cross-posted from: https://lemmy.sdf.org/post/36106116

Archived

[...]

According to the measures, introduced by the Ministry of Public Security (MPS), each internet user in China will be issued with a unique “web number,” or wanghao (网号), that is linked to their personal information. While these IDs are, according to the MPS notice, to be issued on a strictly voluntary basis through public service platforms, the government appears to have been working on this system for quite some time — and state media are strongly promoting it as a means of guaranteeing personal “information security” (信息安全). With big plans afoot for how these IDs will be deployed, one obvious question is whether these measures will remain voluntary.

[...]

The measures bring China one step closer to centralized control over how Chinese citizens access the internet. The Cybersecurity Law of 2017 merely stipulated that when registering an account on, say, social media, netizens must register their “personal information” (个人信息), also called “identifying information” (身份信息). That led to uneven interpretations by private companies of what information was required. Whereas some sites merely ask for your name and phone number, others also ask for your ID number — while still others, like Huawei’s cloud software, want your facial biometrics on top of it.

[...]

Beyond the key question of personal data security, there is the risk that the cyber ID system could work as an internet kill switch on each and every citizen. It might grant the central government the power to bar citizens from accessing the internet, simply by blocking their cyber ID. “The real purpose is to control people’s behavior on the Internet,” Lao Dongyan cautioned last year.

[...]

Take a closer look at state media coverage of the evolving cyber ID system and the expansion of its application seems a foregone conclusion — even extending to the offline world. Coverage by CCTV reported last month that it would make ID verification easier in many contexts. “In the future, it can be used in all the places where you need to show your ID card,” a professor at Tsinghua’s AI Institute said of the cyber ID. Imagine using your cyber ID in the future to board the train or access the expressway.

[...]

While Chinese state media emphasize the increased ease and security cyber IDs will bring, the underlying reality is more troubling. Chinese citizens may soon find themselves dependent on government-issued digital credentials for even the most basic freedoms — online and off.

An Italian parliamentary committee has confirmed that the government used the Israeli-made spyware Graphite, developed by the offensive cyber company Paragon, to hack the smartphones of several activists working with migrants.

The committee confirmed that Paragon provided Graphite to two Italian agencies, including the country's external intelligence service, starting in 2023. The version of Graphite provided did not include the ability to activate the phone's microphone or camera, the report said. Instead, it only enabled its operators access to encrypted communications on the hacked devices.

The report also confirmed that Graphite exploited a vulnerability in WhatsApp that Meta identified and patched in December 2024, one month before the spyware's activity was publicly disclosed. The vulnerability's discovery also caused "panic" at Israel's military intelligence Unit 8200, according to the recent Israeli television report.

What is DNS4EU? DNS4EU is an initiative by the European Commission that aims to offer an alternative to the public DNS resolvers currently dominating the market. Supported by the European Union Agency for Cybersecurity (ENISA), the European Union's DNS4EU secure-infrastructure project provides a protective, privacy-compliant, and resilient DNS service to strengthen the EU’s digital sovereignty and enhance digital security for European Union citizens, governments, and institutions.

The program provides robust DNS security for public institutions and their employees, ministries, local governments or municipalities, healthcare, education, and other critical services such as telecommunications providers. By working with the latter, for example, it ensures DNS resolution service for all of a telco’s customers, with minimum manual overhead for their teams.

Additionally, the DNS4EU solutions aid organizations in complying with regulatory requirements (such as GDPR) to keep data within European borders.

As these organizations often face challenges to independently developing and maintaining high-level cybersecurity measures (such as election cycles or funding), the DNS4EU project solves these challenges by providing a Europe-based, centralized, scalable solution to ensure the highest standards of security and privacy, compliant with EU regulations.

Push notification data can sometimes include the unencrypted content of notifications. Requests include from the U.S., U.K., Germany, and Israel.

Apple provided governments around the world with data related to thousands of push notifications sent to its devices, which can identify a target’s specific device or in some cases include unencrypted content like the actual text displayed in the notification, according to data published by Apple. In one case, that Apple did not ultimately provide data for, Israel demanded data related to nearly 700 push notifications as part of a single request.

The data for the first time puts a concrete figure on how many requests governments around the world are making, and sometimes receiving, for push notification data from Apple.

The practice first came to light in 2023 when Senator Ron Wyden sent a letter to the U.S. Department of Justice revealing the practice, which also applied to Google. As the letter said, “the data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”

The published data relates to blocks of six month periods, starting in July 2022 to June 2024. Andre Meister from German media outlet Netzpolitik posted a link to the transparency data to Mastodon on Tuesday.

For example, according to the data, the U.S. made 99 requests for push token data related to 345 different push tokens, and received data in response to 65 of the requests between July and December 2023. The U.K. made 123 requests, about 128 tokens, and received data in response to 111 requests in the same time period. Germany was the only other country to receive data, which was in response to 5 of the country’s requests. The Netherlands and France also requested data but did not receive any.

Israel made a single push notification data request in that time period, but it related to 694 push tokens, according to the data. Representatives of the Israeli government did not respond to a request for comment, and neither did Apple.

In another stretch of time, from January to June 2024, the U.K. received data in response to 127 requests, and the U.S. got data from 36. Germany did successfully receive some data during that period. Singapore has also made requests for data but has not received any, according to the transparency report.

Along with the data Apple published the following description: “Push Token requests are based on an Apple Push Notification service token identifier. When users allow a currently installed application to receive notifications, a push token is generated and registered to that developer and device. Push Token requests generally seek identifying details of the Apple Account associated with the device’s push token, such as name, physical address and email address.”

404 Media previously published a U.S. court record which sought access to push notification data.

In December 2023, Apple said it started to require a judge’s order to hand over push notification data. Before that, it was available with a subpoena.

About the author

Joseph is an award-winning investigative journalist focused on generating impact. His work has triggered hundreds of millions of dollars worth of fines, shut down tech companies, and much more.

I can't believe I'm on OpenAI's side here

Cross-posted from: https://lemmy.ca/post/45444332

cross-posted from: https://lemmy.sdf.org/post/35993881

[...]

Under draft legislation that the State Duma approvedat first reading on May 22, 2025, a bill will require banks and merchants to facilitate digital ruble transactions and a universal QR payment code for purchases. Beginning October 1, 2025, the digital ruble will be used for a limited range of federal budget expenditures, transitioning on January 1, 2026, to full, unrestricted use for all federal outlays.

[...]

Kremlin financiers will track every digital ruble transaction in real time, granting authorities the power to block citizens’ accounts without a court order and automatically deduct taxes, fines, and other charges. Social benefits payable in digital rubles will be usable only for government‐approved categories of goods and services, and spending may be restrictedbased on a citizen’s place of residence or product type.

[...]

Critics—from human rights groups to economic analysts—argue the digital ruble will entrench state surveillance. According to The Cryptonomist, Russia’s CBDC may replicate China’s model of monitoring every transaction, but with even tighter Kremlin oversight. Ukrainian intelligence observers highlight the risk of a “behavioral loyalty” system, where digital currency access depends on citizens’ political and social “reliability.”

Previously, it was reported that Latvia’s Defense Intelligence and Security Service released a 48-page public handbook designed to help civilians identify and report suspected Russian operatives. The guide details indicators such as ragged appearance and suspicious behavior, offers safe reporting practices, and includes case studies illustrating espionage tactics in both urban and rural settings.

[...]

cross-posted from: https://lemmy.sdf.org/post/35972832

Native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent, says a report published by a team of researchers from Spain-based IMDEA Networks Internet Analytics Group, and Dutch Radboud University.

Here is the technical report: https://localmess.github.io/

By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to map Android users’ browsing habits with their persistent identities (that is to say, with the account holder logged in). This method bypasses privacy protections offered by Android’s permission controls and even browsers’ Incognito Mode, affecting all major Android browsers. The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome’s mitigation is scheduled to go into effect very soon.

These tracking companies have been doing this bypass for a long time: since 2017 in the case of Yandex, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively. It is also worth noting that evidence of this tracking practice has been observed only on Android.

[...]

Police and federal agencies have found a controversial new way to skirt the growing patchwork of laws that curb how they use facial recognition: an AI model that can track people using attributes like body size, gender, hair color and style, clothing, and accessories.

cross-posted from: https://lemmy.ca/post/45333504

Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.

A translation of this article with a few (minor additions). I could not find an English-language article. The original article has informative illustrations.

“Archive.Today” is a popular website for access to paid media content. Well-known domain names for the website are archive.is and archive.ph (and archive.md, archive.fo, archive.li, archive.vn).

What many users do not know: The website provides users' data to Russia.

The data goes to Mail.ru and thus to the Russian Internet company VK. A look at the website with Webbkoll shows the following Russian domain names:

• privacy-cs.mail.ru
• r.mradx.net
• rs.mail.ru
• top-fwz1.mail.ru

First and foremost, top-fwz1.mail.ru/js/code.js is integrated. Further code from Russia is then loaded.

The following applies to Russian Internet companies:

“Russia demands unconditional cooperation and extensive control options from its flourishing IT economy. It is not just about the full possession of the largest social network (VK) and the largest payment service (Mail.ru), but in the case of Yandex also to influence the entire output of Yandex News.

The data collected show which Paywall content is particularly popular in western media, but could also provide insight about their users. One can speculate about the importance of such data in the hybrid Russian war against Europe and the rest of the West.

(the following part is about the most common originating news sites in Switzerland that are to be archived. It refers to the above mentioned paywall content)

Incidentally (and in addition), anyone who pays for the paid media content must (also) expect for user data to go to Russia:

«Until recently, Ringier sent - thanks to these cookies - the IP addresses of "Blick" readers to the Russian tech company Yandex. […] Yandex is also listed at «20 Minuten». The free news portsal of the TX Group also works with the platform of the Interactive Advertising Bureau. […] The NZZ also sent data to the east. The traditional company on Falkenstrasse has integrated dozens of trackers, including from Yandex and also from Rutarget, an advertising company that belongs to the Russian Sberbank, is fully controlled by the state and is on the sanction list of the United States. »

The operators of «Archive.Today» do not open their identity. Neither an impressum nor a data protection declaration can be found on the website.

“Liberapay” in France should be able to say who operates “archive.today”. If you click on the "Donate" button at "Archive.Today", you will be forwarded to the donation platform "Liberapay".

A (more) reputable alternative is the Internet Archive at Archive.org, best known for the archiving of websites at web.archive.org.

Posted to privacy@lemmy.ml, privacy@lemmy.dbzer0.com and privacy@lemmy.world

edit 2 days later:

I'm aware this isn't the biggest smoking gun ever. But this particular service is in such widespread use that I feel it's important to shine a light on it.

Of course any post with certain keywords in the title will attract weird commentary, but I think you'll find that even the most contrary ones do not dispute the facts outlined in the article - just try to play them down, or ridicule them.

It's free, it has fast servers, it doesn't ask questions of you. It's a godsent!

Archived

TikTok introduced a slew of new advertiser tools at the company’s annual advertiser summit on June 3rd. The new products range from AI-powered ad tools to new features connecting creators and brands, but the overall picture is clear: advertiser content on TikTok is about to become much more tailored and specific.

The company will give brands precise details about how their target audience is using the platform — including AI-generated suggestions on ads to run. Using a tool called Insight Spotlight, advertisers will be able to sort by user demographics and industry to see what videos users in the target group are watching and what keywords are associated with popular content. In an example provided by TikTok, an AI-generated suggestion recommends that a brand “produce video content focused on ‘hormonal health’ for female, English-speaking users” and to include a specific keyword. Another feature in Insight Spotlight analyzes users’ viewing history to identify types of content that are bubbling up.

[...]