Saturday, November 5, 2022

The same app can pose a bigger security and privacy threat depending on the country where you download it, study finds


Same app, same app store, different risks if you download it in, say, Tunisia rather than in Germany. NurPhoto via Getty Images

Google and Apple have removed hundreds of apps from their app stores at the request of governments around the world, creating regional disparities in access to mobile apps at a time when many economies are becoming increasingly dependent on them.

The mobile phone giants have removed over 200 Chinese apps, including widely downloaded apps like TikTok, at the Indian government’s request in recent years. Similarly, the companies removed LinkedIn, an essential app for professional networking, from Russian app stores at the Russian government’s request.

However, access to apps is just one concern. Developers also regionalize apps, meaning they produce different versions for different countries. This raises the question of whether these apps differ in their security and privacy capabilities based on region.

In a perfect world, access to apps and app security and privacy capabilities would be consistent everywhere. Popular mobile apps should be available without increasing the risk that users are spied on or tracked based on what country they’re in, especially given that not every country has strong data protection regulations.

My colleagues and I recently studied the availability and privacy policies of thousands of globally popular apps on Google Play, the app store for Android devices, in 26 countries. We found differences in app availability, security and privacy.

While our study corroborates reports of takedowns due to government requests, we also found many differences introduced by app developers. We found instances of apps with settings and disclosures that expose users to higher or lower security and privacy risks depending on the country in which they’re downloaded.

Geoblocked apps

The countries and one special administrative region in our study are diverse in location, population and gross domestic product. They include the U.S., Germany, Hungary, Ukraine, Russia, South Korea, Turkey, Hong Kong and India. We also included countries like Iran, Zimbabwe and Tunisia, where it was difficult to collect data. We studied 5,684 globally popular apps, each with over 1 million installs, from the top 22 app categories, including Books and Reference, Education, Medical, and News and Magazines.

Our study showed high amounts of geoblocking, with 3,672 of 5,684 globally popular apps blocked in at least one of our 26 countries. Blocking by developers was significantly higher than takedowns requested by governments in all our countries and app categories. We found that Iran and Tunisia have the highest blocking rates, with apps like Microsoft Office, Adobe Reader, Flipboard and Google Books all unavailable for download.

Attempting to download the LinkedIn app in the Google Play app store is a different experience in, from top to bottom, the U.S., Iran and Russia. Kumar et al., CC BY-ND

We found regional overlap in the apps that are geoblocked. In European countries in our study – Germany, Hungary, Ireland and the U.K. – 479 of the same apps were geoblocked. Eight of those, including Blued and USA Today News, were blocked only in the European Union, possibly because of the region’s General Data Protection Regulation. Turkey, Ukraine and Russia also show similar blocking patterns, with high blocking of virtual private network apps in Turkey and Russia, which is consistent with the recent upsurge of surveillance laws.

Of the 61 country-specific takedowns by Google, 36 were unique to South Korea, including 17 gambling and gaming apps taken down in accordance with the national prohibition on online gambling. While the Indian government’s takedown of Chinese apps happened with full public disclosure, surprisingly most of the takedowns we observed occurred without much public awareness or debate.

Differences in security and privacy

The apps we downloaded from Google Play also showed differences based on country in their security and privacy capabilities. One hundred twenty-seven apps varied in what the apps were allowed to access on users’ mobile phones, 49 of which had additional permissions deemed “dangerous” by Google. Apps in Bahrain, Tunisia and Canada requested the most additional dangerous permissions.

Three VPN apps enable clear text communication in some countries, which allows unauthorized access to users’ communications. One hundred and eighteen apps varied by country in the number of ad trackers they included, notably in the categories Games, Entertainment and Social. Iran and Ukraine had the most increases in the number of ad trackers compared to the baseline number common to all countries.
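The kind of per-country comparison described above can be sketched in a few lines. This is an added example, not code from the study or the original article: it assumes each country's APK has already been decoded so that its AndroidManifest.xml is plain text, and the package name, country variants and the short list of dangerous permissions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Subset (not the full list) of permissions Android assigns the
# "dangerous" protection level.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
}


def build_manifest(perms, cleartext=None):
    """Build a constructed, already-decoded manifest for the sample data."""
    uses = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % p
        for p in perms
    )
    attr = ""
    if cleartext is not None:
        attr = ' android:usesCleartextTraffic="%s"' % str(cleartext).lower()
    return (
        '<manifest xmlns:android="%s" package="com.example.vpn">%s'
        "<application%s/></manifest>" % (ANDROID_NS, uses, attr)
    )


# Constructed variants of one hypothetical app as served in four countries.
SAMPLE_VARIANTS = {
    "DE": build_manifest(["INTERNET", "ACCESS_NETWORK_STATE"], cleartext=False),
    "US": build_manifest(["INTERNET", "ACCESS_NETWORK_STATE"]),
    "TN": build_manifest(
        ["INTERNET", "ACCESS_NETWORK_STATE", "READ_CONTACTS",
         "ACCESS_FINE_LOCATION"],
        cleartext=True,
    ),
    "BH": build_manifest(
        ["INTERNET", "ACCESS_NETWORK_STATE", "READ_PHONE_STATE", "WAKE_LOCK"]
    ),
}


def parse_manifest(xml_text):
    """Return (requested permissions, explicit cleartext opt-in) for a manifest.

    For manifests from untrusted APKs, parse with a hardened XML parser
    such as defusedxml instead of the standard library.
    """
    root = ET.fromstring(xml_text)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(A + "name")
            if name:
                perms.add(name)
    app = root.find("application")
    # Only an explicit "true" is flagged; the platform default depends on
    # the app's target SDK level and is not evaluated here.
    cleartext = app is not None and app.get(A + "usesCleartextTraffic") == "true"
    return perms, cleartext


def compare_variants(variants):
    """Diff every country variant against the baseline common to all."""
    parsed = {c: parse_manifest(x) for c, x in variants.items()}
    baseline = set.intersection(*(perms for perms, _ in parsed.values()))
    report = {}
    for country, (perms, cleartext) in sorted(parsed.items()):
        extra = perms - baseline
        report[country] = {
            "extra": sorted(extra),
            "extra_dangerous": sorted(extra & DANGEROUS),
            "cleartext": cleartext,
        }
    return baseline, report


def flagged(report):
    """Countries whose variant adds dangerous permissions or cleartext."""
    return sorted(
        c for c, r in report.items() if r["extra_dangerous"] or r["cleartext"]
    )


if __name__ == "__main__":
    base, rep = compare_variants(SAMPLE_VARIANTS)
    print("baseline:", sorted(base))
    for country in flagged(rep):
        print(country, rep[country])
```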

One hundred and three apps have differences based on country in their privacy policies. Users in countries not covered by data protection regulations, such as GDPR in the EU and the California Consumer Privacy Act in the U.S., are at higher privacy risk. For instance, 71 apps available from Google Play have clauses to comply with GDPR only in the EU and CCPA only in the U.S. Twenty-eight apps that use dangerous permissions make no mention of it, despite Google’s policy requiring them to do so.

The role of app stores

App stores allow developers to target their apps to users based on a wide array of factors, including their country and their device’s specific features. Though Google has taken some steps toward transparency in its app store, our research shows that there are shortcomings in Google’s auditing of the app ecosystem, some of which could put users’ security and privacy at risk.

Potentially also as a result of app store policies in some countries, app stores that specialize in specific regions of the world are becoming increasingly popular. However, these app stores may not have adequate vetting policies, thereby allowing altered versions of apps to reach users. For example, a national government could pressure a developer to provide a version of an app that includes backdoor access. There is no straightforward way for users to distinguish an altered app from an unaltered one.

Our research provides several recommendations to app store proprietors to address the issues we found:

  • Better moderate their country targeting features
  • Provide detailed transparency reports on app takedowns
  • Vet apps for differences based on country or region
  • Push for transparency from developers on their need for the differences
  • Host app privacy policies themselves to ensure their availability when the policies are blocked in certain countries


Renuka Kumar, Ph.D. student in Computer Science and Engineering, University of Michigan

This article is republished from The Conversation under a Creative Commons license.

Saturday, July 2, 2022

How the Satanic Temple is using ‘abortion rituals’ to claim religious liberty against Texas’ ‘heartbeat bill’


Two women hold mock pro-life signs in what they call an ‘Abortrait room’ at the Satanic Temple’s headquarters to protest abortion laws. Joseph Prezioso / AFP via Getty images

Texas’s controversial anti-abortion law known as the “Heartbeat Bill” went into effect at midnight on Sept. 1, 2021. Less than 24 hours later, the U.S. Supreme Court declared it would not block the law.

In response, The Satanic Temple, a nontheistic group that has been recognized by the IRS as a religion, announced that it would fight back by invoking the Religious Freedom Restoration Act, or RFRA, to demand exemption from abortion restrictions on religious grounds. RFRA laws, which came into effect in 1993, restrict the government’s ability to burden religious practices.

Like the Heartbeat Bill itself, The Satanic Temple’s efforts to circumvent abortion restrictions on religious grounds involve a creative and complicated legal strategy. As a scholar who studies the ways in which The Satanic Temple’s provocations affect public debates about religious freedom, I anticipate their latest legal argument will challenge some assumptions about RFRA and the freedoms it was designed to protect.

The Heartbeat Bill

In the pivotal 1973 abortion case Roe v. Wade and Planned Parenthood v. Casey in 1992, the Supreme Court established that abortion is a Constitutional right. However, states can still pass laws that severely restrict access to abortion. The question is how severely.

Texas’s new law was designed to effectively shut down all abortion while protecting the state from judicial review.

First, the bill bans abortion after six weeks – the point at which Texas lawmakers claim a fetus’s heartbeat can be detected. Most women are not aware they are pregnant before six weeks, and Texas abortion providers estimate 85% of abortions in the state are performed after this period.

Second, the law allows anyone to sue those they can accuse of “aiding and abetting” an abortion for US$10,000. Critics of the law claim this is an intimidation tactic designed to threaten the clinics with so much potential liability that legal abortion becomes impossible.

But outsourcing enforcement to the public is also intended to protect the state. Proponents of the bill claim that since no state official is enforcing the law, abortion providers have no one to sue.

The Religious Freedom Restoration Act

The 1990 Supreme Court case Employment Division v. Smith considered arguments that a member of the Native American Church had a religious right to use peyote, a controlled substance.

The court ruled that freedom of religion was no excuse from compliance with a generally applicable law – a law that applies equally to everyone and does not single out specific groups. With this decision, it appeared that the free exercise of religion guaranteed in the First Amendment meant very little.

In response, Congress wrote the Religious Freedom Restoration Act, which was signed into law in 1993.

Under RFRA, the government cannot burden the free exercise of religion unless: 1) it has a compelling reason for doing so, and 2) the government acts in the least restrictive way possible to achieve its purpose.

Four years later, in Boerne v. Flores, the Supreme Court ruled that RFRA applied only to the federal government and not to individual states. So many states, including Texas, passed similar legislation, sometimes called “mini-RFRAs.”

In 2014, the Supreme Court ruled in Burwell v. Hobby Lobby that under RFRA, the federal government could not require the Christian company Hobby Lobby to fund insurance that provided their employees with certain forms of birth control. This decision inspired The Satanic Temple by linking the question of religious liberty with that of reproductive rights.

The Satanic Temple and RFRA

The Satanic Temple’s seven tenets include the belief that one’s body is subject to one’s own will alone. AP Photo/Hannah Grabenstein

The Satanic Temple began in 2013 and has launched a number of political actions and lawsuits related to the separation of church and state. Texas is home to four congregations of The Satanic Temple, more than any other state.

Although The Satanic Temple does not believe in or worship a literal Satan, they revere Satan as described in the works of English poet John Milton and the Romantic movement, an intellectual movement that originated in late 18th-century Europe, as a powerful symbol of rebellion against authority.

The Satanic Temple’s seven tenets include the belief that “one’s body is inviolable, subject to one’s own will alone.” It interprets state restrictions on abortion access as a burden on this sincerely held religious belief.

In 2015, The Satanic Temple began a series of lawsuits against the state of Missouri, where women seeking abortions must view sonograms and then review a booklet stating, “The life of each human being begins at conception. Abortion will terminate the life of a separate, unique, living human being.” After this, the women must spend 72 hours considering their decision before finally receiving an abortion.

The Satanic Temple argued that this practice was an unconstitutional effort by the state to impose its religious views onto vulnerable women. Furthermore, it claimed that under Missouri’s RFRA law, Satanic women could not be forced to comply with these procedures. Instead of answering whether RFRA protected members of The Satanic Temple from abortion restrictions, the court dismissed these cases on procedural grounds.

The Missouri Supreme Court ruled that since the plaintiff, a woman known as “Mary Doe,” was no longer pregnant by the time her case wound its way through the courts, she no longer needed an abortion and therefore had no legal standing to sue. The Satanic Temple appealed this ruling to the U.S. Supreme Court, which declined to hear it.

To prevent similar rulings, ministers for The Satanic Temple created an “abortion ritual,” in which a woman affirms her own autonomy, obtains an abortion, and then concludes the ritual.

Since abortion is part of the ritual, The Satanic Temple argues, subjecting a woman to a waiting period is akin to the government interfering with a baptism or communion. In February 2021, The Satanic Temple filed a new lawsuit against Texas, arguing that the state was violating the religious liberty of its new plaintiff, referred to as “Ann Doe.”

The devil is in the details

The Satanic Temple raises important questions about what counts as a religion. Opponents of the group argue that abortion is a medical procedure, not a protected religious practice. But The Satanic Temple’s lawyer, Matthew Kezhaya, points to a 2009 case, Barr v. City of Sinton, in which Texas pastor Richard Barr was told the halfway house he operated violated a zoning ordinance.

The Texas Supreme Court ruled that excluding Barr’s halfway house from the city violated Texas’s RFRA law. Key to this argument was the court’s statement that, “The fact that a halfway house can be secular does not mean that it cannot be religious.” Likewise, Kezhaya argues, abortion can be both secular and religious, depending on context.

Kezhaya also disagrees that outsourcing the enforcement of abortion to private lawsuits makes the state of Texas immune to judicial review. He compared this situation to “racially restrictive covenants” of the Jim Crow era in which white residents signed legal agreements never to sell or rent their homes to African Americans.

The Supreme Court initially declined to hear cases challenging these covenants because they were considered private contracts. But in 1948, it ruled that a court enforcing these contracts was a state action that violated the 14th Amendment.

The Satanic Temple also has an even more creative strategy. The Food and Drug Administration, which controls the distribution of the abortion pills mifepristone and misoprostol, is subject to the federal RFRA law. The Satanic Temple sent a letter to the FDA explaining that its prescription requirements illegally burden their abortion ritual. Currently, these drugs are only available with a doctor’s prescription, and the doctor must adhere to any state restrictions before providing them.

The Satanic Temple proposed an accommodation in which Satanic women can obtain a doctor’s note indicating only that these medications are safe for them to use, and then receive medication directly from The Satanic Temple rather than a state-approved provider.

In an interview with me in September 2021, Kezhaya, The Satanic Temple’s lawyer, admitted this was experimental territory. Assuming a court approved this accommodation, it could legally make The Satanic Temple a pharmacy, in addition to a religious entity, because it would be distributing controlled medications.

Is RFRA a “loophole?”

The Satanic Temple’s opponents claim it is abusing RFRA and using it as a “loophole” to circumvent the law. However, Lucien Greaves, a co-founder of The Satanic Temple, counters that RFRA was always intended to protect religious minorities from the government. If anyone is abusing it, he claims, it is companies like Hobby Lobby that invoked it to restrict the choices of their employees.

Critics of RFRA, such as legal scholar Marci Hamilton, warn that religious exemptions can turn the law into “Swiss cheese.” In other words, there could be so many religious loopholes that laws become meaningless. Whether or not this is a serious concern, it is certainly true that RFRA must not benefit only the Christian majority.

This is why constitutional law professor Jay Wexler has encouraged the work of groups like The Satanic Temple, stating, “Only by insisting on exercising these rights can Muslims, Hindus, Buddhists, atheists and everybody else ensure that the Court’s new religious jurisprudence does not result in a public space occupied exclusively by Christian messages and symbols. At stake is nothing less than our national public life.”

Joseph P. Laycock, Assistant Professor of Religious Studies, Texas State University

This article is republished from The Conversation under a Creative Commons license.

Monday, April 18, 2022

Surprise! There might be salmonella in your chocolate



In the past three months, more than 150 cases of salmonella food poisoning across Europe have been linked to Kinder chocolate products. Most of the cases have been in children under ten years old.

Health officials have traced the outbreak to bad milk in a factory in Belgium, and many products have been recalled from shelves as Easter approaches.

As consumers, we often think of the risk of food poisoning from raw or under-cooked meat, leftovers or even packaged salad. It’s less common to worry about chocolate.

Salmonella outbreaks in chocolate

While reports of salmonella bacteria in chocolate are not common, there have been several high-profile outbreaks. Most documented cases of salmonellosis have been in Europe and North America, perhaps because chocolate consumption is high and monitoring and surveillance are in place.

Outbreaks include:

Salmonella outbreaks linked to chocolate. David Bean, Author provided
  • 1985–86: 33 cases of gastroenteritis due to salmonella were reported in Canada and the US, and eventually traced back to chocolate coins imported from Belgium

  • 1987: 361 confirmed cases of salmonellosis in Norway and Finland were part of an outbreak linked to chocolate contaminated with salmonella (it is estimated the actual number of infections was 20,000-40,000)

  • 2001–02: an outbreak of salmonella occurred in Germany, resulting in at least 439 reports of infection, traced to a specific brand of chocolate distributed exclusively through a single supermarket chain

  • 2006: an outbreak in the UK was traced to chocolate, with 56 cases reported.

Why do salmonella outbreaks occur?

Chocolate begins its life as various agricultural products, the most important of which is cacao. Much of the world’s cacao comes from small farms in West Africa.

Beans from the cacao tree are harvested, fermented and dried on these farms. There are plenty of opportunities for the beans to become contaminated with salmonella from animals and the environment.

When the beans reach a chocolate factory, they are roasted. This will kill any salmonella on the beans. But if salmonella is present on the raw beans it can potentially be a source of contamination.

It is important raw beans are well segregated from roast beans to prevent cross-contamination.

As well as this segregation, chocolate factories must be well maintained and have risk-control mechanisms in place. The 2006 outbreak in the UK, for example, was ultimately linked to water leaks from pipes onto chocolate.

Salmonella in chocolate

Even when chocolate is made using appropriate food safety techniques, it has inherent properties that make it very capable of spreading bacteria.

While salmonella will not grow in chocolate (there isn’t enough water), it survives in chocolate very well. Chocolate may even protect the salmonella during its passage through the gut.

Salmonella won’t grow in chocolate, but it survives there very well. Shutterstock

This means a batch of chocolate product contaminated with salmonella may remain a food safety risk for a long time and be distributed over a large geographical area. This explains why chocolate-related outbreaks can affect large numbers of people in multiple countries.

Another important consideration is who often consumes chocolate: children. Children are often disproportionately represented in these outbreaks and may be more susceptible to severe infections.

What can be done?

Most confectionery manufacturers operate under stringent guidelines to ensure quality and safety of their products. Good manufacturing processes and food safety guidelines are well established to ensure chocolate is safe.

Manufacturers would prefer to eliminate pathogens (disease-causing microorganisms) such as salmonella in chocolate, or at least detect them during manufacturing.

However, the current Kinder recall and others like it are evidence of the system working, albeit late in the process. When a recall notice is issued, consumers should take the advice seriously.

So don’t put off a little Easter indulgence! In the absence of a recall notice for a specific product, it is safe to assume eating chocolate won’t make you sick – unless perhaps you over-indulge.

David Bean, Senior Lecturer in Microbiology, Federation University Australia and Andrew Greenhill, Associate Professor in Microbiology and Fermentation Technology, Federation University Australia

This article is republished from The Conversation under a Creative Commons license.

Tuesday, February 15, 2022

FF Plus – ‘Horror of farm murders remains shocking, Jan Kempdorp’



Although farm murders often occur and the government does not consider them a priority crime, they remain shocking and unnecessary.

In the latest incident, Mr. Ernst Human was killed over the weekend at Jan Kempdorp in the Vaalharts area.

Mr. Human was part of a farm security group that was connected to each other by radio. Other group members investigated after he did not respond to his radio call.

The incident reiterates the vulnerability of people on farms and in rural areas, even within security groups.

The FF Plus’ prayers accompany Mr. Human’s loved ones.

Read: Farm murder, body of farmer discovered in his home, Jan Kempdorp

It was further reported in the media that Ernst Human was found with his hands and feet tied and then brutally murdered.


Read the original article in Afrikaans by Dr. Wynand Boshoff on FF Plus



Wednesday, December 15, 2021

How vulnerable is your personal information? 4 essential reads


Chances are some of your data has already been stolen, but that doesn’t mean you should shrug data breaches off. WhataWin/iStock via Getty Images

When you enter your personal information or credit card number into a website, do you have a moment of hesitation? A nagging sense of vulnerability prompted by the parade of headlines about data breaches and hacks? If so, you probably push those feelings aside and hit the submit button, because, well, you need to shop, apply for that job, file that insurance claim, apply for that loan, or do any of the other sensitive activities that take place online these days.

First, the bad news. If you regularly enter sensitive information online, chances are you’ve had some data stolen somewhere at some point. By one estimate, the average American had data stolen at least four times in 2019. And the hits keep coming. For instance, a data breach at the wireless carrier T-Mobile reported in August 2021 affected 100 million people.

Now for some good news. Not all hacks are the same, and there are steps you can take to protect yourself. The Conversation gathered four articles from our archives that illuminate the types of threats to your online data, what data thieves do with your stolen information, and what you can do about it.

1. Take stock of your risk

Not all cyberattacks are the same, and not all personal data is the same. Was an organization that has your information the victim of a ransomware attack? Chances are your information won’t be stolen, though the organization’s copy of it could be rendered unusable.

If an organization you deal with did have customer data stolen, what data of yours did the thieves get? Merrill Warkentin, a professor of information systems at Mississippi State University, writes that you should ask yourself some questions to assess your risk. If the stolen data was your purchase history, maybe that won’t be used to hurt you. But if it was your credit card number, that’s a different story.

Data breaches are a good opportunity “to change your passwords, especially at banks, brokerages and any site that retains your credit card number,” he wrote. In addition to using unique passwords and two-factor authentication, “you should also consider closing old unused accounts so that the information associated with them is no longer available.”

2. The market for your stolen data

Most data breaches are financial crimes, but the hackers generally don’t use the stolen data themselves. Instead, they sell it on the black market, usually via websites on the dark web, for other criminals and scammers to use.

This black market is awash in personal data, so much so that your information is probably worth a lot less than you would guess. For example, stolen PayPal account information goes for $30.

Buyers use stolen data in several ways, writes Ravi Sen, an associate professor of information and operations management at Texas A&M University. Common uses are stealing your money or identity. “Credit card numbers and security codes can be used to create clone cards for making fraudulent transactions,” he writes. “Social Security numbers, home addresses, full names, dates of birth and other personally identifiable information can be used in identity theft.”

The T-Mobile breach revealed in August 2021 exemplifies the challenges consumers face when hackers steal their information from large corporations.

3. How to prepare for the inevitable

With all this bad news, it’s tempting to throw up your hands and assume there’s nothing you can do. W. David Salisbury, a professor of cybersecurity management, and Rusty Baldwin, a research professor of computer science at the University of Dayton, write that there are steps you can take to protect yourself.

“Think defensively about how you can protect yourself from an almost inevitable attack, rather than assuming you’ll avoid harm,” they write. The key is focusing on the information that’s most important to protect. Uppermost are your passwords, particularly for banking and government services. Use different passwords for different sites, and use long – though not necessarily complicated – passwords, they write.

The most effective way to protect your data is to add another layer of security via multifactor authentication. And rather than rely on websites to text or email you authentication codes, which can be hijacked, you should use an app or USB device that uses public-key encryption, they write.

4. Don’t make it easy for the thieves

The risk to your personal information isn’t just having it stolen from a third party. Phishing attacks can get you to do the thieves’ work for them. These emails fool people into entering personal information and passwords on fake websites controlled by data thieves.

It turns out that you’re probably pretty good at sensing when something is off about an email message. Rick Wash, an associate professor of information science and cybersecurity at Michigan State University, found that the average person is as good as a cybersecurity expert at sensing when something is weird about an email message.

The trick to protecting yourself from phishing attacks is remembering that phishing exists and could explain what you’re sensing about an email message.

“The people who were good at noticing phishing messages reported stories about specific phishing incidents they had heard about,” he wrote. “Familiarity with specific phishing incidents helps people remember phishing generally.”

Editor’s note: This story is a roundup of articles from The Conversation’s archives.

Eric Smalley, Science + Technology Editor, The Conversation

This article is republished from The Conversation under a Creative Commons license.