Facebook Slammed By FTC

Today, Acting Director of the Bureau of Consumer Protection Samuel Levine sent the following letter (PDF) to Mark Zuckerberg concerning Facebook’s misleading claims regarding the company’s consent decree with the FTC:

Dear Mr. Zuckerberg:

I write concerning Facebook’s recent insinuation that its actions against an academic research project conducted by NYU’s Ad Observatory were required by the company’s consent decree with the Federal Trade Commission. As the company has since acknowledged, this is inaccurate. The FTC is committed to protecting the privacy of people, and efforts to shield targeted advertising practices from scrutiny run counter to that mission.

While I appreciate that Facebook has now corrected the record, I am disappointed by how your company has conducted itself in this matter. Only last week, Facebook’s General Counsel, Jennifer Newstead, committed the company to “timely, transparent communication to BCP staff about significant developments.” Yet the FTC received no notice that Facebook would be publicly invoking our consent decree to justify terminating academic research earlier this week.

Had you honored your commitment to contact us in advance, we would have pointed out that the consent decree does not bar Facebook from creating exceptions for good-faith research in the public interest. Indeed, the FTC supports efforts to shed light on opaque business practices, especially around surveillance-based advertising. While it is not our role to resolve individual disputes between Facebook and third parties, we hope that the company is not invoking privacy – much less the FTC consent order – as a pretext to advance other aims. 

Sincerely, 

/s/ Samuel Levine 

Acting Director
Bureau of Consumer Protection

Facebook Claims To Be Deleting Whistleblower Name

Facebook says it is now deleting the name of the person who has been publicly identified in some serious circles as the whistleblower who triggered a congressional impeachment inquiry into President Donald Trump’s actions.

The company said Friday mention of the whistleblower’s name now violates Facebook’s “coordinating harm policy,” which prohibits material that could identify a “witness, informant, or activist.”

Facebook says it is removing mentions of the alleged whistleblower’s name & will revisit this decision if the name is widely published in the media or used by public figures in debate. It is unlikely. The policy is not new.

Facebook says it has been applying it to the whistleblower case & removing the person’s name for a few days.

On Twitter, though, the alleged whistleblower’s name was circulating widely on Friday. The company does not have a policy against identifying whistleblowers by name and is not removing the posts.

Some of the stories identifying the person came from the conservative news site Breitbart, which Facebook counts as one of its news partners in a newly launched news section on its app. However, the company said it was also removing identifying posts on the whistleblower from Breitbart.

In a statement, Twitter said it prohibits the sharing of “personally identifiable information about any individual, including the alleged whistleblower.” But the company’s policy on such information does not consider a person’s name to be private information, a category that does include details such as a person’s address, contact information or medical records.

This is not the first time Twitter and Facebook diverged on important policies. Last week, Twitter said it is banning all political ads from its service, in sharp contrast to Facebook , which continues to defend running paid political ads, even false ones to this day… as a free speech priority.

Even news wires or services typical do NOT reveal the identity of whistleblowers. This is no longer the norm.

U.S. whistleblower laws exist to protect the identity & careers of people who bring forward accusations of wrongdoing by government officials. Lawmakers in both parties have historically backed those protections.

So far, President Donald Trump has avoided identifying the whistleblower by name. Exposing whistleblowers can be dicey, even for a president. For one thing, doing so could be a violation of federal law.

While there’s little chance Trump could face charges, revealing the name could give Democrats more impeachment fodder. It could also prompt a backlash among some Senate Republicans who have long defended whistleblowers.

Amid all this, a false claim about the identity of the whistleblower has also been circulating online. Falsely captioned photos of former White House staffer David Edelman circulated widely on Twitter, Facebook & Reddit this week as social media users tried to unmask the whistleblower.

They were possibly inspired by posts & stories shared by conservative outlets & the president’s son, Donald Trump Jr., that claimed to reveal the person’s identity.

Why Web Scraping Is Vital to Democracy

Journalists have used scrapers to collect data that rooted out extremist cops, tracked lobbyists, and uncovered an underground market for adopted children

The fruits of web scraping—using code to harvest data and information from websites—are all around us.

Right here, on LuvAtFirstByte we covered how even Supreme Court rulings & the published opinions of justices ruling on cases were successfully scraped & compared to “official versions“… ultimately showing they were being systematically altered… after the case was ruled upon…. all by a tweet loving hacktavist with a penchant for justice & transparency.

People build scrapers that can find every Applebee’s on the planet or collect congressional legislation and votes or track fancy watches for sale on fan websites. Businesses use scrapers to manage their online retail inventory and monitor competitors’ prices. Lots of well-known sites use scrapers to do things like track airline ticket prices and job listings. Google is essentially a giant, crawling web scraper.

Scrapers are also the tools of watchdogs and journalists, which is why The Markup filed an amicus brief in a case before the U.S. Supreme Court this week that threatens to make scraping illegal.

The case itself—Van Buren v. United States—is not about scraping but rather a legal question regarding the prosecution of a Georgia police officer, Nathan Van Buren, who was bribed to look up confidential information in a law enforcement database. Van Buren was prosecuted under the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to a computer network such as computer hacking, where someone breaks into a system to steal information (or, as dramatized in the 1980s classic movie “WarGames,” potentially start World War III).

In Van Buren’s case, since he was allowed to access the database for work, the question is whether the court will broadly define his troubling activities as “exceeding authorized access” to extract data, which is what would make it a crime under the CFAA. And it’s that definition that could affect journalists.

Or, as Justice Neil Gorsuch put it during Monday’s oral arguments, lead in the direction of “perhaps making a federal criminal of us all.”

Investigative journalists and other watchdogs often use scrapers to illuminate issues big and small, from tracking the influence of lobbyists in Peru by harvesting the digital visitor logs for government buildings to monitoring and collecting political ads on Facebook. In both of those instances, the pages and data scraped are publicly available on the internet—no hacking necessary—but sites involved could easily change the fine print on their terms of service to label the aggregation of that information “unauthorized.” And the U.S. Supreme Court, depending on how it rules, could decide that violating those terms of service is a crime under the CFAA.

“A statute that allows powerful forces like the government or wealthy corporate actors to unilaterally criminalize newsgathering activities by blocking these efforts through the terms of service for their websites would violate the First Amendment,” The Markup wrote in our brief.

What sort of work is at risk? Here’s a roundup of some recent journalism made possible by web scraping:

• The COVID tracking project, from The Atlantic, collects and aggregates data from around the country on a daily basis, serving as a means of monitoring where testing is happening, where the pandemic is growing, and the racial disparities in who’s contracting and dying from the virus.
• This project, from Reveal, scraped extremist Facebook groups and compared their membership rolls to those of law enforcement groups on Facebook—and found a lot of overlap.

• Reveal also used scrapers to find that hundreds of millions of dollars in property taxes should have never been charged to Detroit residents who then lost their homes through foreclosure.

• The Markup’s recent investigation into Google’s search results found that it consistently favors its own products, leaving some websites from which the web giant itself scrapes information struggling for visitors and, therefore, ad revenue. The U.S. Department of Justice cited the issue in an antitrust lawsuit against the company. 

• In Copy, Paste, Legislate, USA Today found a pattern of cookie-cutter laws, pushed by special interest groups, circulating in legislatures around the country.

• Reuters scraped social media and message boards to find an underground market for adopted children whose parents, who had usually adopted the children from abroad, decided the children were too much for them. A couple featured in the piece was later convicted of kidnapping as a result of the investigation.

• Gizmodo was able to use similar tools to find the probable locations of tens of thousands of Ring surveillance cameras.

• The Trace and The Verge, using scrapers, found people using an online market to sell guns without a license and without performing background checks.

Zero-day Exploit: Apple Sign In Hacked

What if I say, your Email ID is all I need to takeover your account on your favorite website or an app. Sounds scary, right? This is what a bug within the “Sign in with Apple” feature seen around the web allowed me to do.

In the month of April, I found a zero-day exploit that compromised the  “Sign in with Apple” logging service and it affected almost all third-party applications which were using it and didn’t implement their own additional security measures (like Facebook, Gmail, Twitter, WhatsApp, Instagram…).

This bug could have resulted in a full account takeover of user accounts on thousands of third party applications irrespective of a victim even having a valid Apple ID or not.

For this vulnerability, I earned (check is in the mail) $100,000.00 USD courtesy of Apple under the terms of their Apple Security Bounty program.

Technical Details

“Sign in with Apple” works similarly to OAuth 2.0. There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT. The below diagram represents how the JWT creation & validation works.

In the 2nd step, while authorizing, Apple gives an option to a user to either share the Apple Email ID with the 3rd party app or not. If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the 3rd party app to login a user.

A decoded JWT’s payload looks like this:

{
  "iss": "https://appleid.apple.com",
  "aud": "com.XXXX.weblogin",
  "exp": 158XXXXXXX,
  "iat": 158XXXXXXX,
  "sub": "XXXX.XXXXX.XXXX",
  "c_hash": "FJXwx9EHQqXXXXXXXX",
  "email": "contact@bhavukjain.com", // or "XXXXX@privaterelay.appleid.com"
  "email_verified": "true",
  "auth_time": 158XXXXXXX,
  "nonce_supported": true
}

**BUG**

I found I could request JWTs for any Email ID from Apple & when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.

Sample Request (2nd step)

{
  "iss": "https://appleid.apple.com",
  "aud": "com.XXXX.weblogin",
  "exp": 158XXXXXXX,
  "iat": 158XXXXXXX,
  "sub": "XXXX.XXXXX.XXXX",
  "c_hash": "FJXwx9EHQqXXXXXXXX",
  "email": "contact@bhavukjain.com", // or "XXXXX@privaterelay.appleid.com"
  "email_verified": "true",
  "auth_time": 158XXXXXXX,
  "nonce_supported": true
}

Here on passing any email, Apple generated a valid JWT (id_token) for that particular Email ID.

Sample Response

POST /XXXX/XXXX HTTP/1.1
Host: appleid.apple.com

{"email":"contact@bhavukjain.com"}

Here on passing any email, Apple generated a valid JWT (id_token) for that particular Email ID.

Sample Response

{
  "authorization" : {
    "id_token" : "eyJraWQiOiJlWGF1bm1MIiwiYWxnIjoiUlMyNTYifQ.XXXXX.XXXXX",
    "grant_code" : "XXX.0.nzr.XXXX",
    "scope" : [ "name", "email" ]
  },
  "authorizedData" : {
    "userId" : "XXX.XXXXX.XXXX"
  },
  "consentRequired" : false
}

The impact of this vulnerability was quite critical as it could have allowed full account takeover. A lot of developers have integrated “Sign in with Apple” since it is mandatory for applications that support other social logins. To name a few that use “Sign in with Apple” – Dropbox, Spotify, Airbnb, Giphy (Now acquired by Facebook). These applications were not tested but could have been vulnerable to a full account takeover if there weren’t any other security measures in place while verifying a user.

Apple also did an investigation of their logs & determined there was no misuse or account compromise due to this vulnerability.

A huge thanks to the Apple Security Team & Bruce Schneider.

Facebook Drone Crash Under NTSB Investigation

Aquila, Facebook’s ambitious drone that could bring high-speed internet to remote parts of the world, is being investigated by a government agency for an accident that took place during a test flight in June.

The social media giant downplayed this “structural failure” in the aftermath of the initial test, and did not disclose that they were being investigated.

Bloomberg reports that the National Transportation Safety Board has been engaged in a previously undisclosed investigation into the accident, which took place as the done was landing on the morning of June 28.

The unmanned drone, which has a wingspan wider than a Boeing Co. 737, suffered a “structural failure” as it was coming in for a landing after an otherwise successful test. The NTSB as classified the incident as an accident, which means the damage was “substantial,” according to Bloomberg. There were no injuries on the ground.

WATCH | Inside Facebook’s Connectivity Lab

 

Neither Facebook nor the NTSB have released further details about the accident.

With the exception of half a sentence in the eighth paragraph of a post on Facebook’s engineering blog in July, the company didn’t address this failure. Mark Zuckerberg was exclusively positive when he wrote about the test on his blog in July. Facebook didn’t disclose the NTSB investigation, nor did anyone at the company mention the extent of the damage in multiple interviews, according to The Verge.

Aquila certainly seems like a noble endeavor, and it’s understandable (if more than a little shady) that Facebook would want to focus on the positive aspects of the test rather than a crash landing. But, as we’re learning, you can’t always believe what you read on Facebook.

Apple Developing Smart Glasses

Apple Inc. is weighing an expansion into digital glasses, a risky but potentially lucrative area of wearable computing, according to people familiar with the matter.

While still in an exploration phase, the device would connect wirelessly to iPhones, show images and other information in the wearer’s field of vision, and may use augmented reality, the people said. They asked not to be identified speaking about a secret project.

// WATCH BLOOMBERG COVERAGE OF APPLE’S LATEST R&D NEWS //

Apple has talked about its glasses project with potential suppliers, according to people familiar with those discussions. The company has ordered small quantities of near-eye displays from one supplier for testing, the people said. Apple hasn’t ordered enough components so far to indicate imminent mass-production, one of the people added.

Should Apple ultimately decide to proceed with the device, it would be introduced in 2018 at the earliest, another person said. The Cupertino, California-based company tests many different products and is known to pivot, pause, or cancel projects without disclosing them. Apple spokeswoman Trudy Muller declined to comment.

Chief Executive Officer Tim Cook is under pressure to deliver new products amid slowing sales of the iPhone, which accounts for two-thirds of Apple’s revenue. In July, he expressed enthusiasm for augmented reality after the rise of Pokemon Go, a location-based game that uses the technology. AR, as it’s known, adds images and other digital information to people’s view of the real world, while virtual reality completely surrounds them with a computer-generated environment.

The glasses may be Apple’s first hardware product targeted directly at AR, one of the people said. Cook has beefed up AR capabilities through acquisitions. In 2013, Apple bought PrimeSense, which developed motion-sensing technology in Microsoft Corp.’s Kinect gaming system. Purchases of software startups in the field, Metaio Inc. and Flyby Media Inc., followed in 2015 and 2016.

“AR can be really great, and we have been and continue to invest a lot in this,” Cook said in a July 26 conference call with analysts. “We are high on AR for the long run. We think there are great things for customers and a great commercial opportunity.”

Apple has AR patents for things like street view in mapping apps. It was also awarded patents for smart glasses that make use of full-fledged virtual reality. Apple is unlikely to leverage VR in a mass-consumer product, Cook suggested in October.

“I can’t imagine everyone in here getting in an enclosed VR experience while you’re sitting in here with me, but I could imagine everyone in here in an AR experience right now,” he said during an onstage discussion in Utah.

Apple’s challenge is fitting all the technology needed into a useful pair of internet-connected glasses that are small and sleek enough for regular people to wear.

Google’s attempt to develop internet-connected eye wear flopped in part because its tiny battery ran out quickly. Google Glass, as it was called, also suffered a privacy backlash and poor public perception of its external design.

After that disappointment, technology companies largely turned their immediate focus to VR and away from AR. Google recently introduced a VR headset alongside its Pixel smartphone, and Facebook Inc.’s Oculus VR unit has teamed up with Samsung Electronics Co. on a similar headset. Microsoft has the most public AR offering. Its HoloLens product shows holographic images in a user’s field of vision.

Apple’s effort may be more difficult because the chips, batteries and other components that will be available in a year or two may still not be small enough and powerful enough to build slim glasses capable of handling compelling AR experiences.

However, given time, technical challenges may play to Apple’s strengths. The company specializes in turning technology that others have struggled with into easy-to-use devices for the masses. For example, Apple simplified fingerprint technology into an unlocking mechanism for the iPhone and took touch screens mainstream with the original iPhone.

Augmented reality “is going to take a while, because there are some really hard technology challenges there, but it will happen in a big way, and we will wonder when it does, how we ever lived without it,” Cook said last month. “Like we wonder how we lived without our phone today.”

NSA To Stop Spying: Sort Of

The National Security Agency has determined access to historical metadata of millions of Americans collected under Section 215 of the USA PATRIOT Act… which means any data collected before November 29, 2015… will cease November 29, 2015.

No real legitimate debate, public court proceedings to hold accountable those who authorized Section 215 have taken place. Quarreling over the right ‘balance’ between security & privacy has over shadowed the real issue. Pundits, politicians & every person posting with such passion about patriotism on Facebook pages… seem to be missing the point almost entirely.

Call me crazy… but this seems a bit nuts. It seems something is amiss here. Was Section 215 ever really effective… because we now know it certainly wasn’t legal? I thought this type of spying on Americans… the collection of private data, metadata & often times much, much more… was the lynch pin of US National Security Strategy?! It wasn’t keeping terrorists at bay. If the wide-spread invasion of privacy… robbing The People of liberty… is the only way to prevent catastrophe or imminent attack… perhaps more than Section 215 should cease come November 29th.

| Read the entire statement by the Office of The Director of National Intelligence on Retention of Data Collected Under Section 215 of the USA PATRIOT Act.

ID Thieves Leverage Domino’s App

Let’s say you’re a criminal who has just purchased a bunch of credit/debit card numbers stolen from one of the data breaches that occur every day. How do you check to see if the numbers you’ve purchased are any good? For ID thieves in Brooklyn, the Domino’s Pizza ordering app provided a quick and easy way to run through those numbers — and get pizza for people.

According to the NY Times, Brooklyn police officers were monitoring various usual suspects’ social media accounts when they noticed the question “Who wants pizza?” and the Domino’s logo repeatedly popping up in folks’ timelines on Facebook.

When they checked with Domino’s HQ, the pizza company acknowledged there had been a spike in sales in the area.

Additionally, some people were not only making way too many pizza orders for one household to eat, but their successful orders were coming after multiple rejected attempts. One user made 2,000 ordering attempts in a single month, according to the police.

Police were able to work with Domino’s to determine which orders were likely placed with stolen card numbers, which came from people all over the country. Some folks noticed that their accounts were being used to order lots of pizza in Brooklyn and had contested the charges.

In November, police rounded up 14 suspects — almost all male teenager — over the course of two days. Some claim that they were guilty of nothing more than receiving a pizza.

“I didn’t order the pizza,” one 17-year-old arrestee tells the Times. “Someone ordered the pizza for me. The address was at my house.”

He claims that a friend offered to send him some free Domino’s, which is hard to say no to. But when he went downstairs to get the pizza from the delivery driver, he was cuffed and arrested.

Global Corporate Surveillance Reform | Website

This week, Google, Facebook, & their pals released a new web site, Reform Government Surveillance, calling on governments to rein in their surveillance efforts. 

While this is a positive move in general, I find it highly hypocritical that it’s the business models of many of these companies that facilitated the scale and ease of the spying in the first place. They also conveniently forgot to mention that they have been surveilling their users for ages and that many have built their businesses on doing just that.

Although with corporate surveillance it may appear that we have a choice, many of these services are actually becoming essential to our lives. Essential to taking part in modern society. And if all of our alternatives share the same business model, what real choice are we left with?

So, Aral Balkan, Founder of IndiePhone decided to point out these little oversights by making a parody site: Reform Corporate Surveillance. It is intended to help expose the hypocrisy of these companies and the need for viable open alternatives that can compete with them.

To learn more about the dangers of corporate surveillance and the ‘free’ business model, as well as the motivations behind experience-driven open source, indie data, and Indie Phone, watch Aral’s talk on Digital Feudalism and How to Avoid It.