Privacy

Facebook Is Considering Facial Recognition For Its Upcoming Smart Glasses (buzzfeednews.com) 67

Facebook is discussing building facial recognition into its upcoming smart glasses product and has been weighing the legal implications of the controversial technology, Buzzfeed News reported citing remarks from executives at an internal meeting Thursday. From a report: During a scheduled companywide meeting, Andrew Bosworth, Facebook's vice president of augmented and virtual reality, told employees that the company is currently assessing whether or not it has the legal capacity to offer facial recognition on devices that are reportedly set to launch later this year. Nothing had been decided, he said, and he noted that current state laws may make it impossible for Facebook to offer people the ability to search for others based on pictures of their face. "Face recognition ... might be the thorniest issue, where the benefits are so clear, and the risks are so clear, and we don't know where to balance those things," Bosworth said in response to an employee question about whether people would be able to "mark their faces as unsearchable" when smart glasses become a prevalent technology. The unnamed worker specifically highlighted fears about the potential for "real-world harm," including "stalkers."
Facebook

A New Browser Extension Blocks Any Websites that Use Google, Facebook, Microsoft, or Amazon (theverge.com) 111

The Economic Security Project is trying to make a point about big tech monopolies by releasing a browser plugin that will block any sites that reach out to IP addresses owned by Google, Facebook, Microsoft, or Amazon. From a report: The extension is called Big Tech Detective, and after using the internet with it for a day (or, more accurately, trying and failing to use), I'd say it drives home the point that it's almost impossible to avoid these companies on the modern web, even if you try. Currently, the app has to be side-loaded onto Chrome, and the Economic Security Project expects that will remain the case. It's also available to side-load onto Firefox. By default, it just keeps track of how many requests are sent, and to which companies. If you configure the extension to actually block websites, you'll see a big red popup if the website you're visiting sends a request to any of the four. That popup will also include a list of all the requests so you can get an idea of what's being asked for.
Businesses

Apple Has Bought Over 100 Companies Over the Past Six Years, Tim Cook Tells Investors (bloomberg.com) 44

Apple Chief Executive Officer Tim Cook fielded questions on mergers and acquisitions, the impact of Covid-19, and the company's supply chain during a virtual shareholder meeting on Tuesday. From a report: Narrating a slide show, Cook summarized many of the company's new products and initiatives announced over the past year. He spoke about the latest iPhones and the growing potential of the Apple Watch, while noting that the AirPods Max headphones have quickly become "hugely popular" with users. He also discussed Apple's efforts to combat the pandemic, climate change, and the San Francisco Bay Area housing crisis. During a question and answer session, Cook said Apple is on track to meet its environment goals, including becoming carbon neutral by 2030 and transitioning its products to using recycled materials. He also reiterated Apple's recent privacy changes, including an imminent plan to limit ad targeting on its devices. Cook said the company bought almost 100 smaller companies over the past six years and makes a deal about every three to four weeks. Asked about gender pay equity, the CEO said Apple pays men and women equally across the world and has stopped asking applicants about their salary history to help ensure equity.
Firefox

Firefox's Total Cookie Protection Aims To Stop Tracking Between Multiple Sites (engadget.com) 65

As part of its war on web tracking, Mozilla is adding a new tool to Firefox aimed at stopping cookies from keeping tabs on you across multiple sites. From a report: The "Total Cookie Protection" feature is included in the web browser's latest release -- alongside multiple picture-in-picture views -- and essentially works by keeping cookies isolated between each site you visit. Or, in Mozilla's words: "By creating a separate cookie jar for every website." Firefox's new feature pairs with last month's network partitioning tool, which works by splitting the Firefox browser cache on a per-website basis to prevent tracking across the web, itself targeted at blocking more stubborn "supercookies." According to Mozilla, these types of cookies are more difficult to delete and block as they are stored in obscure parts of the browser, including in Flash storage, ETags, and HSTS flags. Both tools are available as part of Firefox's enhanced tracking protection suite in "strict mode" on desktop and Android.
Google

Google Finally Adds iOS Privacy Labels To Gmail (macrumors.com) 10

Google today quietly added App Privacy labels to its Gmail app, marking the first of its major apps to receive the privacy details aside from YouTube. From a report: Though App Privacy information has been added to Gmail, Google has done so server side and has yet to issue an update to the Gmail app. It has been two months since the Gmail app last saw an update. Earlier in February, the Gmail app was displaying warnings about the app being out of date as it has been so long since new security features were added, but Google eliminated that messaging without pushing an update to the app. Apple has been enforcing App Privacy labels since December, and Google has been slow to support the feature. Google said in early January that it would add privacy data to its app catalog "this week or next week," but by January 20, most apps still had not been updated with the App Privacy. Google has since been adding App Privacy labels to apps like YouTube and some of its smaller apps, but of major apps like Google Search, Google Photos, and Google Maps, Gmail is the first to get the new labeling.
Privacy

Clubhouse Chats Are Breached, Raising Concerns Over Security (bloomberg.com) 19

A week after popular audio chatroom app Clubhouse said it was taking steps to ensure user data couldn't be stolen by malicious hackers or spies, at least one attacker has proven the platform's live audio can be siphoned. From a report: An unidentified user was able to stream Clubhouse audio feeds this weekend from "multiple rooms" into their own third-party website, said Reema Bahnasy, a spokeswoman for Clubhouse. While the company says it's "permanently banned" that particular user and installed new "safeguards" to prevent a repeat, researchers contend the platform may not be in a position to make such promises. Users of the invitation-only iOS app should assume all conversations are being recorded, the Stanford Internet Observatory, which was first to publicly raise security concerns on Feb. 13, said late Sunday. "Clubhouse cannot provide any privacy promises for conversations held anywhere around the world," said Alex Stamos, director of the SIO and Facebook's former security chief. Stamos and his team were also able to confirm that Clubhouse relies on a Shanghai-based startup called Agora to handle much of its back-end operations. While Clubhouse is responsible for its user experience, like adding new friends and finding rooms, the platform relies on the Chinese company to process its data traffic and audio production, he said.
IOS

Apple Is Going To Make It Harder to Hack iPhones With Zero-Click Attacks 60

Apple is going to make one of the most powerful types of attacks on iPhones much harder to pull off in an upcoming update of iOS. From a report: The company quietly made a new change in the way it secures the code running in its mobile operating system. The change is in the beta version of the next iOS version, 14.5, meaning it is currently slated to be added to the final release. Several security researchers who specialize in finding vulnerabilities in and crafting exploits for iOS believe this new mitigation will make it much harder for hackers to take control of an iPhone with a technique known as a zero-click (or 0-click) exploit, which allows a hacker to take over an iPhone with no interaction from the target. Apple also told Motherboard it believes the changes will impact 0-click attacks.

"It will definitely make 0-clicks harder. Sandbox escapes too. Significantly harder," a source who develops exploits for government customers told Motherboard, referring to "sandboxes" which isolate applications from each other in an attempt to stop code from one program interacting with the wider operating system. Motherboard granted multiple exploit developers anonymity to speak more candidly about sensitive industry issues. Like the name suggests, zero-click attacks allow hackers to break into a target without needing the victim to interact with anything, such as a malicious phishing link. This means that the attack is generally harder for the targeted user to detect. These are generally very sophisticated attacks. These attacks may now become much rarer, according to several security researchers who look for vulnerabilities in iOS.
Australia

Facebook, Google, Microsoft, Twitter Agree to Australia's Misinformation-Fighting Code (zdnet.com) 164

ZDNet reports: A handful of technology giants operating in Australia have agreed on a code of practice that aims to stem disinformation on their respective platforms. All signatories — Facebook, Google, Microsoft, Redbubble, TikTok, and Twitter — have committed to the Australian Code of Practice on Disinformation and Misinformation. They have also committed to releasing an annual transparency report about their efforts under the code...

[The Code] provides seven guiding principles, with the first aimed at protecting freedom of expression. "Signatories should not be compelled by governments or other parties to remove content solely on the basis of its alleged falsity if the content would not otherwise be unlawful," the code said. Another is centred on protecting user privacy and notes that any actions taken by digital platforms to address the propagation of disinformation and misinformation should not contravene commitments they have made to respect the privacy of Australian users...

"Empowering users" is another principle, that is to enable users to make informed choices about digital media content that purports to be a source of authoritative current news or of factual information. Signatories also committed to supporting independent researchers and having policies and processes concerning advertising placements implemented.

Privacy

Spy Pixels In Emails Have Become Endemic (bbc.com) 217

AmiMoJo writes: The use of "invisible" tracking tech in emails is now "endemic", according to a messaging service that analysed its traffic at the BBC's request. Hey's review indicated that two-thirds of emails sent to its users' personal accounts contained a "spy pixel", even after excluding for spam. Its makers said that many of the largest brands used email pixels, with the exception of the "big tech" firms. Defenders of the trackers say they are a commonplace marketing tactic. And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies. Email pixels can be used to log: if and when an email is opened, how many times it is opened, what device or devices are involved, the user's rough physical location, deduced from their internet protocol (IP) address - in some cases making it possible to see the street the recipient is on.

This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles. Hey's co-founder David Heinemeier Hansson says they amount to a "grotesque invasion of privacy". And other experts have also questioned whether companies are being as transparent as required under law about their use.

Businesses

Apple Wins Victory as North Dakota Votes Down Bill That Would Regulate App Stores (cnbc.com) 92

The North Dakota state senate voted 36-11 on Tuesday not to pass a bill that would have required app stores to enable software developers to use their own payment processing software and avoid fees charged by Apple and Google. From a report: The vote is a victory for Apple, which says that the App Store is a core part of its product and that its tight control over its rules keeps iPhone users safe from malware and scams. North Dakota's bill is the first major U.S. state-level legislation to address the Apple and Google app stores, which take fees from app store sales up to 30%, including in-app purchases of digital items. If the state senate had passed it, it would still have been debated and voted on in the North Dakota house. The North Dakota bill targeted Apple's fees by requiring companies that make more than $10 million per year in the state through app stores -- essentially, just Apple and Google -- to offer alternative payment processors for purchases through the app store, allowing developers to avoid Apple or Google's cut. It would only apply to companies based in North Dakota. Further reading, from last week: Apple Privacy Chief: North Dakota Bill 'Threatens To Destroy the iPhone As You Know It'

Epic CEO Tim Sweeney said: "The Coalition for App Fairness organized the outreach, lobbying, and developer participation. Can't take credit for it, but Epic is proud to be a part of it!"
EU

TikTok Hit With Consumer, Child Safety and Privacy Complaints in Europe (techcrunch.com) 30

TikTok is facing a fresh round of regulatory complaints in Europe where consumer protection groups have filed a series of coordinated complaints alleging multiple breaches of EU law. From a report: The European Consumer Organisation (BEUC) has lodged a complaint against the video sharing site with the European Commission and the bloc's network of consumer protection authorities, while consumer organisations in 15 countries have alerted their national authorities and urged them to investigate the social media giant's conduct, BEUC said today. The complaints include claims of unfair terms, including in relation to copyright and TikTok's virtual currency; concerns around the type of content children are being exposed to on the platform; and accusations of misleading data processing and privacy practices. Details of the alleged breaches are set out in two reports associated with the complaints: One covering issues with TikTok's approach to consumer protection, and another focused on data protection and privacy.
Social Networks

After Researchers Raise Spying Concerns, Clubhouse Promises Blocks on Transmitting to Chinese Servers (theverge.com) 31

"The developers of audio chat room app Clubhouse plan to add additional encryption to prevent it from transmitting pings to servers in China," reports The Verge, "after Stanford researchers said they found vulnerabilities in its infrastructure." In a new report, the Stanford Internet Observatory (SIO) said it confirmed that Shanghai-based company Agora Inc., which makes real-time engagement software, "supplies back-end infrastructure to the Clubhouse App." The SIO further discovered that users' unique Clubhouse ID numbers — not usernames — and chatroom IDs are transmitted in plaintext, which would likely give Agora access to raw Clubhouse audio. So anyone observing internet traffic could match the IDs on shared chatrooms to see who's talking to each other, the SIO tweeted, noting "For mainland Chinese users, this is troubling."

The SIO researchers said they found metadata from a Clubhouse room "being relayed to servers we believe to be hosted in" the People's Republic of China, and found that audio was being sent "to servers managed by Chinese entities and distributed around the world." Since Agora is a Chinese company, it would be legally required to assist the Chinese government locate and store audio messages if authorities there said the messages posed a national security threat, the researchers surmised...

The company told SIO that it was going to roll out changes "to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers" and said it would hire an external security firm to review and validate the updates.

Businesses

Why Some Amazon Delivery Drivers Hate Its Safety Monitoring App (mashable.com) 63

Amazon is using AI cameras to monitor drivers of its delivery vans for safety issues — but also a second driver safety app on their phones.

Though it's named Mentor, Mashable reports that "it doesn't seem to be helping..." CNBC talked to drivers who said the app mostly invades their privacy or miscalculates dangerous driving behavior. One driver said even though he didn't answer a ringing phone, the app docked points for using a phone while driving. Another worker was flagged for distracted driving at every delivery stop she made.

The incorrect tracking has real consequences, ranging from restricted payouts and bonuses to job loss. The app gives a safety score which is used to rank drivers and compare them to colleagues.

The App Store description calls this "a little friendly competition!"

CNBC reports that one driver even created a YouTube video showing how Amazon's delivery van drivers could appease the app: by wrapping their cellphone in a sweater and then shoving it in their glovebox.

Otherwise, "If your device moves at all, it's going to count against you."
Social Networks

Clubhouse Criticized Over User Privacy Policies (vox.com) 25

How does the trendy new audio-chatroom app Clubhouse handle user privacy? Recode reports: What if you didn't give Clubhouse access to your contacts, specifically because you didn't want all or any of them to know you were there? I regret to inform you that Clubhouse has made it possible for them to know anyway, encourages them to follow you, and there isn't much you can do about it. When I joined, I didn't give Clubhouse access to my contacts; as has been my policy since childhood, only I may decide who enters my clubhouse. Nevertheless, a few minutes later, I had a bunch of followers from my contacts. Even worse: I got followers who weren't in my contacts at all — but I was in theirs.

It turns out that your privacy on Clubhouse depends not just on what you do but also on what those who have your information in their contacts do. For now, you can only get invited to Clubhouse through your phone number, which is attached to your account and can't be removed. So if someone has your phone number in their contacts, and they've given Clubhouse access to those contacts, they'll get a notification when you join the app and a recommendation to follow you...

It's not clear why Clubhouse doesn't have better options for users to manage their privacy or more information for users about how their data might be used or linked to them. The company is reportedly operating with a small staff, but it also has millions of users and millions of dollars worth of funding from major Silicon Valley venture capital firms, including Andreessen Horowitz, and a valuation of $1 billion. It's not the first well-funded social media app to push the boundaries of data privacy. But you'd at least think Clubhouse would have learned from the unicorns that came before it.

Facebook

'We Need to Inflict Pain': Mark Zuckerberg's War on Apple (morningstar.com) 153

When Tim Cook told an interviewer that Apple wouldn't get in a Facebook-style data-collection controversy, "Mr. Zuckerberg shot back that Mr. Cook's comments were 'extremely glib' and 'not at all aligned with the truth,'" reports the Wall Street Journal.

But "In private, Mr. Zuckerberg was even harsher. 'We need to inflict pain,' he told his team, for treating the company so poorly, according to people familiar with the exchange." It wasn't the first time — or the last — that Mr. Cook's comments and actions would leave Mr. Zuckerberg seething and, at times, plotting to get back at Apple...

Apple has positioned itself as the protector of digital privacy, upholding a greater good, while often leveling criticisms at Facebook's business model — without naming the company. All of that grates on Facebook, which sees Apple as overreaching in a way that threatens Facebook's existence, and hypocritical, including by doing extensive business in China where privacy is scarce. A 2017 attempt to address tensions through a face-to-face meeting between the two CEOs resulted in a tense standoff.

The trigger last month was a new privacy tool the iPhone maker plans to roll out that will further restrict Facebook's ability to collect data. Mr. Zuckerberg accused Apple on an earnings call of using its platform to interfere with how Facebook apps work. Mr. Cook, without naming Facebook, delivered an online speech condemning "conspiracy theories juiced by algorithms" — a jab that came just days after the Capitol riot.

At stake is how the internet will evolve and which companies will dominate it. Facebook and Apple's visions are diverging and increasingly incompatible. Facebook wants to capture and monetize eyeballs on every possible device and platform. Apple wants to draw users to its own hardware-centric universe, partly by marketing itself as a privacy-focused company. The outcome of the battle could affect what kinds of information users see when they browse the internet.

The war of words and ideas will ultimately play out in court, regulatory agencies and user decisions as both companies defend themselves against antitrust investigations. The potential regulatory settlements and legal decisions are likely to affect hundreds of millions of consumers' phones in coming years.

The Journal describes Zuckerberg as "a hacker-turned-Harvard-dropout who once touted the end of privacy as a social norm," and notes that Facebook assisted Epic in its lawsuit against Apple with supporting materials and documents, and "placed full-page ads on the matter in several newspapers, including the Journal. 'We're standing up to Apple for small businesses everywhere,' the ads said...."

"Some people familiar with Mr. Zuckerberg's thinking said he has taken Apple's broadsides personally, running the risk of distracting him at a time when Facebook is fighting many other battles in the U.S. and abroad over antitrust and content moderation..."

"Privately, he and other Facebook employees have been waging a campaign against Apple, asserting in meetings and communications with government officials, antitrust regulators and advertisers that the company is abusing its power and deserves more regulatory scrutiny, according to people familiar with the matter."
Privacy

Yandex Said It Caught an Employee Selling Access To Users' Inboxes (zdnet.com) 35

An anonymous reader quotes a report from ZDNet: Russian search engine and email provider Yandex said today that it caught one of its employees selling access to user email accounts for personal gains. The company, which did not disclose the employee's name, said the person was "one of three system administrators with the necessary access rights to provide technical support" for its Yandex.Mail service. The Russian company said it's now in the process of notifying the owners of the 4,887 mailboxes that were compromised and to which the employee sold access to third-parties. Yandex officials also said they re-secured the compromised accounts and blocked what appeared to be unauthorized logins. They are now asking impacted account owners to change their passwords. It also said that there was no evidence to suggest that user payment data was accessed during the recent incident.
IOS

Apple Will Proxy Safe Browsing Traffic on iOS 14.5 To Hide User IPs from Google (zdnet.com) 97

Apple's upcoming iOS 14.5 release will ship with a feature that will re-route all Safari's Safe Browsing traffic through Apple-controlled proxy servers as a workaround to preserve user privacy and prevent Google from learning the IP addresses of iOS users. From a report: The new feature will work only when users activate the "Fraudulent Website Warning" option in the iOS Safari app settings. This enables support for Google's Safe Browsing technology in Safari. The Safe Browsing technology works by taking a URL the user is trying to access, sending the URL in an anonymized state to Google's Safe Browsing servers, where Google accesses the site and scans for threats. If malware, phishing forms, or other threats are found on the site, Google tells the user's Safari browser to block access to the site and show a fullscreen red warning. While years ago, when Google launched the Safe Browsing API, the company knew what sites a user was accessing; in recent years, Google has taken several steps to anonymize data sent from users' devices via the Safe Browsing feature. But while Google has anonymized URL strings, by sending the link in a cropped and hashed state, Google still sees the IP address from where a Safe Browsing check comes through. Apple's new feature basically takes all these Safe Browsing checks and passes them through an Apple-owned proxy server, making all requests appear as coming from the same IP address.
Privacy

Germany To Let Citizens Store ID Cards On Smartphone (apnews.com) 95

Germany says its citizens will be able to use smartphones to store their government-issued ID cards and prove their identity online. The Associated Press reports: The Interior Ministry said Wednesday that from this fall, citizens will be able to use the electronic ID stored in their smartphones together with a PIN number to prove they are who they claim to be when communicating with authorities or private businesses. Separately, the ministry said the Cabinet has agreed on a bill that will make government-generated data openly available to businesses and private individuals where possible, to spur the development of new applications.

Germans are frequently required to present credit card-sized cards featuring their photo and personal details, such as when applying for benefits, opening bank accounts or registering a vehicle. While there are already ways of doing this online, the physical card and a card reader are currently required.

Iphone

Google's Fi VPN Is Coming To iPhones Soon (zdnet.com) 13

An anonymous reader quotes a report from ZDNet: Google is rolling out its virtual private network (VPN) service for subscribers of its Fi network that should help people when they're using online services on public Wi-Fi. "We plan to roll out the VPN to iPhone starting this spring," Google notes. Google is also bringing its privacy and security hub to Android devices, offering users a shortcut to features available to Android users, such as its VPN.

Finally, Fi users can expect free spam call warnings and blocking to stop identified robocalls and scams and the company is stepping up its game to protect users from SIM swapping scams. "Your Fi number is tied to your Google Account and comes with security features that protect your phone number from threats like SIM swaps -- that's when bad actors try to take someone's phone number and assign it to another SIM card without their consent," Google said. "On Fi, you receive extra layers of protection by default, including a robust account recovery process and notifications for suspicious activity. You can also enable 2-step verification for more protection."

Iphone

Apple Privacy Chief: North Dakota Bill 'Threatens To Destroy the iPhone As You Know It' (macrumors.com) 321

The North Dakota Senate recently introduced a new bill that would prevent Apple and Google from requiring developers to use their respective app stores and payment methods, paving the way for alternative app store options.

In response, Apple Chief Privacy Engineer Erik Neuenschwander said that it "threatens to destroy the iPhone as you know it" by requiring changes that would "undermine the privacy, security, safety, and performance" of the iPhone. Neuenschwander said that Apple "works hard" to keep bad apps from the App Store, and North Dakota's bill would "require us to let them in." MacRumors reports: According to Senator Kyle Davison, who introduced Senate Bill 2333 yesterday, the legislation is designed to "level the playing field" for app developers in North Dakota and shield customers from "devastating, monopolistic fees imposed by big tech companies," which refers to the cut that Apple and Google take from developers. Specifically, the bill would prevent Apple from requiring a developer to use a digital application distribution platform as the exclusive mode of distributing a digital product, and it would keep the company from requiring developers to use in-app purchases as the exclusive mode of accepting payment from a user. There's also wording preventing Apple from retaliating against developers who choose alternate distribution and payment methods.

Apple does not allow apps to be installed on iOS devices outside of the "App Store" and there are no alternate app store options that are available. Apple reviews every app that is made available for its customers to download, something that would not happen with a third-party app store option. Apple also does not let app developers accept payments through methods other than in-app purchase except in select situations, a policy that has led to Apple's legal fight with Epic Games.

No federal legislation has been introduced as of yet, and the North Dakota Senate committee did not take action on the bill. Senator Jerry Klein said that there's "still some mulling to be done" in reference to the bill.
