Apple Debuts New Privacy-Focused iPhone Billboards in Canada

Apple has debuted two new billboards in Canada that underline the company's privacy stance, following a similar privacy-focused marketing campaign in Las Vegas during the Consumer Electronics Show back in January.



The new billboards were spotted in Toronto and shared on Twitter by Matt Elliot and Josh McConnell. The first one has been put up right outside of Sidewalk Labs – a Google-owned company – and includes a slogan which reads: "We're in the business of staying out of your business."

The second billboard, located on King Street, simply reads "Privacy is King."


This year, Apple has been heavily promoting its privacy focus compared to other tech companies like Google. Apple's Las Vegas billboard, put up ahead of CES 2019, played on the well-known tourism saying: "What happens in Vegas, stays in Vegas." The sign read, "What happens on your iPhone, stays on your iPhone." Apple was reminding the tech industry of its heavy emphasis on privacy, with the billboard offering up a link to Apple's dedicated privacy website.

Apple has also made privacy-focused iPhone ads that have aired in various TV markets globally. For example, one ad starts with the tagline "privacy matters" and then shows a variety of humorous, if slightly awkward, everyday situations in which people would want their privacy protected.

Apple has long said it believes privacy is a "fundamental human right," and as part of that, it aims to minimize its collection of customer data and disassociate it from an individual user when it does.


This article, "Apple Debuts New Privacy-Focused iPhone Billboards in Canada" first appeared on MacRumors.com


Telegram Messenger Service Suffers Cyberattack Originating From China

The CEO of messaging service Telegram has suggested that a recent cyber attack on the encrypted chat platform was the work of the Chinese government as part of an attempt to disrupt use of the app to coordinate ongoing protests in Hong Kong.

Telegram founder Pavel Durov said the messaging service experienced a "state actor-sized" distributed denial of service (DDoS) attack yesterday and this morning after "garbage requests" flooded its servers and disrupted communications.

DDoS attacks typically work through the use of botnets – often operating on hijacked computers infected with malware – which bombard servers with redundant requests to prevent them from processing legitimate requests.


Most of those requests came from IP addresses originating in China and appeared to coincide with protests in Hong Kong, Durov said in a later Twitter post.

Protesters in the hundreds and thousands have been marching through Hong Kong's streets this week in opposition to a controversial law that would allow people in the city to be extradited to China.

Chinese state media have condemned the protests, which they claim are being motivated by outside forces and risk undermining social stability in the region.

This isn't the first time apps have been blocked in Hong Kong. In 2014, China's cyberspace administration cut access to Instagram during the city's Umbrella Movement, which used umbrellas as a tool of passive resistance to the police's use of pepper spray on protestors who were seeking more transparent elections.



This article, "Telegram Messenger Service Suffers Cyberattack Originating From China" first appeared on MacRumors.com


Apple and Other Tech Giants Condemn GCHQ Proposal to Eavesdrop on Encrypted Messages

Apple and other tech giants have joined civil society groups and security experts in condemning proposals from Britain's cybersecurity agency that would enable law enforcement to access end-to-end encrypted messages (via CNBC).

British Government's Communications HQ in Cheltenham, Gloucestershire

In an open letter to the U.K.'s GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp urged the U.K. eavesdropping agency to ditch plans for its so-called "ghost protocol," which would require encrypted messaging services to direct a message to a third recipient, at the same time as sending it to its intended user.

Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis, published details of the proposal in November 2018. In the essay, Levy and Robinson claimed the system would enable law enforcement to access the content of encrypted messages without breaking the encryption.

The officials argued it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," and claimed this would be "no more intrusive than the virtual crocodile clips," which are currently used in wiretaps of non-encrypted chat and call apps.

Signatories of the letter opposing the plan argued that the proposal required two changes to existing communications systems that were a "serious threat" to digital security and fundamental human rights, and would undermine user trust.

"First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.

"Second, in order to ensure the government is added to the conversation in secret, GCHQ's proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.

"The overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people. The GCHQ's ghost proposal completely undermines this trust relationship and the authentication process."

Apple's strong stance against weakened device protections for the sake of law enforcement access was highlighted in the 2016 Apple vs. FBI conflict that saw Apple refuse to create a backdoor access solution to allow the FBI to crack the iPhone 5c owned by San Bernardino shooter Syed Farook.

Responding to the open letter, which was first sent to GCHQ on May 22, the National Cyber Security Centre's Ian Levy told CNBC: "We welcome this response to our request for thoughts on exceptional access to data — for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion."

"We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible," Levy said.



This article, "Apple and Other Tech Giants Condemn GCHQ Proposal to Eavesdrop on Encrypted Messages" first appeared on MacRumors.com


Apps Are Using Background App Refresh to Send Data to Tracking Companies

When Background App Refresh is enabled, some iOS apps are using the feature to regularly send data to tracking companies, according to a privacy experiment from The Washington Post that explores the relationship between apps and tracking companies.

The Washington Post's Geoffrey Fowler teamed up with privacy firm Disconnect and used specialized software to see what his iPhone was doing and when. And while it's no surprise that apps are using trackers and sharing user data, the frequency with which apps took advantage of background refresh to send data off to tracking companies is surprising, as is some of the data shared.


Fowler found that apps were sending data like phone number, email, location, IP address, and more.

"On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with."

Apps that were found passing data along included Microsoft OneDrive, Mint, Nike, Spotify, The Weather Channel, DoorDash, Yelp, Citizen, and even The Washington Post's own iOS app. Citizen shared personally identifiable information that violated its privacy policy (the tracker was later removed), and Yelp was sending data every five minutes, something the company later said was a bug.

During the course of a week of testing, Fowler ran into 5,400 trackers, mostly found within apps, which Disconnect told him would likely send 1.5 gigabytes of data over the course of a month.

Trackers within apps, for those unfamiliar, serve different purposes. Some analyze user behavior to let apps streamline advertising campaigns, combat fraud, or create targeted ads. Delivery app DoorDash, for example, was found using a whopping nine trackers in its apps, sharing data like device name, ad identifier, accelerometer data, delivery address, name, email, and cellular phone carrier.

DoorDash also has trackers from Facebook and Google Ad Services, which means Facebook and DoorDash are notified whenever you're using the DoorDash service. DoorDash is not alone in sending tracking data, nor are the apps listed above - using tracking information is standard practice - but most people aren't aware that it's happening.

Not all data collection is bad, such as when it's anonymized and stored for a limited period of time, but some trackers are collecting specific user information and don't provide clear information on how long that data is stored or who it's shared with.

As Fowler points out, there is no way to know which apps are using trackers and when that data is being sent from your iPhone, nor does Apple have tools in place that give iPhone users a way to see which apps are using trackers and for what purpose. Apple was contacted for comment, but provided a standardized privacy response.

"At Apple we do a great deal to help users keep their data private," the company says in a statement. "Apple hardware and software are designed to provide advanced security and privacy at every level of the system."

"For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store," Apple says.

Fowler suggests Apple could require apps to label when they're using third-party trackers, while privacy company Disconnect suggests greater privacy controls in iOS to give users more control over their data.

iOS users concerned about the data apps are sending, especially at night and without user knowledge, can turn off Background App Refresh in the Settings app and can use a VPN like Disconnect's Privacy Pro to limit the data apps are able to send to third-party sources.


This article, "Apps Are Using Background App Refresh to Send Data to Tracking Companies" first appeared on MacRumors.com


Craig Federighi Responds to Google’s Subtle ‘Luxury Good’ Dig About Apple Products and Privacy

In a recent op-ed for The New York Times, Google CEO Sundar Pichai said that "privacy cannot be a luxury good offered only to people who can afford to buy premium products and services," a comment that some viewed as a dig at Apple.

Craig Federighi at WWDC 2018

Apple's software engineering chief Craig Federighi has unsurprisingly disagreed with that position in an interview with The Independent, noting that Apple aspires to offer great product experiences that "everyone should have," while cautioning that the values and business models of other companies "don't change overnight."

"I don't buy into the luxury good dig," says Federighi, giving the impression he was genuinely surprised by the public attack.

"On the one hand gratifying that other companies in space over the last few months, seemed to be making a lot of positive noises about caring about privacy. I think it's a deeper issue than then, what a couple of months and a couple of press releases would make. I think you've got to look fundamentally at company cultures and values and business model. And those don't change overnight.

"But we certainly seek to both set a great example for the world to show what's possible to raise people's expectations about what they should expect the products, whether they get them from us or from other people. And of course, we love, ultimately, to sell Apple products to everyone we possibly could certainly not just a luxury, we think a great product experience is something everyone should have. So we aspire to develop those."

Federighi emphasizes Apple's commitment to privacy throughout the interview, noting that the company aims to collect as little data as possible. When it does collect data, Apple uses technologies like Differential Privacy to ensure that the data cannot be associated with any individual user.

Federighi also refutes criticism about Apple's products and services being worse off because of its pro-privacy position:

"I think we're pretty proud that we are able to deliver the best experiences, we think in the industry without creating this false trade off that to get a good experience, you need to give up your privacy," says Federighi. "And so we challenge ourselves to do that sometimes that's extra work. But that's worth it."

As an example of Apple's privacy efforts, the article provides a look inside Apple's "top secret testing facilities" where its Secure Enclave chips for devices like the iPhone, iPad, Mac, and Apple Watch are said to be "stress tested" based on "extreme scenarios" like ice-cold -40°F or blazing-hot 230°F temperatures.

One of Apple's chip-testing labs (Brooks Kraft/Apple via The Independent)

Within these testing facilities near Apple Park is said to be "a huge room" with "highly advanced machines" that heat, cool, push, shock, and abuse chips before they make their way inside Apple devices, but no further details were shared.

The lengthy interview goes on to discuss Apple's dispute with the FBI over its refusal to unlock an iPhone used by the shooter in the 2015 San Bernardino attack, as well as Apple's decision to store iCloud data in China on servers overseen by GCBD, a company with close ties to the Chinese government.


This article, "Craig Federighi Responds to Google's Subtle 'Luxury Good' Dig About Apple Products and Privacy" first appeared on MacRumors.com


Instagram Website Flaw Exposed Users’ Phone Numbers and Email Addresses

A security researcher found a flaw in Instagram's website that caused thousands of users' email addresses and phone numbers to be exposed online for several weeks, it was revealed on Thursday.

David Stier, a data scientist and business consultant, told CNET the website source code for some Instagram user profiles included the account holder's contact information whenever it loaded in a web browser.

Although the contact information was available in Instagram's mobile app if users chose to reveal it in their profile, it was never displayed on the desktop version of the Instagram website, so it's unclear why the details were exposed.

The leaked contacts are said to have come from thousands of accounts belonging to private individuals, including minors, as well as businesses and brands. Stier alerted Instagram to the problem shortly after discovering it in February, and the photo-focused social platform issued a patch in March.

According to Stier, including the details in the source code could have let hackers scrape the data from the website relatively easily and use it to compile a database listing the contact information of thousands of Instagram users.

A similar data haul may have already occurred. On Monday it was revealed that a database containing contact information for millions of Instagram influencers, celebrities, and brand accounts had been leaked online.

The records included public data pulled from Instagram, such as profile picture, biography, and follower numbers, but also private contact information like phone numbers and email addresses.

The database was initially uploaded and shared by Mumbai-based social media marketing firm Chtrbox, a company that pays Instagram influencers to share sponsored content. Though uploaded by Chtrbox, the database included info from influencers who have never worked with the company.

In a statement, Chtrbox said the information in its database wasn't private and that it didn't source the information through unethical means.

Instagram parent company Facebook said on Monday that it was investigating the Chtrbox database. "We're also inquiring with Chtrbox to understand where this data came from and how it became publicly available," said Facebook.

A similar privacy incident befell the social media platform in August 2017, when a bug related to an Instagram API allowed hackers to breach multiple high-profile Instagram accounts belonging to celebrities.


This article, "Instagram Website Flaw Exposed Users' Phone Numbers and Email Addresses" first appeared on MacRumors.com


Apple Shares New ‘Inside Joke’ Privacy-Focused Video Highlighting iMessage Encryption

Apple today shared a humorous new privacy-focused video on its YouTube channel, which is designed to highlight the end-to-end encryption feature in the Messages app.

In the minute-long video, a woman is at a nail salon getting a pedicure, and she's receiving iMessages and cracking up at them over and over again. The viewer is never given a look at what she's seeing that's so funny, which emphasizes the fact that messages are private.


The end of the video features the tagline "iMessage encrypts your conversations because not everyone needs to be in on the joke."

Apple has shared several other privacy-focused videos in recent months, including a "Privacy Matters" spot and a video that highlights limited ad tracking in Safari.


This article, "Apple Shares New 'Inside Joke' Privacy-Focused Video Highlighting iMessage Encryption" first appeared on MacRumors.com


Facebook Harvested Email Contacts of 1.5 Million Users Without Their Consent

Facebook harvested the email contacts of 1.5 million users without their knowledge or consent and used the data to build a web of their social connections, it emerged today. Business Insider reports that Facebook began collecting the contact lists in May 2016 when new users opened a new account on the social network.


The harvesting occurred when users were offered email password verification as an option to verify their identity when signing up to Facebook, a method widely condemned by security experts. In some cases if users did enter their password, a pop-up message would appear informing them that it was "importing" their contacts, without even asking their permission to do so.

These contacts were then fed into Facebook's database systems and used to build a map of users' social links and inform recommended friends on the social network. It's not clear if the data was also used for ad-targeting purposes.

In a statement given to Business Insider, the company said that these email contacts had been "unintentionally uploaded" to Facebook when users created their account.

It also said that prior to May 2016, it offered an option to verify a user's account and voluntarily upload their contacts at the same time. However, the feature was changed and the text informing users that their contacts would be uploaded was deleted, but the underlying functionality was not. Facebook says at no point did it access the content of users' emails.

"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."

The news is just the latest addition to a long list of privacy blunders and violations by Facebook. In March, for example, it emerged that between 200 and 600 million Facebook users may have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included.

That was followed earlier this month by news that cybersecurity researchers had discovered millions of Facebook records publicly accessible on Amazon's cloud servers, after the data was uploaded by third-party companies that work with Facebook.

In yet another development just this week, over 4,000 pages of documents from 2011 to 2015 were leaked which provide insight into how Facebook took advantage of user data while publicly promising to protect user privacy before and after its 2015 move to end broad access to user data.


This article, "Facebook Harvested Email Contacts of 1.5 Million Users Without Their Consent" first appeared on MacRumors.com


Mozilla Launches Petition Urging Apple to Reset Interest-Based Ad Identifiers on Monthly Basis

Mozilla, the company behind Firefox, today launched a petition urging Apple to reset the unique IDs used to serve interest-based ads in the App Store and Apple News apps on the iPhone, iPad, iPod touch, and Apple TV on a monthly basis.


Mozilla takes aim at Apple's recent iPhone privacy ad in a blog post:

Apple's latest marketing campaign — "Privacy. That's iPhone" — made us raise our eyebrows.

It's true that Apple has an impressive track record of protecting users' privacy, from end-to-end encryption on iMessage to anti-tracking in Safari.

But a key feature in iPhones has us worried, and makes their latest slogan ring a bit hollow.

Each iPhone that Apple sells comes with a unique ID (called an "identifier for advertisers" or IDFA), which lets advertisers track the actions users take when they use apps. It's like a salesperson following you from store to store while you shop and recording each thing you look at. Not very private at all.

These identifiers can already be manually reset under Settings > Privacy > Advertising on iOS devices and under Settings > General > Privacy on Apple TV, but Mozilla is asking for "a real cap" with an automatic monthly reset to make it "harder for companies to build a profile about you over time."


"If Apple makes this change, it won't just improve the privacy of iPhones — it will send Silicon Valley the message that users want companies to safeguard their privacy by default," wrote Ashley Boyd, Mozilla's VP of Advocacy.

Interest-based ads in the App Store and Apple News app are based on information such as your App Store search history and Apple News reading history. Apple makes it easy to opt out, but Mozilla argues that "most people don't know that feature even exists, let alone that they should turn it off."

We'll provide an update if Apple responds.


This article, "Mozilla Launches Petition Urging Apple to Reset Interest-Based Ad Identifiers on Monthly Basis" first appeared on MacRumors.com
