Subscribe to this bi-weekly newsletter here!
Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
Portland, Oregon has become the first US city to ban the use of facial recognition tech by private businesses.
Other cities like Boston, San Francisco, and Oakland have enacted similar laws prohibiting public institutions from using facial recognition, but Portland’s is the most stringent ban as it bars both public and private use of the technology.
While the law restraining public use is now in effect, the private-use ban is expected to take effect starting January 1, 2021. The latter will bar stores, banks, restaurants, public transit stations, homeless shelters, doctors’ offices, rental properties, and retirement homes from using facial recognition.
There are some exceptions however: public schools, private clubs, places of worship, workplaces, and the Portland International Airport are not covered by the ban.
The deployment of facial recognition software has been a contentious global issue due to racial and ethnic biases, and issues with misidentifying people, as well as obvious concerns over surveillance.
Unlike many other biometrics-based systems, facial recognition can be used for general surveillance in combination with public video cameras, and in a manner that doesn’t require the knowledge, consent, or participation of the people.
India, for example, is in its early stages of building a centralized web application that aims to be the foundation for a “national level searchable platform of facial images.”
Complicating the matter further is the absence of adequate regulation governing its use.
As a consequence, Amazon, Microsoft, and IBM announced self-imposed moratoriums on police use of their software in the US to “give Congress enough time to implement appropriate rules.”
But as revealed by OneZero back in May, Amazon has also been silently lobbying Portland city council commissioners since last year to water down the legislation, including how the term ‘facial recognition’ was defined.
Now that the city has passed a strict ban, it will be interesting to see if it inspires other states to enforce similar measures.
“The problem here is that technology is being increasingly used to track people,” Abine CEO Rob Shavell told me over a chat last week. “It’s therefore essential that governments regulate and deploy them in a manner that’s transparent and protects user privacy.”
Because once surveillance gets legitimized and normalized, it’s hard to roll it back. It’s now or never.
What’s trending in security?
China unveiled a new data security initiative, Ireland’s data protection watchdog asked Facebook to suspend data transfersfrom the EU to the US, and Yubico launched ‘YubiKey 5C NFC’ with USB-C and NFC support.
- China unveiled a new data security initiative with an aim to respect “data sovereignty.” As per the rules, Beijing will not ask Chinese companies to transfer overseas data to the Chinese government in breach of other countries’ laws, and “called on states to oppose mass surveillance against other states, and not to request domestic companies to store data generated and obtained overseas in their own territory.” [Global Times]
- Ireland’s data protection watchdog, the Data Protection Commission (DPC), sent Facebook a preliminary order to suspend data transfers from the EU to the US. The move comes almost two months after a landmark ruling nullified the “Privacy Shield” transatlantic data transfer framework over concerns that European users aren’t immune to American government surveillance once their personal data has shifted to US data centers. [The Wall Street Journal]
- With COVID-19 vaccine research coming under a wave of cyberattacks, the US Department of Defense and the National Security Agency (NSA) joined hands to protect Operation Warp Speed, a program designed to accelerate vaccine development in the US. [CyberScoop]
- Seven years after former NSA contractor Edward Snowden blew the whistle on bulk collection of Americans’ telephone records, the US Court of Appeals for the Ninth Circuit ruled that the NSA’s mass surveillance program was illegal. [Reuters]
- New research from Mozilla found that web browsing histories can be used to uniquely identify users, just like other browser fingerprinting techniques. [Mozilla]
- Yubico, the maker of physical security keys for multi-factor authentication, launched ‘YubiKey 5C NFC’ with USB-C and NFC support for $55. [Yubico]
- A leaked FBI bulletin obtained by The Intercept found that cops are worried criminals are using internet-connected smart doorbells, such as Amazon’s Ring doorbells, to spy on law enforcement. [The Intercept]
- Kaspersky researchers detailed a new Android spyware called Crimson Server distributed by the Transparent Tribe APT targeting Indian military and government personnel. [Kaspersky – Part I / Part II]
- A China-based hacking group named TA413 has been sending European diplomatic officials and Tibetan dissidents spear-phishing emails that distribute an intelligence-collecting Trojan dubbed “Sepulcher.” [Proofpoint]
- Apple accidentally approved “Shlayer” malware to run on macOS, making it the first time a rogue software bypassed notarization — an automated vetting process which scans apps for security issues and malicious content. The malware was found being used in an active adware campaign that disguised itself as a fake Adobe Flash update. [WIRED]
- Privacy-focused chat app Threema announced it plans to go open-sourced within the next 3 months. [ZDNet]
- Tesla CEO Elon Musk confirmed the company’s Nevada factory was the target of a foiled cyberattack that allegedly involved a Russian national Egor Igorevich Kriuchkov, who attempted to recruit and bribe a Tesla employee to introduce malware in the company’s network. [Teslarati]
- The last fortnight in data breaches, leaks and ransomware: American Payroll Association, Chile’s BancoEstado, Cygilant, Argentina’s immigration agency Dirección Nacional de Migraciones, ETERBASE, Pakistan’s K-Electric, Norwegian Parliament, Telmate, and Warner Music Group.
Even as ransomware attacks across the world are becoming more frequent, mobile ransomware Trojans are on a downward trend. According to Kaspersky’s IT Threat Evolution report, the number of detected installation packages for mobile ransomware Trojans has decreased from 4,339 the previous quarter to 3,805 for the three month period from April to June.
“It is much harder to extort cash from users than to steal the bank account data right away,” the cybersecurity firm says. “At the same time, the device needs to be previously infected in either case, so with the costs being equal, cybercriminals will choose the path of least resistance, i.e. theft.”
The other reason is that a factory reset of the phone will get the device back to a working state, forcing cybercriminals to keep their malware undetected on the device for as long as possible. But doing so runs counter to the very idea of ransomware.
Tweet of the week
That’s it. See you all in two weeks. Stay safe!
Ravie x TNW (ravie[at]thenextweb[dot]com)