Google says geofence warrants make up one-quarter of all US demands

Thurs. Aug. 19, 2021 | By Zack Whittaker | TechCrunch |

For the first time, Google has published the number of geofence warrants it’s historically received from U.S. authorities, providing a rare glimpse into how frequently these controversial warrants are issued.

The figures, published Thursday, reveal that Google has received thousands of geofence warrants each quarter since 2018, and that these warrants at times accounted for about one-quarter of all U.S. warrants that Google receives. The data shows that the vast majority of geofence warrants are obtained by local and state authorities, with federal law enforcement accounting for just 4% of all geofence warrants served on the technology giant.

According to the data, Google received 982 geofence warrants in 2018, 8,396 in 2019 and 11,554 in 2020. But the figures provide only a small glimpse into the volume of warrants received and do not break down how often Google pushes back on overly broad requests.

When reached, Google spokesperson Alex Krasov said in a statement: “We vigorously protect the privacy of our users while supporting the important work of law enforcement. We developed a process specifically for these requests that is designed to honor our legal obligations while narrowing the scope of data disclosed.”

Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project (STOP), which led efforts by dozens of civil rights groups to lobby for the release of these numbers, commended Google for releasing the numbers.

“Geofence warrants are unconstitutionally broad and invasive, and we look forward to the day they are outlawed completely,” said Cahn.

Geofence warrants are also known as “reverse-location” warrants, since they seek to identify people of interest who were in the near vicinity at the time a crime was committed. Police do this by asking a court to order Google, which stores vast amounts of location data to drive its advertising business, to turn over details of who was in a geographic area, such as a radius of a few hundred feet at a certain point in time, to help identify potential suspects.

Google has long shied away from providing these figures, in part because geofence warrants are largely thought to be unique to Google. Law enforcement has long known that Google stores vast troves of location data on its users in a database called Sensorvault, first revealed by The New York Times in 2019.

Sensorvault is said to have the detailed location data on “at least hundreds of millions of devices worldwide,” collected from users’ phones when they use an Android device with location data switched on, or Google services like Google Maps and Google Photo, and even Google search results. In 2018, the Associated Press reported that Google could still collect users’ locations even when their location history is “paused.”

But critics have argued that geofence warrants are unconstitutional because the authorities compel Google to turn over data on everyone else who was in the same geographic area.

Worse, these warrants have been known to ensnare entirely innocent people.

TechCrunch reported earlier this year that Minneapolis police used a geofence warrant to identify individuals accused of sparking violence in the wake of the police killing of George Floyd last year. One person on the ground who was filming and documenting the protests had his location data requested by police for being close to the violence. NBC News reported last year how one Gainesville, Fla. resident whose information was given by Google to police investigating a burglary was able to prove his innocence thanks to an app on his phone that tracked his fitness activity.

Although the courts have yet to deliberate widely on the legality of geofence warrants, some states are drafting laws to push back against them. New York lawmakers proposed a bill last year that would ban geofence warrants in the state amid fears that police could use these warrants to target protesters, as happened in Minneapolis.

Cahn, who helped introduce the New York bill last year, said the newly released data will “help spur lawmakers to outlaw the technology.”

“Let’s be clear, the number of geofence warrants should be zero,” he said.

Data of 40 million plus exposed in latest T-Mobile breach

Wed. Aug. 18, 2021 | By Matt O’Brien | ABC News |

NEW YORK — The names, Social Security numbers and information from driver’s licenses or other identification of just over 40 million people who applied for T-Mobile credit were exposed in a recent data breach, the company said Wednesday.  The same data for about 7.8 million current T-Mobile customers who pay monthly for phone service also appears to be compromised. No phone numbers, account numbers, PINs, passwords or financial information from the nearly 50 million records and accounts were compromised, it said.

T-Mobile has been hit before by data theft but in the most recent case, “the sheer numbers far exceed the previous breaches,” said Gartner analyst Paul Furtado.  T-Mobile, which is based in Bellevue, Washington, became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger.

“Yes, they have a big target on their back but that shouldn’t be a surprise to them,” Furtado said. “You have to start questioning the organization. How much are they actually addressing these breaches and the level of seriousness?”

T-Mobile also confirmed Wednesday that approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed. The company said that it proactively reset all of the PINs on those accounts. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.  There was also some additional information from inactive prepaid accounts accessed through prepaid billing files. T-Mobile said that no customer financial information, credit card information, debit or other payment information or Social Security numbers were in the inactive file.

T-Mobile had said earlier this week that it was investigating a leak of its data after someone took to an online forum offering to sell the personal information of cellphone users.  The company said Monday that it had confirmed there was unauthorized access to “some T-Mobile data” and that it had closed the entry point used to gain access. “If you were affected, you’ll hear from us soon,” CEO Mike Sievert tweeted in response to a concerned customer Tuesday.  The company now says it will immediately offer two years of free identity protection services and is recommending that all of its postpaid customers — those who pay in monthly installments — change their PIN. Its investigation is ongoing.

T-Mobile has previously disclosed a number of data breaches over the years, most recently in January and before that in Nov. 2019 and Aug. 2018, all of which involved unauthorized access to customer information. It also disclosed a breach affecting its own employees’ email accounts in 2020. And in 2015, hackers stole personal information belonging to about 15 million T-Mobile wireless customers and potential customers in the U.S., which they obtained from credit reporting agency Experian.

“It’s a real indictment on T-Mobile and whether or not these customers would want to continue working with T-Mobile,” said Forrester analyst Allie Mellen. “Ultimately T-Mobile has a lot of really sensitive information on people and it’s just a matter of luck that, this time, the information affected was not financial information.”  She said the hack didn’t appear particularly sophisticated and involved a configuration issue on a server used for testing T-Mobile phones.

“There was a gate left wide open for the attackers and they just had to find the gate and walk through it,” Mellen said. “And T-Mobile didn’t know about the attack until the attackers posted about it in an online forum. That’s really troubling and does not give a good indication that T-Mobile has the appropriate security monitoring in place.”

A Simple Software Fix Could Limit Location Data Sharing

Fri. Aug 13, 2021 | Author Unk. | wired |

Carriers know where you are every time your phone reconnects to the cell network, but with Pretty Good Phone Privacy, they wouldn’t have to.

Much of the third-party location data industry is fueled by apps that gain permission to access your GPS information, but the location data that carriers can collect from cell towers has often provided an alternative pipeline. For years it’s seemed like little could be done about this leakage, because cutting off access to this data would likely require the sort of systemic upgrades that carriers are loath to make.

At the Usenix security conference on Thursday, though, network security researchers Paul Schmitt of Princeton University and Barath Raghavan of the University of Southern California are presenting a scheme called Pretty Good Phone Privacy that can mask wireless users’ locations from carriers with a simple software upgrade that any carrier can adopt—no tectonic infrastructure shifts required.

“The primary problem we’re trying to address is bulk data collection and the sale of it,” Raghavan says. “We see it as a user privacy issue that carriers can amass this location data whether or not they are currently actively selling it. And our goal here was backward compatibility. We didn’t want the telecoms to have to roll out anything, because we knew they weren’t going to.”…

What’s New With Find My in iOS 15: Tracking When iPhone is Off, Live Locations, Locate After Erase and More

Fri. Jul 30, 2021 | By Juli Clover – MacRumors |

Pegasus spyware political fallout: What’s up with this phone surveillance tech

Fri. Jul 30, 2021 | By Stephen Shankland – cnet |
