More stories

  • Australian Home Affairs Minister takes issue with EU Electronic Communications Code

    The Australian government, alongside counterparts from Canada, New Zealand, the United Kingdom, and the United States, has declared that unintended consequences of the new European Electronic Communications Code are putting children at risk.
    The new code came into effect in the European Union on 21 December 2020 and is aimed at harmonising the existing legal framework for electronic communications across the EU.
    It introduced a new broader definition of “electronic communications services”, which compels service providers operating in the EU to comply with the rules of the ePrivacy Directive.
    As a result, many over-the-top (OTT) providers and various other telecommunications services that did not previously fall within the definition of the code now do. Australian Minister for Home Affairs Peter Dutton said this would inadvertently make it easier for criminals to abuse children online.
    “Under the new Code, it is now illegal for electronic service providers, including social media companies, operating in the EU to continue to use the necessary tools to detect child sexual abuse material on online platforms and services,” a statement from Dutton said.
    The minister responsible for children in Australian immigration detention facilities said protecting children is the “most important thing we can do as a global community”. He said user privacy should not come at the expense of children’s safety.
    “It is essential that the European Parliament acts urgently and agrees to exempt certain technologies from the ‘ePrivacy Directive’ and preserve companies’ ability to detect and prevent child sexual abuse. This cannot wait,” the statement continues. “We support European Union measures that will allow for the continuation and expansion of the current efforts to keep children safe online.”

    The statement from the five countries said the European Union must urgently adopt the derogation to the ePrivacy Directive proposed by the European Commission so that service providers can continue the essential work of shielding endangered children in Europe and around the world.
    “The European Union has a unique role to play in the global fight against online child sexual exploitation. It is essential that the European Union adopt measures that ensure not only the legal authority, but also the practical ability, for providers to use tools to detect online child sexual exploitation,” it reads.
    Dutton pointed to the Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse, launched in March 2020, which set out 11 actions that tech firms have voluntarily agreed to follow in order to prevent child predators from targeting kids on their platforms.
    “The Voluntary Principles rely on the continuation of companies’ legal and technical ability to identify and take action against child sexual abuse on their platforms,” Dutton said.
    He also pointed to the signing of the International Statement: End-to-End Encryption and Public Safety in October 2020 by the Australian, Canadian, New Zealand, UK, US, Indian, and Japanese governments, saying the countries have been working closely with the world’s largest tech companies to implore companies to better protect children online.
    “The introduction of the Code could undermine this progress and prevent tech companies from using some of the most powerful tools available to combat child abuse on their platforms,” Dutton said.

  • Guest Mode now available on Google Assistant

    Google has introduced Guest Mode to Google Assistant so that, while the mode is switched on, users’ interactions with their Google smart speakers or displays, including Nest Audio and Nest Hub Max, are not saved to their account.
    When Guest Mode is switched on, users will be able to continue to ask questions, control smart home devices, set timers, and play music, but will not be able to access personal results, such as calendar entries or contacts, until Guest Mode is switched off.
    Google added the device will also automatically delete audio recordings and Google Assistant activity from the device owner’s account when in Guest Mode.
    However, if users are interacting with other apps and services, such as Google Maps, YouTube, or other media and smart home services while in Guest Mode, those apps may still save that activity, Google said.
    Users switch on Guest Mode by saying, “Hey Google, turn on Guest Mode”, after which the device plays a special chime and displays a guest icon. To switch it off, users simply ask Google to turn off the feature.
    Users can also check if their device is still on Guest Mode by asking Google, “Is Guest Mode on?”
    Google product manager Philippe de Lurand Pierre-Paul said Guest Mode was designed to give users more privacy controls, suggesting it could come in handy when guests are over and don’t want their interactions saved to a user’s existing account.

    “Google Assistant is designed to automatically safeguard your privacy and offer simple ways for you to control how it works with your data,” he wrote in a blog post.
    Guest Mode is now available on Google Nest speakers and displays in English. Google said it plans to bring the feature in more languages and devices in the next few months.
    This latest feature builds on other Assistant privacy features Google introduced just last week at CES 2021, including allowing users to delete a record of the most recent command by saying, “Hey Google, that wasn’t for you”, or asking “Hey Google, are you saving my audio data?” to learn about their privacy controls and go directly into the settings screen to change their preferences.
    Google confirmed in August that third-party workers were “systematically listening” and leaking private Dutch conversations collected by the assistant. 
    Belgian public broadcaster VRT NWS revealed that more than 1,000 files had been leaked from these workers, including recordings from instances where users accidentally triggered Google’s software. After the incident, Google paused all of its language review operations. 
    Google revamped its Assistant privacy policy last year. Among the changes, Google made it the default for the voice assistant not to retain audio recordings once a request was fulfilled, meaning users have to opt in to let Google keep any voice recordings made by the device. It also added a feature that allows users to review and delete past audio recordings.

  • Fertility-tracking app Flo Health settles FTC allegations of inappropriate data sharing

    Fertility-tracking app Flo Health has settled Federal Trade Commission (FTC) allegations that it shared user data with third parties despite claiming the contrary.
    As part of the proposed settlement [PDF], the developer of the period and fertility-tracking app, which the FTC said is used by more than 100 million consumers, is required to obtain an independent review of its privacy practices and get app users’ consent before sharing their health information. 
    Flo will also be prohibited from misrepresenting the purposes for which it or entities to whom it discloses data collect, maintain, use, or disclose the data; how much consumers can control these data uses; its compliance with any privacy, security, or compliance program; and how it collects, maintains, uses, discloses, deletes, or protects users’ personal information.
    In addition, Flo must notify affected users about the disclosure of their personal information and instruct any third party that received users’ health information to destroy that data.
    In its complaint [PDF], the FTC alleges that Flo promised to keep users’ health data private and only use it to provide the app’s services to users. 
    According to the complaint, Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry.
    The FTC said Flo disclosed sensitive health information, such as a user’s pregnancy, to third parties in the form of “app events,” which is app data transferred to third parties for various reasons.

    The complaint alleges Flo did not limit how third parties could use this health data.
    Flo did not stop disclosing this sensitive data until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app’s users, the FTC said.
    “Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” director of the FTC’s Bureau of Consumer Protection Andrew Smith said. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
    The FTC also alleges that Flo violated the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks, which require notice, choice, and protection of personal data transferred to third parties.
    A Flo Spokesperson told ZDNet the company’s highest priority is protecting its users’ data.
    “Which is why we have cooperated fully throughout the FTC’s review of our privacy policy and procedures,” they said.
    “We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use.”
    The spokesperson said Flo is transparent about its practices and adheres strictly to all applicable regulations.
    “Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us,” they said.
    “Flo did not at any time share users’ names, addresses, or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission.”
    Updated 10:43am AEDT 14 January 2021: Added comments from Flo Health spokesperson.

  • Iranian cyberspies behind major Christmas SMS spear-phishing campaign

    Image: Rodion Kutsaev
    An Iranian cyber-espionage group known as Charming Kitten (APT35 or Phosphorus) has used the recent winter holiday break to attack targets from all over the world using a very sophisticated spear-phishing campaign that involved not only email attacks but also SMS messages.


    “Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect,” said CERTFA, a cybersecurity organization specialized in tracking Iranian operations.
    “The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents,” it added.
    CERTFA said it detected attacks targeting members of think tanks, political research centers, university professors, journalists, and environmental activists.
    The victims were located in countries around the Persian Gulf, Europe, and the US.
    How an attack unfolded
    CERTFA researchers said that this particular campaign exhibited an advanced degree of complexity. Victims received spear-phishing messages from the attackers not only via email but also via SMS, a channel that not many threat actors use on a regular basis.
    While the SMS messages posed as Google security alerts, the emails leveraged previously hacked accounts and tried to play on the festive mood with holiday-related lures.

    The common denominator in both campaigns was that Charming Kitten operators managed to successfully hide their attacks behind a legitimate Google URL of https://www.google[.]com/url?q=https://script.google.com/xxxx, which would have fooled even the most tech-savvy recipients.

    Image: CERTFA
    Under the hood, CERTFA said, the legitimate Google URL would bounce the user through several websites and eventually land them on a phishing page, where they would be asked for login credentials for personal email services such as Gmail, Yahoo, and Outlook, as well as for business email accounts.
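    The technique described above, a phishing link hidden behind a trusted-looking redirector, is something a mail or SMS gateway can flag before a user ever clicks. The following is an added example written for this page, not code from CERTFA or from the report it published: it peels known redirect wrappers off a URL, hop by hop, and reports the effective destination so it can be compared against an allowlist or reputation feed. The wrapper table covers only the google.com/url?q= pattern the report describes; the sample links are constructed, and the inner path “xxxx” is the report’s own placeholder rather than a real script id.

```python
from urllib.parse import urlsplit, parse_qs

# Known redirect wrappers: hostname -> (path, query parameter carrying the real
# destination). Only the pattern quoted in the CERTFA report is listed; any
# other entry an operator adds here is their own assumption.
REDIRECT_WRAPPERS = {
    "www.google.com": ("/url", "q"),
    "google.com": ("/url", "q"),
}

# Constructed samples for the demonstration (not observed indicators).
SAMPLE_LINK = "https://www.google.com/url?q=https://script.google.com/xxxx"
PLAIN_LINK = "https://www.google.com/search?q=charming+kitten"
NESTED_LINK = (
    "https://www.google.com/url?q="
    "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fexample.invalid%2Flogin"
)


def unwrap_redirect(url, max_hops=5):
    """Return the chain of URLs from the link as shown to its effective target.

    hops[0] is the URL the recipient saw; hops[-1] is what remains once every
    recognised wrapper has been removed. parse_qs percent-decodes each hop, so
    a wrapper nested inside another wrapper is unwrapped on the next pass.
    max_hops bounds the loop so a self-referential chain cannot spin forever.
    """
    hops = [url]
    for _ in range(max_hops):
        parts = urlsplit(hops[-1])
        wrapper = REDIRECT_WRAPPERS.get((parts.hostname or "").lower())
        if wrapper is None:
            break
        path, param = wrapper
        if parts.path != path:
            break  # same host, but not the redirector endpoint
        values = parse_qs(parts.query).get(param)
        if not values:
            break  # redirector path without a destination parameter
        hops.append(values[0])
    return hops


def assess_link(url):
    """Summarise what a gateway should log or alert on for one link."""
    hops = unwrap_redirect(url)
    shown_host = (urlsplit(hops[0]).hostname or "").lower()
    final_host = (urlsplit(hops[-1]).hostname or "").lower()
    return {
        "hops": hops,
        "shown_host": shown_host,
        "final_host": final_host,
        "wrapped": len(hops) > 1,
        # The displayed host and the host that actually receives the click
        # differ: this is the property that lets a trusted domain front a
        # phishing page, and it is the field to key detection on.
        "host_mismatch": shown_host != final_host,
    }


if __name__ == "__main__":
    for link in (SAMPLE_LINK, PLAIN_LINK, NESTED_LINK):
        report = assess_link(link)
        print(f"{link}\n  wrapped={report['wrapped']} "
              f"mismatch={report['host_mismatch']} final={report['final_host']}")
```

    Checking `final_host` rather than the visible hostname is the point: the report’s example keeps the click inside Google-owned infrastructure for the first hop, so a plain “is this a Google link?” test passes, while the unwrapped destination (here script.google.com, which then forwards onward) is what reputation and allowlist checks need to see.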

    Image: CERTFA
    The CERTFA team noted that this wasn’t the first time that Charming Kitten managed to successfully hide links to spear-phishing websites behind Google URLs.
    The company points to a previous report from January 2020, exposing a Charming Kitten operation that abused sites.google.com links.

  • Microsoft mocks Facebook and it doesn't go down well

    Is privacy a good area to mock Facebook? Perhaps.
    When a rival does something heinous, ignorant or just inevitably cynical, it’s tempting to (try to) take advantage.


    So when Facebook announced last week that WhatsApp users either had to agree that the app would share more of their data with Facebook by February 8 or be excommunicated from WhatsApp, Microsoft couldn’t help itself.
    Suddenly, here was Redmond protesting that its services are more privacy-conscious. Well, one of its services. Well, Skype.
    In a serendipitous tweet on the Skype account, users were told: “Skype respects your privacy. We are committed to keeping your personal data private and do not sell to 3rd parties.”
    This came with a link to Microsoft’s privacy statement. (Sample wording: “We also obtain data about you from third parties.”)

    Perhaps some might have seen this as a noble, as well as commercial, message.
    Anyone who suggests that Facebook is to privacy what Kanye West is to reticence surely has the respect of many.

    Yet Twitterers who responded to Skype’s sudden bravado weren’t inspired. There were criticisms of Skype’s slowness on mobile, its tendency to demand your private phone number and even its past troubles with, oh, privacy.
    It’s worth, of course, considering why Skype exists at all. Hasn’t Teams become what Skype was supposed to be, but never quite made it?
    With the sudden onset of working from home, everyone was Zooming when they could have been — at least theoretically — Skypeing.
    Indeed, my ZDNet colleagues recently offered a detailed exposition of why Skype is an unhappy relic of freedom-loving times. The bugginess, the spam, the constant updates. None of this earned Skype affection. Or respect.
    Conversely, WhatsApp’s whole ethos was based around ease and encryption. How sad, indeed, that Microsoft thinks Skype — of all its products — could somehow replace that. WhatsApp vs Skype is like Steph Curry vs Jake Paul. It doesn’t even seem like the same sport.
    Why, Elon Musk insists your best choice is Signal.
    In any case, Facebook has been siphoning off data from WhatsApp for quite some time already. The latest announcement just made that process more grotesquely grabby. Why would Microsoft suddenly think that anyone would suddenly think Skype is a fine option?
    Perhaps it’s better to do something than nothing. Could it be, though, that Microsoft is also trying to align itself with Apple’s hardline stance against Facebook, but in more muted tones?
    At least, you might still insist, Skype doesn’t sell your data to third parties. This may be because, unlike Facebook, its business isn’t advertising.
    I still worry that Skype is simply past it.
    It’s instructive, indeed, how Microsoft sees Skype these days. The Skype Twitter profile offers this description: “The next generation of Skype from Microsoft gives you better ways to chat, call, and plan fun things to do with the people in your life every day.”
    I can’t see anything about privacy there, can you?

  • WhatsApp says: No, we can't see your private messages – and neither can Facebook

    Facebook-owned WhatsApp has published a new FAQ that aims to clear up misunderstandings over a planned update to its privacy policy, which some people thought would force them to permit WhatsApp to share profile data, phone numbers and diagnostic data with Facebook.    
    Chatter on social media about the policy change caused a mini exodus among WhatsApp’s two billion users to Signal – a messaging app that most security experts recommend. Signal also provides the end-to-end encryption protocol that WhatsApp uses. 

    WhatsApp’s wording in the notification about its privacy update said users must accept the policy update after February 8 and suggested the alternative was to delete the WhatsApp account. WhatsApp’s previous policy let users opt out of most sharing of user data with Facebook.
    The surge in new Signal signups was probably helped by Elon Musk tweeting “Use Signal” following reports of WhatsApp’s upcoming privacy policy changes by Ars Technica and PCMag.  
    Telegram also claimed to have gained 25 million new users in the past three days, pushing its user numbers beyond 500 million.  
    Facebook has now explained that the policy changes, which take effect on February 8, are actually about WhatsApp users messaging a business on WhatsApp.

    “We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data,” WhatsApp says in the FAQ. 
    WhatsApp stressed that Facebook can’t see private WhatsApp messages and nor can WhatsApp because of end-to-end encryption. Additionally, neither WhatsApp nor Facebook can see users’ locations shared with each other. WhatsApp says it doesn’t share users’ contacts with Facebook or its other apps.
    However, the FAQ also explains the three key scenarios where WhatsApp user data and communications can end up on Facebook’s servers, but these are limited to communications with businesses via WhatsApp. Those communications can be used to target ads to the user on Facebook.  
    WhatsApp explains it is “giving businesses the option to use secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts.”
    “Whether you communicate with a business by phone, email, or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook. To make sure you’re informed, we clearly label conversations with businesses that are choosing to use hosting services from Facebook.”
    Additionally, with Facebook commerce features like Shops, Facebook is allowing businesses to display their goods within WhatsApp. Facebook says that when WhatsApp users choose to use these features, it will inform users within the WhatsApp app how a person’s data is being shared with Facebook. 
    The third way is via ads on Facebook with a button to message a business using WhatsApp. 
    “If you have WhatsApp installed on your phone, you’ll have the option to message that business. Facebook may use the way you interact with these ads to personalize the ads you see on Facebook,” said WhatsApp.

  • TikTok tightens up privacy controls for young users

    TikTok has announced sweeping changes to how the accounts of younger users are handled to shield minors from potentially inappropriate interaction with strangers. 

    On Wednesday, TikTok’s Head of US Safety, Eric Han, said that any account registered to a user aged between 13 and 15 will now be private by default, which limits who can view and comment on any content they post.
    When an account is set to private, only approved followers can view and interact with content created by the account holder on the video-sharing platform, and furthermore, users between 13 and 15 can now choose between allowing only friends to comment on their videos — or no-one. 
    TikTok’s “Suggest your account to others” option has also been set to “Off” by default for this age group.
    “We want our younger users to be able to make informed choices about what and with whom they choose to share, which includes whether they want to open their account to public views,” Han commented. “By engaging them early in their privacy journey, we can enable them to make more deliberate decisions about their online privacy.”
    The switch to private-by-default is not the only change impacting this age group. From now, Duet and Stitch will also only be available to users aged 16 and over and will be set to friends only by default. 
    TikTok Duet is a video collaboration feature for creating content based on an original piece, with the two videos displayed side by side. Stitch is another way to ‘remix’ content by plucking elements out of an original clip and building upon it.

    Both options are ways for TikTok content to spread further and to facilitate communication between users, but when minors and their privacy are thrown into the mix, app developers need to be careful — or potentially face accusations of failing to safeguard the information and privacy of younger audiences. 
    Another important change TikTok has implemented is only permitting videos to be downloaded when they have been created by those aged 16 and over. For users between 16 and 17 years of age, the default option to allow their content to be downloaded will be set to “Off,” unless they choose to permit it. 
    As TikTok, owned by ByteDance, has become popular with young and teen users worldwide over the past few years, the app began implementing additional privacy controls to help bring the app into line with regulations designed to protect child privacy online, such as the US’s child privacy act COPPA. 
    In the US, TikTok for Younger Users caters to users aged 13 and below.
    The app has also restricted direct messaging for younger users, as well as the buying and sending of virtual gifts. In 2020, TikTok introduced “Family Pairing,” which allows parents to remotely control their child’s account.
    “We know there is no finish line when it comes to protecting users,” Han says. “We’ll continue to evolve our policies, work closely with regulators and experts in minor safety, and invest in our technology and teams so that TikTok remains a safe place for everyone to express their creativity.”

  • Hackers have leaked the COVID-19 vaccine data they stole in a cyberattack

    Hackers have leaked the information they stole about the COVID-19 vaccines as part of a cyberattack targeting the European Union’s medical agency, the organisation has admitted.
    The attack against the European Medicines Agency (EMA) was first disclosed last month and now it has been determined that those behind the hack gained access to information about coronavirus medicines.
    “The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet. Necessary action is being taken by the law enforcement authorities,” the EMA said in a statement.


    “The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access,” the EMA added.
    The EMA’s work and the European medicines regulatory network are unaffected by the breach, and the approval and distribution of COVID-19 vaccines hasn’t been disrupted.
    A previous update revealed that hackers gained access to the information by breaching one undisclosed IT application – and that the attackers were specifically targeting data related to COVID-19 medicines and vaccines. The investigation into the attack is currently still ongoing.

    It isn’t the first time pharmaceuticals firms and other organisations involved in COVID-19 vaccine development and distribution have been targeted by hackers. The UK’s National Cyber Security Centre (NCSC) has previously warned that universities and scientific facilities are being targeted by state-sponsored hacking groups attempting to gain access to research data.
    Microsoft has also issued a warning that state-sponsored hacking operations have been targeting coronavirus vaccine producers, while the World Health Organisation has also issued warnings over an increase in cyberattacks targeting health.
