Recent Articles

22 Nov

Google admits tracking users’ location even when location services are disabled

Big Brother is watching you. Even if you’ve told Big Brother Google you don’t want to be tracked.

Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

When confronted, Google claimed that the tracking was happening in part to improve message delivery, which Quartz rightly deemed to be a completely bogus explanation.

It is not clear how cell-tower addresses, transmitted as a data string that identifies a specific cell tower, could have been used to improve message delivery. But the privacy implications of the covert location-sharing practice are plain. While information about a single cell tower can only offer an approximation of where a mobile device actually is, multiple towers can be used to triangulate its location to within about a quarter-mile radius, or to a more exact pinpoint in urban areas, where cell towers are closer together.

The practice is troubling for people who’d prefer they weren’t tracked, especially for those such as law-enforcement officials or victims of domestic abuse who turn off location services thinking they’re fully concealing their whereabouts. Although the data sent to Google is encrypted, it could potentially be sent to a third party if the phone had been compromised with spyware or other methods of hacking. Each phone has a unique ID number, with which the location data can be associated.

Read the whole thing.

1 Nov

Google’s reCaptcha defeated again

NakedSecurity reports:

Researchers have created an automated system to solve Google’s reCAPTCHA auditory challenges.

Again.

Poor, poor prove-you’re-a-human reCAPTCHA tests – also known as Completely Automated Procedures for Telling Computers and Humans Apart – they get no respect!

The point of reCAPTCHA challenges is to act as a gate that lets humans through but stops or slows down bots (software robots), so a bot that can solve a CAPTCHA automatically defeats the whole object of reCAPTCHA. And yet, that’s precisely what keeps happening. There are three kinds, and they’ve all been automatically kicked over by researchers.

reCAPTCHA tests aren’t much of a hurdle for sophisticated spammers, but they definitely inconvenience and annoy users. Yet they are in widespread use all over the place. Time to get rid of them and replace them with something better.

17 Oct

Journalist’s Home Mini review unit was sending Google a recording of every sound it picked up

This journalist’s experience with a Google Home Mini is being called a glitch, or malfunction.

But let’s face it: these “smart home” devices are DESIGNED to perform 24/7 audio surveillance. And a user has no way of knowing when the device is “phoning home” without checking the logs. Anyone who installs one of these stupid things is signing up for the possibility of being surveilled, accidentally or intentionally by a hostile party, without knowing it.

The privacy glitch that befell Google’s new £49 ($49) Home Mini speaker last week was small but, critics might suggest, still revealing.

The trouble started when journalist Artem Russakovskii, who had been given a review unit at the launch event on 4 October, noticed that the Mini kept turning itself on even when not commanded to.

Deciding to search for clues in the device’s logs, he got a shock:

I opened it up, and my jaw dropped. I saw thousands of items, each with a Play button and a timestamp.

The Mini, it seemed, had recorded and uploaded to Google every sound detected in its vicinity for a two-day period, which seemed to be every sound no matter how inconsequential. It even activated after a simple knock on the wall.

This behaviour could be disabled and recordings deleted but only at the expense of harming the system’s future voice recognition accuracy.

If you value your privacy, don’t install a so-called smart speaker in your home, whether made by Google, Amazon, Apple, or any other company. It’s not worth it. The fact that microphones and cameras are standard in laptops, tablets, and smartphones and can be remotely hijacked is problematic enough.

4 Oct

Big Brother Google unveils Clips, a $249 semi-autonomous recording device

Yikes:

Google has just announced Google Clips, a new hands-free camera that takes photos for you. Instead of having to pull yourself out of special moments to shoot photos and videos, Clips will capture moments so you can be in them.

Software is at the core of the camera, meaning Clips can be made smarter and more powerful over time as Google continues to push out new updates.

Clips can capture a 130-degree field of view at 15 frames per second. Each motion photo moment captured by Clips lasts several seconds and is called a “clip,” and they can be browsed using your Pixel phone. No audio is recorded. Each clip can be saved as a motion photo, or you can select a single frame from the motion to save as an auto-enhanced, high-resolution photo.

On the front of Clips is a button for capturing photos manually. With a tiny form factor, Clips is designed to be clipped to “almost anything” or set down to document things remotely.

Clips has facial learning features — the more it sees a person, the more it learns to capture more clips of that individual. It also learns to recognize pets like cats and dogs.

Google engineers have laughably attempted to address the privacy implications of their Orwellian creation by giving it an offline mode. In other words, they’re telling potential buyers you don’t need to connect it to the Internet to use it. But of course, you’ll be encouraged to do so — the device has been designed for semi-autonomous recording and the presumption is people will want to share moments they’ve recorded.

There’s also an indicator light — which is a standard feature of webcams.

Commenters at PetaPixel are rightly skeptical. Writes one:

This is not about memories. How many people actually have time to go back and relive the unbelievable amount of memories that would build up? This is about Google’s AI learning and growing. This is about amassing algorithms to make their AI smarter. Simply put, this is getting scary. A record of intimate moments kept on Google servers. But like you, I guess I have already given up freedoms because of my Google phones and tablets. What have I done?

Says another:

As if Google didn’t know enough of our lives yet….

And another:

I don’t like it… We’re getting into some real Orwellian #$%& here. Always listening microphones, bed facing cameras and 24/7 recording body cams… I don’t want any of this stuff, having a phone is bad enough.

Save your $250 and pass on Google Clips, another unnecessary invention the world doesn’t need.

3 Oct

Naked Security breaks down the Google tracking feature you didn’t know you’d switched on

This is a must-read:

Using GPS, Wi-Fi and cell tower data, Google’s Your Timeline can paint a very accurate picture of your daily life. If you’ve got it switched on, it stores every step you take and everywhere you go.

And the thing is, lots of people seem to have it switched on without even realising, including me, and my favourite hats come in tinfoil.

I was surprised it had slipped past me so I started asking other people if they had it switched on too. More often than not, without making a conscious decision to let Google follow them around, they had.

In the end I decided to ask 20 people at random and write down the answers. The result of my short, non-scientific survey? 95% of the people I asked – a mixture of people in technical and non-technical roles – had location history, or its slightly less obnoxious iPhone equivalent Frequent Locations, turned on, tracking their every step, without realising.

Check for yourself. On Android it’s under Settings > Location > Google Location History.

So what exactly is Google Timeline? Google says: “Your timeline in Google Maps helps you find the places you’ve been and the routes you’ve travelled. Your timeline is private, so only you can see it.”

Only you. And Google.

Read the whole thing. The WHOLE THING.

This could be the best post Naked Security has ever published.

Well done, Sophos, and thanks for helping more people understand how to liberate themselves from having their every move tracked by the Monster of Mountain View.

30 Sep

Did Russia exploit Google’s offerings to meddle in the 2016 United States presidential election?

An investigation is underway:

Google is examining what role its services could have played in Russian interference during the 2016 US presidential election, according to a report published Friday by The Wall Street Journal.

The search giant joins its rivals Facebook and Twitter in their own probes, as they try to figure out how Russian agents could have misused their advertising platforms, among other services, to meddle in the campaign.

“We will of course cooperate with inquiries,” a Google spokesperson said. “We’re looking into how we can help with any relevant information.”

But will the results be made publicly available? Facebook has been less than forthcoming about what its probes have turned up.

28 Sep

AlterNet: Google is a “monopoly on steroids”

The venerable progressive news outlet AlterNet has published an editorial making the case that it has gotten swept up in Google’s crackdown on “fake news”:

The New Media Monopoly Is Hurting Progressive and Independent News

The story is about monopoly on steroids. It is about the extreme and unconstrained power of Google and Facebook, and how they are affecting what you read, hear and see. It is about how these two companies are undermining progressive news sources, including AlterNet.

In June, Google announced major changes in its algorithm designed to combat fake news. Ben Gomes, the company’s vice president for engineering, stated in April that Google’s update of its search engine would block access to “offensive” sites, while working to surface more “authoritative content.”

This seemed like a good idea. Fighting fake news, which Trump often uses to advance his interests and rally his supporters, is an important goal that AlterNet shares.

But little did we know that Google had decided, perhaps with bad advice or wrong-headed thinking, that media like AlterNet—dedicated to fighting white supremacy, misogyny, racism, Donald Trump, and fake news—would be clobbered by Google in its clumsy attempt to address hate speech and fake news.

Read the whole thing.

18 Sep

Malware still lurking in the Google Play mobile app store

Embarrassing:

It seems almost too ironic that the Google Play Store has been secretly invaded by even more malware after it has promoted its Google Play Protect security platform for Android. Boasting of technologies like machine learning and artificial intelligence, Play Protect promises to protect Android users more thoroughly without having to increase manpower. Alas, it seems that another malware, named ExpensiveWall, has gotten past the Play Store’s security and this lapse is costing users a lot more than just peace of mind but actual money as well.

Check Point, the cybersecurity firm who reported this latest news, says that ExpensiveWall, named after one of its carriers, “Lovely Wallpaper”, is actually a new variant of another malware discovered earlier this year. Both types of malware are costing users money by silently signing them up for premium subscriptions or sending premium SMS. Both strains have also made it past Google’s security checks and have been downloaded thousands of times by users.

SlashGear, which posted the report excerpted above, says Google needs to step up its security game. Duh. Supposedly, that’s what they were doing when they launched “Play Protect”. But obviously, they failed.

Anyone who wants a secure mobile platform should invest in a BlackBerry device — and preferably one that runs the secure BlackBerry 10 operating system — to keep their data and networks secure.

14 Sep

Lawsuit alleges Google is a discriminatory place to work

Kudos to the plaintiffs for bringing this suit:

Google systematically pays women less than men doing similar work, according to a class-action lawsuit accusing the technology company of denying promotions and career opportunities to qualified women who are “segregated” into lower-paying jobs.

The complaint, filed Thursday on behalf of all women employed by Google in California over the last four years, provided the most detailed formal accounts to date of gender discrimination and pay disparities at the company after months of criticisms and a growing chorus of women publicly speaking out.

“We’ve been talking about these issues for a long time, and it hasn’t really changed,” Kelly Ellis, a former Google employee and a lead plaintiff on the case, told the Guardian in her first interview about the suit. “There’s been a lot of PR and lip service, but … this is going to be one of the only ways to get these companies to change how they hire and compensate women.”

Any effort to hold the Monster of Mountain View accountable for its bad business practices is an effort we support. For a company with a motto of “do no evil”, Google sure does a lot of evil things.

11 Sep

Google releases new version of Chrome that incorporates a technology called “WebUSB”

USB, or Universal Serial Bus, is already a technology that has a lot of security problems. Now Google is rushing to put into its increasingly dominant web browser (Chrome) a technology that allows websites to interface with USB devices via JavaScript, which has to be one of the worst ideas they’ve ever come up with:

Google has wrapped up coding the desktop version of Chrome 61, and will be rolling it out for Windows, Mac and Linux “over the coming days/weeks”.

Chrome 61 extends the visibility of USB-connected devices to Web apps. First proposed last year, WebUSB was pitched as an easier way to set up USB devices, since (for example) a vendor’s site could use the API to push a config to a newly-connected gadget.

The feature’s focus, Google says, is on specialist devices that don’t have a standard way to advertise their capabilities. Keyboards or mice are easy, but as is explained in the specification, USB-connected educational devices (say, microscopes) or 3D printers aren’t conveniently accessible.

There’s also the vexed question of USB device updates: the Chrome devs explain WebUSB could let manufacturers update a device by getting users to visit the page and give permission to the update [What could possibly go wrong? – Reg].

What could possibly go wrong, indeed! That wasn’t just the reaction of the folks at The Register; it was also the reaction of a commenter at Phoronix, who also wisely said No thanks, Google.

We’ve learned over the past few years that everything connected to the internet tends to be less secure. Therefore, it follows that a device can be made more secure if it’s not connected to the internet. Perhaps we should strive to minimize how many devices can be connected directly to the internet by emphasizing localized control and asking ourselves, “Do we really need internet-controlled light-bulbs?”

This may not be to Google’s advantage, as it won’t be able to obtain as much data from non-internet-connected devices, but it may be to the benefit of the internet at large. Some devices may actually work better and be more useful when connected to the internet, but the majority of the “Internet of Things” probably doesn’t actually need an internet connection, especially if those devices can be controlled locally, either through a physical push of a button or through local networks such as Bluetooth, NFC, Thread, or other P2P mesh networking technologies. The latter could bring much of the same convenience of controlling a smart device from an app, without the downside of allowing someone from the other side of the world to connect to it as well.

Well said. Putting WebUSB in Chrome was a mistake. Then again, using Chrome is a mistake. LGB recommends Firefox instead, or one of its derivatives, like Waterfox or Pale Moon.