Privacy

An Apple Maps privacy bug fixed in iOS 16.3 may have allowed apps to collect user location data without permission.

At least one app appears to have done so, and a security reporter has speculated that the same privacy bug could have been exploited by countless apps over an unknown time period …

Pegasus spyware – a zero-click way of remotely hacking an iPhone, and gaining access to all the personal data stored on it – has been defended by the company’s CEO. NSO chief exec said that the company had made “mistakes” in selling it to repressive governments, but claimed that it now sells Pegasus only to countries to whom the US sells weapons.

A security researcher said that the comparison was bogus, stating that a more reasonable comparison would be selling long-range nuclear missiles …

In honor of Data Privacy Day, Apple has announced a handful of new resources “designed to help users take control of their data.” This year, those initiatives include dedicated privacy-focused “Today at Apple” sessions, a new short film with Ted Lasso star Nick Mohammed (Nate the Great), and more.

A GoTo hack related to the LastPass security breach was far worse than initially disclosed. The company, formerly known as LogMeIn, has revealed that attackers obtained not only encrypted backups of customer data, but also an encryption key for at least some of that data.

It’s a similar tale to the LastPass hack, which followed a similar path from low-key initial announcement to revelations that it was significantly worse than initially feared …

Apple is facing a third class action privacy lawsuit, after the company was found to be collecting analytics data from iPhone users even after they refused permission.

Apple insists that all developers ask permission to collect analytics data, but security researcher Tommy Mysk discovered last year that the company wasn’t playing by its own rules …

There have been numerous examples of people losing a lifetime’s worth of photos after being locked out of their iCloud account. The Apple account recovery process often proves impossible, especially in cases where an iPhone has been stolen and its owner forced to unlock it.

Just yesterday there was a fresh example, where an unlocked iPhone was stolen at gunpoint by seemingly tech-savvy thieves …

Apple has been fined $8.5 million in France over how personalized advertising works on the iPhone. France’s CNIL data protection agency (National Commission on Informatics and Liberty) issued the €8 million penalty against Apple as the result of an investigation.

The long-running Cambridge Analytica lawsuit against Facebook parent company Meta has finally been settled. The social media company agreed to pay Facebook users a combined total of $725M for sharing their personal data with the now-bankrupt political consultancy.

The lawyers behind the case described the victory as a “historic” one, saying that it was the largest ever payout in a US privacy case …

Brand owner Anker has finally responded to proof of a major Eufy camera security breach, but its official statement still leaves a great many questions unanswered.

The company has now admitted that it lied to users about all footage and images being stored locally, and never sent to the cloud, after a security researcher proved that this was not true …

One of the ironies of Apple’s long-running battle with the FBI over the agency’s desire for a security backdoor into iPhones is that it could have taken advantage of one which already existed: The fact that iCloud backups of iPhones didn’t use end-to-end encryption. Apple has now finally fixed this with Advanced Data Protection (ADP).

ADP not only closes a privacy hole which should have been closed a long time ago, but will also relieve Apple of the need to engage in any similar legal battles in future …

Apple on Wednesday announced new iCloud security features to strengthen users’ privacy. This includes Advanced Data Protection with end-to-end encryption for all data saved in the cloud, as well as support for physical security keys. In an interview with WSJ’s Joanna Stern, Apple’s SVP of software, Craig Federighi, shared some details about what led the company to introduce such features to iCloud.

Proton Drive, a Dropbox and iCloud rival, has today launched iOS and Android apps for both free and paid cloud storage tiers.

As you’d expect from the company that launched an encrypted email service, Proton Mail, the emphasis is on privacy and security …

The LastPass security breach that occurred back in August did allow attackers to access customer data, says the company. It had previously said that no customer data was compromised.

LastPass owner LogMeIn stresses that customer passwords have not been compromised, as the company uses end-to-end encryption so that only the subscriber has the decryption key …

Elon Musk recently hinted that Twitter encrypted DMs were on the way, using full end-to-end encryption – and code spotted in the iOS app suggests that it will use the same E2E encryption standard as Signal.

Plans for E2E encryption of Twitter direct messages date back to at least 2018, and it appears that the company has resuscitated code written back then …

A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.

It had previously been thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced this impression …

Mozilla has announced an update to its Firefox Relay and VPN security offerings today with the main change making them a more affordable, bundled subscription. For $6.99/month, you can get both the Relay and VPN services from the non-profit to protect your devices.

iOS privacy concerns were raised last week when security researchers appeared to demonstrate that iPhones send the same analytics data to Apple whether you grant or decline permission.

The same researchers have now demonstrated that Apple can – despite assurances to the contrary – link this data back to individual users, as the same ID is used as that for iCloud accounts …

A potentially sensitive US Army iOS app is among thousands of iOS and Android apps to include user-profiling code from a Russian company that pretended to be an American one – raising both privacy and security concerns.

The Centers for Disease Control and Prevention (CDC) also used the code in seven of its apps. Both organizations have now removed the code, but it remains present in thousands of other apps …

A security researcher has discovered that Apple analytics data is collected and sent from iPhones, whether or not users consented during the setup process. The amount of data collected was described by the researcher as “shocking.”

A class action lawsuit has now filed, which says that Apple’s privacy promises are “completely illusory” …