DuckDuckGo Isn’t as Private as You Think

Plus: A $150 million Twitter fine, a massive leak from a Chinese prison in Xinjiang, and an ISIS plot to assassinate George W. Bush.

Wired

After another week of dismally tragic news and moral failures by the powerful, it’s good to know that you can at least depend on the small things, like “privacy-focused” search engine and browser DuckDuckGo resisting the temptation to sell out and help corporations to surveil its users. Oh, wait.

Yes, a security researcher revealed this week that even DuckDuckGo, which markets itself as “the internet privacy company,” made an exception for its business partner Microsoft to its browser’s blocking of some advertising trackers on websites, sparking accusations that it had betrayed its purported privacy ethos. The milkshake-ducking of DuckDuckGo comes amid growing awareness of how the stakes of online surveillance are rising as signs mount that the US Supreme Court will overturn Roe v. Wade’s protections for abortion rights: A new report this week from the Surveillance Technology Oversight Project laid out the technological means available to law enforcement and private litigants to surveil those seeking abortions, should Roe be struck down. And more than 40 members of Congress called on Google to stop collecting location data on Android ahead of a potential Roe reversal.

In other privacy news, we looked at how the European Union’s General Data Protection Regulation has failed to meaningfully curb Big Tech’s privacy abuses four years after its passage. Australia’s digital driver’s licenses turn out to be far too easy to forge. China has been saber-rattling with accusations about American cyberespionage. We spoke to the inventor of the browser “cookie” about how to handle cookie settings for privacy—and those ubiquitous cookie-related pop-ups on websites. And we also interviewed the CEO of Protonmail, now rebranded as just Proton, about its ambitions to offer a broader range of privacy-focused services beyond email—hopefully without, ahem, surveillance exceptions for its business partners.

But there’s more. As usual, we’ve rounded up all the news that we didn’t break or cover in-depth this week. Click on the headlines to read the full stories. And stay safe out there.

Cybersecurity and privacy researcher Zach Edwards discovered a glaring hole in the privacy protections of DuckDuckGo’s purportedly privacy-focused browser: By examining the browser’s data flows on the Facebook-owned website Workplace.com, Edwards found that the site’s Microsoft-placed tracking scripts continued to communicate back to Microsoft-owned domains like Bing and LinkedIn. DuckDuckGo CEO Gabriel Weinberg responded to Edwards on Twitter, acknowledging that "our search syndication agreement prevents us from stopping Microsoft-owned scripts from loading"—essentially admitting that the partnership deal DuckDuckGo struck with Microsoft includes a carveout that lets Microsoft track users of its browsers. Weinberg added that DuckDuckGo is “working to change that.” (A company spokesperson reiterated in an email to WIRED Weinberg’s assertion that none of this applies to DuckDuckGo search, adding that both its search and its browser offer more privacy protections than the competition.) In the meantime, the revelation blew a glaring hole of its own in the company’s reputation as a rare privacy-preserving tech firm. Turns out this surveillance capitalism thing is pretty hard to escape.
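The kind of check Edwards ran, comparing a browser’s observed outbound requests against the trackers it claims to block, is easy to reproduce from any network log. The script below is an added illustration, not code from WIRED, Edwards, or DuckDuckGo: the owner map, the sample request log, the first-party site name, and the simplified domain handling are all constructed assumptions for the example. It flags third-party requests to tracker-owned domains that the browser let through, grouped by the company that owns them.

```python
from urllib.parse import urlsplit

# Constructed owner map (registrable domain -> owning company). Illustrative only;
# a real audit would use a curated tracker list with many more entries.
TRACKER_OWNERS = {
    "bing.com": "Microsoft",
    "linkedin.com": "Microsoft",
    "clarity.ms": "Microsoft",
    "doubleclick.net": "Google",
    "google-analytics.com": "Google",
    "facebook.com": "Meta",
}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the host.

    Assumption: no multi-label public suffixes (co.uk, com.au, ...) appear in
    the sample. Use the Public Suffix List for production-quality results.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_requests(first_party: str, requests):
    """Return tracker-owned third-party hosts the browser allowed, by owner.

    `requests` is an iterable of (url, blocked) pairs as recorded from the
    browser's network log during a page load on `first_party`.
    """
    fp = registrable_domain(first_party)
    leaked = {}
    for url, blocked in requests:
        host = urlsplit(url).hostname or ""
        domain = registrable_domain(host)
        if domain == fp:
            continue  # first-party traffic is expected, not a tracker leak
        owner = TRACKER_OWNERS.get(domain)
        if owner is None or blocked:
            continue  # unknown domain, or the blocker did its job
        leaked.setdefault(owner, []).append(host)
    return leaked


# Constructed sample log: a page load on a hypothetical first-party site where
# Google tracker requests were blocked but Microsoft-owned ones were not.
SAMPLE_LOG = [
    ("https://www.example-store.test/checkout", False),
    ("https://www.google-analytics.com/collect?v=1", True),
    ("https://stats.g.doubleclick.net/j/collect", True),
    ("https://bat.bing.com/action/0?ti=1", False),
    ("https://px.ads.linkedin.com/collect", False),
]


def leaks_in_sample():
    return audit_requests("example-store.test", SAMPLE_LOG)


if __name__ == "__main__":
    for owner, hosts in leaks_in_sample().items():
        print(f"{owner}: allowed tracker requests to {', '.join(hosts)}")
```

Feeding the script a real log exported from the browser’s developer tools (or a HAR file, after reading out each entry’s URL and whether it was blocked) turns the anecdote into a repeatable test: an empty result means the blocklist held, and any non-empty owner bucket is a carveout worth asking the vendor about.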

Staying on that surveillance capitalism theme, Twitter agreed this week to pay a $150 million fine after the Federal Trade Commission and the US Department of Justice accused it of selling user data that it had collected under the guise of security. Twitter had asked users to share their email addresses and phone numbers for security purposes, such as two-factor authentication and account recovery, but ultimately sold that data to advertisers seeking to target ads at its users. That bait-and-switch violated an agreement Twitter made with the FTC in 2011 after earlier privacy misbehavior.

If the world had any doubts that China’s "re-education camps" for Muslim minorities in its Xinjiang region were in fact prisons with euphemistic names, a massive leak known as the Xinjiang Police Files should correct that delusion. The leak, provided by an unknown source to researcher Adrian Zenz, who in turn provided the material to a group of global media outlets, includes a vast collection of tens of thousands of internal files, manuals, and even detailed photos revealing life in one of Xinjiang’s prisons. The files reveal, for instance, shoot-to-kill orders for any prisoner attempting to escape the camps, and guidelines for shackling inmates when they’re transferred between different parts of the facility—hardly the practices of a “vocational school,” as China describes the camps to the world. The leak also includes photos of the camp’s detainees, who were as young as 15 and as old as 73, often jailed for years without trial for offenses as simple as studying Islamic texts.

In a strange replay of events from 2016, Google researchers and the UK government revealed that a site publishing leaked documents from a group of pro-Brexit UK politicians was, in fact, created by Russia-based hackers. The site, called Very English Coop d’Etat, described its collection of leaked emails as coming from an influential group of hardline right-wing Brexit supporters, including former MI6 head Richard Dearlove. But Google’s Threat Analysis Group told Reuters that the site appears to have been created by a Russian hacker group it calls Cold River. Former UK intelligence head Dearlove cautioned that the leak of his emails should be understood to be a Russian influence operation, especially given the West’s current icy relations with Russia over its illegal and unprovoked invasion of Ukraine.

An accidentally unsealed warrant, spotted by Forbes, revealed that an Iraqi man had allegedly sought to assassinate former president George W. Bush in Dallas, going so far as to take video of Bush’s home in November. According to the warrant, the FBI says it foiled the plot through the use of a confidential informant and surveillance of the metadata of the would-be assassin’s WhatsApp messages. The case shows how, despite law enforcement’s claims that end-to-end encryption can stymie its investigations, the FBI has managed to monitor encrypted apps like WhatsApp through their metadata and even penetrate the communications themselves through the use of undercover informants.
