THE KEY

Tech companies have been in the spotlight in recent months as the Cambridge Analytica scandal and other controversies have brought concerns about deceptive data practices to the forefront of national debate. But while Facebook has so far been facing the most intense scrutiny from lawmakers and regulators, Google could be next in line. 

Google is drawing fire from the privacy community for quietly tracking the location of smartphone users -- even when they took specific steps to prevent the tech giant from doing so. The practice was revealed last week by the Associated Press, which reported that Google services on Android devices and iPhones stored users’ location data even if they turned off the setting known as “Location History.” 

The move could bring the company new attention from lawmakers. Sen. Richard Blumenthal (D-Conn.) has already spoken out, criticizing Google on Twitter.

It could also prompt action from federal privacy regulators. Blumenthal and Sen. Edward J. Markey (D-Mass.) asked the Federal Trade Commission to look into Google's location tracking earlier this year, so the issue is likely already on the commission's radar. And on Friday, the nonpartisan Electronic Privacy Information Center, or EPIC, told the commission in a letter that Google’s practice violates a 2011 settlement between Google and the FTC requiring the company to be transparent about the data it collects on users. 

“If the FTC does not enforce its Order, Google will perceive it as a suggestion,” wrote EPIC, which brought the initial complaint that led to Google’s settlement. “This is an opportunity for the FTC to make clear that the Commission will stand behind its judgments.”

Google entered the settlement after the FTC accused the company of privacy violations related to its now-defunct social network, Google Buzz, including publicizing users’ most frequent email contacts without permission. The agreement bars the company from misleading consumers about how they can control the collection or use of their information. 

The FTC typically doesn’t comment on investigations unless a company announces that it’s subject to one, so it’s difficult to gauge whether Google's location tracking would result in an inquiry from regulators. But the FTC may have a “plausible case” given the delicate nature of location data, said Justin Brookman, former policy director for the FTC’s Office of Technology Research and Investigation.

The commission has “been adamant that geolocation information is very sensitive, it's very revealing, and it's also very personal,” Brookman, now the director of consumer privacy and technology policy at Consumers Union, told me. “They have to ask, 'What's the average person going to think when they see that [Location History] control?'”

The FTC is currently investigating whether Facebook violated its own settlement with the commission when it shared data on tens of millions of users with Cambridge Analytica.

Other privacy advocates also questioned whether Google's location tracking ran afoul of the settlement, among them Ashkan Soltani, former chief technologist for the FTC; Whitney Merrill, a former FTC attorney; and Matthew Stoller, a fellow at the anti-monopoly Open Markets Institute and a former congressional staffer.

As of last week, Google told users on its support page that if they disabled “Location History” on their devices, “the places you go are no longer stored.” But that wasn’t true, the Associated Press reported.

“Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it.)

For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like ‘chocolate chip cookies,’ or ‘kids science kits,’ pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account.

The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.”

Google has since updated its description to say that it continues to track users even after they turn off “Location History.” The company told the AP that it provided “clear descriptions” of its tools and that it has “been updating the explanatory language about Location History to make it more consistent and clear across our platforms and help centers.”

PINGED, PATCHED, PWNED

PINGED: Reuters on Friday reported another FBI investigation into a cyberattack against a Democratic congressional campaign in California. The campaign of David Min, who lost in a June primary election in California’s 45th Congressional District, discovered the extent of the attack after Min's team sought assistance from software developers who were based in the same rented workspace facility, Reuters's Joel Schectman and Christopher Bing reported. The facility manager informed Min's team in late March that the Internet provider for the facility found signs that campaign computers could have been hacked.

“The software developers discovered that hackers had placed software into the computers of Min’s campaign manager and finance director that recorded and transmitted keystrokes,” Schectman and Bing wrote. “The hackers had also infected the computers with software that made it undiscoverable by the off-the-shelf anti-virus software used by the campaign staff.” Min's four-person staff informed the Democratic Congressional Campaign Committee about the cyberattack, and the DCCC informed the FBI.

The attack against Min's team highlights the hurdles that smaller campaigns encounter in trying to defend themselves against hacking, according to Reuters. “Ultimately, the campaign’s defense was limited to replacing the infected machines and a future commitment to using encrypted messaging apps,” Schectman and Bing wrote. Earlier last week, Rolling Stone's Andy Kroll reported that the FBI investigated cyberattacks against the campaign of Democrat Hans Keirstead, who also lost in a primary in June. Keirstead unsuccessfully ran in California for the U.S. House seat of Rep. Dana Rohrabacher, a Republican who has repeatedly expressed support for Russia.

PATCHED: National security adviser John Bolton on Sunday said the Trump administration's concerns about foreign interference in U.S. elections don't focus solely on Russia but also extend to China, Iran and North Korea, The Washington Post's Carol Morello reported. When asked by Martha Raddatz on ABC News's “This Week” whether he had “seen any credible evidence” of Chinese interference in American elections following a tweet by President Trump on Saturday about China, Bolton replied: “Well, I can say definitively that it's a sufficient national security concern about Chinese meddling, Iranian meddling and North Korean meddling that we're taking steps to try and prevent it. So, it's all four of those countries, really.”

Bolton said one of his priorities is to use “the full range of our capabilities” to defend elections and other “vulnerable systems” in the government and in the private sector against cyberattacks, adding that the Trump administration supports “peace in cyberspace.”

“And to do that, I think you need to establish structures of deterrence so that our adversaries who have conducted cyber-operations against us or who are contemplating it come to understand they will pay a much higher price if they do that than if they simply refrain,” Bolton said. “That's why offensive cyber-operations are potentially so important. If you're simply always on the defensive, you're not going to create structures of deterrence, which is what we aim to do.”

PWNED: Law enforcement agencies in eight countries earlier this year took part in a coordinated operation to hinder the Islamic State's propaganda capacities, but the reemergence of extremist content online since then illustrates the difficulties of fighting the “virtual caliphate,” The Washington Post's Joby Warrick reported on Sunday. “In the two-day operation in April, police seized computers and network servers across Europe and North America and blocked Internet portals used by the terrorist group’s radio broadcaster, al-Bayan, and its official news agency, Amaq,” my colleague wrote. “Yet, less than a week later, Amaq suddenly reappeared at a different Web address, forcing the governments to pounce again. Then it surfaced a third time. And a fourth.”

Additionally, the group has increasingly moved its online efforts to the encrypted messaging app Telegram in order to continue posting propaganda. “Shifting from a website to an encrypted app arguably makes it harder for the Islamic State to connect with its followers, especially newcomers who might normally look for Amaq’s latest offerings by visiting a website or using a search engine,” according to Joby. “But among the group’s core supporters, Amaq postings on Telegram are often shared hundreds or even thousands of times, ensuring wide circulation.”

PUBLIC KEY

— The government has opened a new front in its struggle against tech companies over encryption. “The U.S. government is trying to force Facebook Inc to break the encryption in its popular Messenger app so law enforcement may listen to a suspect’s voice conversations in a criminal probe, three people briefed on the case said, resurrecting the issue of whether companies can be compelled to alter their products to enable surveillance,” Reuters's Dan Levine and Joseph Menn reported Friday.

The case originated in Fresno, Calif., and is linked to an investigation into the MS-13 gang. “The judge in the Messenger case heard arguments on Tuesday on a government motion to hold Facebook in contempt of court for refusing to carry out the surveillance request, according to the sources, who spoke on condition of anonymity,” Reuters reported. Should the federal judge rule in favor of the government, public authorities might later set their sights on other applications. “If the government prevails in the Facebook Messenger case, it could make similar arguments to force companies to rewrite other popular encrypted services such as Signal and Facebook’s billion-user WhatsApp, which include both voice and text functions, some legal experts said,” Levine and Menn wrote.

— “Housing Secretary Ben Carson accused Facebook on Friday of enabling illegal housing discrimination by giving landlords and developers advertising tools that made it easy to exclude people based on race, gender, Zip code or religion — or whether a potential renter has young children at home or a personal disability,” my colleagues Craig Timberg and Tracy Jan reported. “The action, which comes after nearly two years of preliminary investigation, amounts to a formal legal complaint against the company and starts a process that could culminate in a federal lawsuit against Facebook. It stands accused of creating advertising targeting tools — which classified people according to interests such as ‘English as Second Language’ or ‘Disabled Parking Permit’ — that resulted in violations of the Fair Housing Act.”

— “New Jersey is poised to use some $10 million in federal and state funds to beef up election security ahead of this year’s midterm and going through 2023, Secretary of State Tahesha Way said Friday,” the Associated Press's Mike Catalini reported. “Way, who runs the agency that oversees New Jersey’s elections, unveiled the Democratic administration’s plans for spending the more than $10 million that Congress and the state set aside this year. She said her ‘one priority’ has been making sure the right to vote is secure.”

— More cybersecurity news from the public sector:

The revised version of the “Secure Elections Act” unveiled today by Senate Rules Chairman Roy Blunt (R-MO) and ranking member Amy Klobuchar (D-MN) would amend the Help America Vote Act to require states to establish a “response and communications plan for cybersecurity incidents,” in order for states to receive funding from the Election Assistance Commission. (Inside Cybersecurity)

The department wants industry’s input on how to detect malicious and counterfeit tech in the government’s supply chain. (Nextgov)

“I am going to do whatever I can personally to try to prevent these abuses,” the former CIA director said. (Felicia Sonmez and Carol Morello)

The lapse has contributed to a growing recognition that an early strategy of full cooperation with the inquiry was a potentially damaging mistake. (The New York Times)

For much of the last two years, Senate Intelligence Committee Chairman Richard Burr has been the Russia investigator who is seen but rarely heard on Capitol Hill. (Associated Press)

PRIVATE KEY

Apple said it removed illegal gambling apps from its App Store in China as it came under fire from state media—a move that could help quell the latest challenge for the tech giant in its most important market outside the U.S. (Wall Street Journal)

Co-founder Sergey Brin said he didn’t know about the China plans, which CEO Sundar Pichai said are “in an exploration stage” — despite previous reports. (The Intercept)

SECURITY FAILS

THE NEW WILD WEST

Cryptocurrency scams are using images of celebrities and upmarket London addresses to hoodwink consumers into parting with cash, Britain's Financial Conduct Authority has said. (Reuters)

FOR THE N00BS

Your phone number is increasingly tied to your online identity. You need to do everything possible to protect it. (Wired)

ZERO DAYBOOK

Coming soon

EASTER EGGS

Waltzing with Putin: Russian president attends Austrian foreign minister’s wedding

Taiwan restaurant dishes up ice cream treats almost too real to eat:

Man faces possible charges after selfie with bear: