"We care about our customers."
(Tongue in cheek and fingers crossed behind back)
Apple's ramp up in iOS privacy measures has affected small data brokers, yet apps can still collect group-oriented data and identify users via device fingerprinting, according to a study out of Oxford. What's more, the researchers claim, Apple itself engages in and allows some forms of tracking, which serve to strengthen its …
If the users voluntarily submit data sufficient to track them across apps, like an email address, once the app sends it to e.g. Facebook's servers there isn't anything Apple can do to limit what Facebook does with it. Sure, it is possible to use a different email address for different services, but very few people choose to do so, so it is an even better identifier since it will follow you to new phones, your PC, etc.
Never mind apps for stuff like banking/finance or dating where providing personally identifying information is sort of required for the app to function at all.
Apparently these researchers thought Apple could wave a magic wand and fix all privacy problems? All they could do is stop providing apps the means to track, which they were doing in the form of IDFA.
Now maybe Apple could provide apps the option of getting some sort of special privacy designation in the App Store if they committed to not sharing any personally identifying information with anyone else (which would probably require not using Google's libraries) but neither they nor the end user would have any way of knowing whether they comply.
Apple provided Hide My Email functionality for exactly this reason. No more mucking about managing email aliases; just click the option to generate a new hidden email alias when registering on a website. Because it’s so easy, I imagine a lot of people are using this, myself included.
Hide My Email only works for a new app/website. If you already have say a Facebook account or Reg login, unless you start from scratch as a new user you can't use it.
I agree it is a nice thing, but most of us already have so many accounts using our real unhidden email address it is closing the barn door when the horse is already in the next county.
Why would Hide My Email not work with El Reg's profile edit option?
Safari on your iPhone, iPad, iPod touch and Mac when filling in a web form or creating an account for an app or website that does not support Sign in with Apple
Frankly I am really surprised that there are any IT professionals left using the same email address for different personal-use registrations. Even my resolutely non-technical friends have mostly now understood the advantage in appending ".companyname" to the email address they hand out for any registration and are using it for all new registrations.
My current battle is to get them all to use password managers for every website so they no longer need to choose or remember passwords.
Using the "same" email address modified in a way that results in it being delivered to a single email address is well known by those using them to track personal behavior. You won't fool them using a '+' address or equivalent.
The problem is not with voluntary data submission. If I choose to activate 2FA then I provide my phone number, that's my choice.
The problem is with all the tracking that's done without consent. The fact that ad agencies are basically finding out who you are as soon as you connect, and they're following you all the way whether you like it or not.
I use Firefox with NoScript and uBlock Origin, or Brave. I like to think that I'm rather invisible to ad companies, until I actually make a purchase somewhere. I like to think that, but I'm not sure.
I would like to be sure.
If you read the article this has nothing to do with voluntary user supplied data like an email address. It is to do with device fingerprinting and tracking using hidden identifiers without user consent.
If you want to have a problem with the article or research go for the classification of Crashlytics as a tracking library. Obviously I haven't read the code so it might be doing some behind the scenes tracking for Google but for the app dev it is reporting on crashes and errors and is not a tracking or advertising library. I doubt the usefulness of a tracking library that only tracks users for whom your app is crashing.
Similarly Firebase Analytics is not necessarily a tracking library but it can be used for that depending on how you implement it. Merely detecting the existence of one of these libraries and declaring the app tracks its users is poor science imo.
@iron I agree it is poor science, some of their conclusions about the effect of ATT on tracking rely on assumptions (Crashlytics and Firebase Analytics).
Though not all their conclusions rely on assumptions. Their conclusion that ATT is beneficial in regard to IDFA is supported by their tests: 26% of apps using it before ATT, none of those apps using it after.
One set of figures in their study is interesting though: “firebaseinstallations.googleapis.com got called by 4.1 percent of apps prior to ATT and 47.4 percent after.” Though not a conclusion, it could suggest that because IDFA can’t be used it is being replaced with Firebase Analytics to do tracking.
Finally with Apple’s stance on privacy, it does seem a little hypocritical of them to exempt their advertising technology. Surely Apple should abide by the same privacy rules they apply to others.
The article first mentions "cohort tracking", which no one cares about.
The only claim about individual tracking was nine apps that create an "AAID" in an unspecified way suggested to be fingerprinting. Without knowing what those apps are we can't tell what information they might have on individuals to be able to do so.
It isn't clear to me what avenues there are for this, especially on iPhone where there are many millions of each model. Bit easier on the Android side if you buy a phone that sold less than a million, then you install an SD card which further reduces you, then you use a different browser which could put you in a class of a few hundred. Wouldn't take much more (installed browser extensions perhaps) to perhaps uniquely identify such a person. But someone with a Galaxy S22 where they will sell 10 or 20 million of them who uses the system default browser and doesn't tweak much? Good luck fingerprinting their device!
Maybe if we could access the paper we could tell what ways they think we are being fingerprinted, but I'm still gonna bet those nine apps got hold of your email address or some other voluntarily submitted bit of personal data and hashed that into an "AAID", unless they found some backdoor way to access something they shouldn't be able to like a list of all the apps installed on the phone.
If they want to uniquely identify someone, using their IP address is still the best way. Most IPs rarely change even if they aren't static, so if you are using it from home wifi they can know it is you. Or one of a few in your household if you have multiple people with the same phone. That's not device fingerprinting though, and doesn't require the app to do anything - the server can do that by itself. Only way around that is a VPN. Now if Apple made use of a VPN to hide your location the default someday that would REALLY upset the data collection cartel!
*
So...was it a throw-away email address?
*
So........is it IDEA.....or AES......or blowfish.......or some other type of encryption?
*
The snoops here who are worrying about email addresses are COMPLETELY MISSING THE POINT!!
Biting the hand that feeds IT © 1998–2022