s rule of consent. Europe’s General Data Protection Regulation (GDPR) mandates free choice. Bloomberg spoke to Emilie Seruga-Cau, the head of law enforcement at CNIL, who said that the independent regulator has made its concerns “very clear.”

The publication, which was able to check out the app, reports that Alicem will be the only way for French citizens to create a legal digital ID, and facial recognition will be the only way to do it.

It will require that residents use an Android app to take one-time selfie videos that capture their expressions and movements at different angles, to compare with photos of themselves stored in their biometric passports.

Meanwhile, the French privacy rights group La Quadrature du Net (LQDN) has filed a lawsuit over the program in France’s highest administrative court.

Read more at https://nakedsecurity.sophos.com/2019/10/08/nationwide-facial-recognition-program-underway-in-france/

Facebook’s Libra cryptocurrency dealt blow by PayPal’s departure

By John E Dunn

Has PayPal just dealt a body blow to Facebook’s Libra cryptocurrency?

In emails sent to journalists last week, the company abruptly announced that it was leaving the Libra Association, the 28-strong organization of global companies and non-profits, including Facebook, set up to oversee its rollout.

Given that Libra was only announced in June, with a proposed launch in 2020, to the untrained eye this will look like an unexpected change of heart.

Adopting the principle of the less said the better, the company offered no explanation as to why it decided to bail from Libra so quickly, stating only that:

PayPal has made the decision to forgo further participation in the Libra association at this time and to continue to focus on advancing our existing mission and business priorities as we strive to democratize access to financial services for underserved populations.

But, of course:

We remain supportive of Libra’s aspirations and look forward to continued dialogue on ways to work together in the future.

While it’s true that Libra still has 27 backers, losing PayPal at this stage is a bit like discovering your quarterback has gone on vacation the night before the Super Bowl.

Adding to the instability is an unconfirmed report in The Wall Street Journal that two other founder members, MasterCard and Visa, might also be reconsidering their involvement.

Read more at https://nakedsecurity.sophos.com/2019/10/08/facebooks-libra-cryptocurrency-dealt-blow-by-paypals-departure/

Android devices hit by zero-day exploit Google thought it had patched

By John E Dunn

Google has admitted that some Android smartphones have recently become vulnerable to a serious zero-day exploit that the company thought it had patched for good almost two years ago.

The issue came to light recently when Google’s Threat Analysis Group (TAG) got wind that an exploit for an unknown flaw, attributed to the Israeli NSO Group, was being used in real-world attacks.

Digging deeper into the exploit’s behavior, Project Zero researcher Maddie Stone said she was able to connect it to a flaw in Android kernel versions 3.18, 4.14, 4.4, and 4.9 that was fixed in December 2017 without a CVE being assigned.

Somehow, that good work was undone in some later models – or never applied in the first place – leaving a list of vulnerable smartphones running Android 8.x, 9.x and the preview version of 10.

The flaw is now identified as CVE-2019-2215 and described as a:

Kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox.

The result? Full compromise of unpatched devices, probably served from a malicious website without the need for user interaction, in conjunction with one or more other exploits. It also requires that the attacker has installed a malicious app.

Read more at https://nakedsecurity.sophos.com/2019/10/07/android-devices-hit-by-zero-day-exploit-google-thought-it-had-patched/

Facebook urged by governments to halt end-to-end encryption plans

By Danny Bradbury

Tensions between Facebook and three governments escalated last week after the US, the UK, and Australia officially urged Facebook to halt its plans for end-to-end encryption.

The row concerned Facebook CEO Mark Zuckerberg’s publication of a privacy manifesto in March this year, in which he promised to extend the company’s end-to-end encryption work and introduce the technology into its core Facebook Messenger product.

A thorn in their sides

An online messaging service can encrypt your data in two ways. It can store the encryption key on the provider’s own servers, enabling law enforcement to subpoena it and unlock your messages. Alternatively, end-to-end encryption stores the key to a messaging session exclusively on the participating computers, meaning that the tech company has nothing to give the authorities. This means that even if law enforcement accesses a person’s messages, they wouldn’t be able to read the contents.

End-to-end encryption is a thorn in the side of governments who want to track criminals. On Friday, US Attorney General William Barr published an open letter to Zuckerberg, cosigned by UK Home Secretary Priti Patel, acting United States Secretary of Homeland Security Kevin McAleenan, and Australian Home Affairs Minister Peter Dutton. It laid out its demands clearly in the first paragraph:

We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.

Read more at https://nakedsecurity.sophos.com/2019/10/07/governments-urge-facebook-to-hit-pause-on-end-to-end-encryption/

Social media platforms can be forced to delete illegal content worldwide

By Lisa Vaas

Individual countries can order Facebook and similar content providers to take down posts, photos and videos worldwide, not just in their own countries, Europe’s top court said on Thursday.

Facebook can’t challenge this decision, which extends the EU’s internet-related laws beyond its own borders.

In Thursday’s decision, the EU Court of Justice said that platforms can be ordered to remove not just a copy of illegal content that somebody’s complained about. They can also be ordered to proactively seek out all identical copies of the content and scrub them too, rather than sitting back and waiting for every instance to be reported.

What it means: copies of defamatory or other illegal content that’s posted to secret places – private groups on Facebook, for example – can’t hide away from the scrub brush.

The ruling stemmed from a case filed in 2016. It involved a comment made on Facebook about an Austrian politician – Eva Glawischnig-Piesczek, former leader of the Austrian Green Party – that an Austrian court decreed was insulting and defamatory. As the New York Times reports, she sued the social network to expunge online comments that called her a “lousy traitor,” “corrupt oaf” and member of a “fascist party.”

Facebook initially refused to take down the post. Glawischnig-Piesczek started in Austrian courts, suing Facebook over the matter. After Austrian courts concluded that the comments were defamatory and reputation-damaging, Glawischnig-Piesczek demanded that Facebook erase the original comments worldwide, not just within the country, as well as posts with “equivalent” remarks.

She took the case up to the top EU court, the European Court of Justice.

Read more at https://nakedsecurity.sophos.com/2019/10/07/social-media-platforms-can-be-forced-to-delete-illegal-content-worldwide/

