Meta has settled a Texas lawsuit over gathering biometric data for Facebook's "Tag Suggestions" feature without informed consent.

Texas Attorney General Ken Paxton has announced a $1.4 billion settlement with Meta to “stop the company’s practice of capturing and using the personal biometric data of millions of Texans without the authorization required by law.”

The prime reason for the initial lawsuit that led to the settlement was Facebook’s “Tag Suggestions” feature that used facial recognition. This feature was rolled out in 2011 to “improve the user experience by making it easier for users to tag photographs with the names of people in the photo.”

However, Meta allegedly automatically turned this feature on for all Texans without explaining how the feature worked. This method made it possible to run facial recognition software on virtually every face contained in the photographs uploaded to Facebook, capturing records of the facial geometry of the people depicted, for a long time.

In 2019, Facebook said it had always given control to users about the use of face recognition technology to recognize users in photos, but it wasn’t until December 2017 that Facebook introduced settings that allowed users to manage whether Facebook used face recognition technology on their photos to suggest tags.

Texas’s “Capture or Use of Biometric Identifier” (CUBI) Act forbids companies from capturing biometric identifiers of Texans, including records of face geometry, unless the business first informs the person and receives their consent to capture the biometric identifier.

So, in February 2022, Attorney General Paxton sued Meta for unlawfully capturing the biometric data of millions of Texans without obtaining their informed consent as required by Texas law. Approximately two years after filing the petition, Texas reached a settlement agreement with Meta who will pay the state of Texas $1.4 billion over five years.

The face recognition setting is no longer available after Facebook reluctantly shut the Face Recognition system down by the end of 2021:

> “Making this change required careful consideration, because we have seen a number of places where face recognition can be highly valued by people using platforms.
> 
> We believe facial recognition can help for products like these with privacy, transparency and control in place, so you decide if and how your face is used. We will continue working on these technologies and engaging outside experts.”

Personally, I feel since biometrics are increasingly used for identification by more important services than social media, those platforms have no business gathering them. Therefore, we welcome Facebook’s move away from this kind of broad identification and will closely follow its planned future move toward narrower forms of personal authentication.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 Meta to pay $1.4 billion over unauthorized facial recognition image capture 

Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

Apple has released security updates for many of its products in order to patch several vulnerabilities that could allow an attacker to steal sensitive information from a locked device.

Included in the patches for Apple Watch, iOS, and iPadOS are four vulnerabilities in Siri. While your device is locked there are several voice-commands your digital assistant can process.

Apple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data. Using Siri on a locked device has limitations to protect your privacy and security, and the digital assistant should only be able to perform tasks that do not require access to sensitive data locked behind the device’s security systems, such as Face ID or a passcode.

A similar vulnerability was also patched in the VoiceOver component in Apple Watch, iOS, iPadOS, and macOS Ventura. To check whether VoiceOver is on or off on your iPhone or iPad, you can check by looking at **Settings > Accessibility > VoiceOver**.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 17.6 or iPadOS 17.6, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

iPad Software update is available

Here’s an overview of the available updates for the various Apple products:

Name:

Available for:

Safari 17.6

macOS Monterey and macOS Ventura

iOS 17.6 and iPadOS 17.6

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.9 and iPadOS 16.7.9

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.6

macOS Sonoma

macOS Ventura 13.6.8

macOS Ventura

macOS Monterey 12.7.6

macOS Monterey

watchOS 10.6

Apple Watch Series 4 and later

tvOS 17.6

Apple TV HD and Apple TV 4K (all models)

visionOS 1.3

Apple Vision Pro

iOS 15.8.3 and iPadOS 15.8.3

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Apple also patched the regreSSHion vulnerability that allows unauthenticated Remote Code Execution (RCE) in OpenSSH.

For beta testers Apple also released the first beta of iOS 18.1 to developers. This update is available for iPhone 15 Pro and iPhone 15 Pro Max and includes the first set of Apple Intelligence features, such as Writing Tools, new features for Mail and notifications, upgrades to Photos, and more.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes Siri vulnerabilities that could have allowed sensitive data theft from locked device. Update now! 

Only trust official sources they say, but what happens when a Google vetted ad is for a Google product?

We have previously reported on the brand impersonation issue with Google ads: users who search for popular keywords are shown malicious ads that purport to be from an official vendor.

Not only does this trick innocent victims into downloading malware or losing their data to phishing sites, it also erodes trust in brands and by association in Google Search itself.

Today, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.

A similar distribution site and the same payload were previously reported by sandbox maker AnyRun. In this blog post, we will reveal the missing piece at the top of the killchain, namely the Google ad that was involved in tricking users into visiting a decoy website.

**Trust, but ‘verified’?**

The core issue with brand impersonation comes from ads that appear as if they were from official sources and advertisers’ identities verified by Google. This was the case here with this ad for Authenticator:

The truth is Larry Marr has nothing to do with Google, and is likely a fake account. We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.

**Fake site leads to signed payload hosted on Github**

The fraudulent site _chromeweb-authenticators\[.\]com_ was registered via NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day as the ad was observed.

Looking at the site’s source code, we can see the code responsible for downloading _Authenticator.exe_ from GitHub. Note the comments from the author in Russian:

Hosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via conventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate. In fact, anyone can create an account and upload files, which is exactly what the threat actor did under the username _authe-gogle_, creating the _authgg_ repository that contains the malicious _Authenticator.exe_:

Looking at the file itself, we can see that it has been digitally signed by “_Songyuan Meiying Electronic Products Co., Ltd._” just one day before, and the signature is still valid at the time of writing:

The malware, DeerStealer, is a kind of stealer that will grab and exfitrate your personal data via an attacker-controlled website hosted at _vaniloin\[.\]fun_.

**Conclusion**

Threat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites. Since the whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real advertisers from fake ones.

As we saw in this case, some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.

We should note that Google Authenticator is a well-known and trusted multi factor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture. We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.

Malwarebytes blocks access to the fake Authenticator website, and we detect the payload as Spyware.DeerStealer.

**Indicators of Compromise**

Malicious domains

vcczen\[.\]eu  
tmdr7\[.\]mom  
chromeweb-authenticators\[.\]com

Payload (stealer)

5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737

C2

vaniloin\[.\]fun

 Threat actor impersonates Google via fake ad for Authenticator 

This week on the Lock and Code podcast, we speak with Jess Dodson about SIEM selection, management, and proper data collection.

_This week on the Lock and Code podcast…_

In the world of business cybersecurity, the powerful technology known as “Security Information and Event Management” is sometimes thwarted by the most unexpected actors—the very people setting it up.

Security Information and Event Management—or SIEM—is a term used to describe data-collecting products that businesses rely on to make sense of everything going on inside their network, in the hopes of catching and stopping cyberattacks. SIEM systems can log events and information across an entire organization and its networks. When properly set up, SIEMs can collect activity data from work-issued devices, vital servers, and even the software that an organization rolls out to its workforce. The purpose of all this collection is to catch what might easily be missed.

For instance, SIEMs can collect information about repeated login attempts occurring at 2:00 am from a set of login credentials that belong to an employee who doesn’t typically start their day until 8:00 am. SIEMs can also collect whether the login credentials of an employee with typically low access privileges are being used to attempt to log into security systems far beyond their job scope. SIEMs must also take in the data from an Endpoint Detection and Response (EDR) tool, and they can hoover up nearly anything that a security team wants—from printer logs, to firewall logs, to individual uses of PowerShell.

But just because a SIEM _can_ collect something, doesn’t necessarily mean that it should.

Log activity for an organization of 1,000 employees is tremendous, and the collection of frequent activity could bog down a SIEM with noise, slow down a security team with useless data, and rack up serious expenses for a company.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Microsoft cloud solution architect Jess Dodson about how companies and organizations can set up, manage, and maintain their SIEMs, along with what advertising pitfalls to avoid when doing their shopping. Plus, Dodson warns about one of the simplest mistakes in trying to save budget—setting up arbitrary data caps on collection that could leave an organization blind.

“A small SMB organization … were trying to save costs, so they went and looked at what they were collecting and they found their biggest ingestion point,” Dodson said. “And what their biggest ingestion point was was their Windows security events, and then they looked further and looked for the event IDs that were costing them the most, and so they got rid of those.”

Dodson continued:

> “Problem was the ones they got rid of were their Log On/Log Off events, which I think most people would agree is kind of important from a security perspective.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 SIEM is not storage, with Jess Dodson (Lock and Code S05E16) 

Senators have asked the FTC to investigate the consumer privacy violations by car makers that provide data brokers with information that could be used against them

An ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers’ data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.

Based on this investigation, senators have urged the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new-found details about the practice.

And they don’t stop there:

> “If the FTC determines that these companies violated the law, we urge you to hold the companies and their senior executives responsible.”

At Malwarebytes, we reported how a team of researchers at Mozilla who reviewed the privacy and data collection policies of various product categories for several years now, named “Privacy Not Included,” found cars to be the worst product category they ever reviewed for privacy.

A modern car hasn’t just been a transportation vehicle for a long time. With multiple digital systems, they are increasingly plugged into web applications and digital processes—applications and processes that are vulnerable to security flaws.

But at least those vulnerabilities are not intentional. Some other privacy issues are.

In November 2023, a judge ruled it’s fine for car makers to intercept your text messages, because the practice doesn’t meet the threshold for an illegal privacy violation under state law. 

The senators found some worrying aspects of modern car data collection practices, which included the use of dark patterns to obtain consent in ways that did not qualify as “informed” consent. Dark patterns, also known as deceptive design patterns, occur when a user interface has been carefully crafted to nudge or trick users into doing things they didn’t set out to do.

Another problem lies in the fact that data was found to be sold on to data brokers. These services can allow interested parties—from law enforcement agencies to marketing firms and even scammers—to access records that contain usernames, passwords (including in clear text), email addresses, IP addresses, and more.

Three car makers confirmed their disclosure of drivers’ data to one data broker, such as acceleration and braking data. One of the car makers also confirmed that it disclosed customer location data to two other companies, which it refused to name.

The named data broker sold these reports to auto insurance companies and also provided automakers with some of this information, including a driving score and safe driving suggestions. According to the New York Times, car manufacturers shared driving behavior data from more than eight million cars.

The senators also worry that some car makers may have gone as far as exclusively advertising “safe driving” programs as a way to lower their insurance bills, without revealing that some insurers might charge some drivers more based on their telematics data.

Some states—including Louisiana and Montana—limited the use of telematics data to raise insurance premiums, while California only permits telematics data sharing for mileage verification.

The senators requested that:

> “The FTC should hold accountable the automakers, which shared their customers’ data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner. Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers’ privacy.”

At Malwarebytes, we have expressed our concerns about the number of buyers and brokers for data. That’s regardless of whether they are there to sell data to anyone that is willing to pay, or only offer it to those that rightfully own the data. It’s also regardless of how the data were obtained, in a breach or by “consent.”

As we all learned in economics, demand drives up the price and the higher the price the more attractive it becomes to go after the data. And, as the mother-of-all-breaches (MOAB) incident clearly demonstrated, not everyone is as careful as they should be about accidentally exposing their data collection.

**Check your exposure**

You can verify whether your information is available online due to data breaches by using the Malwarebytes Digital Footprint portal. Just enter your email address (try the one your car dealership has) to our free Digital Footprint scan, and we’ll give you a report. For those whose information was not included, you’ll still likely find other exposures in previous data breaches.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 US senators ask FTC to investigate car makers’ privacy practices 

A list of topics we covered in the week of July 22 to July 28 of 2024

July 26, 2024 - Meta has taken down a whopping number of Instagram accounts directly involved in sextortion and more accounts aimed at training scammers

July 25, 2024 - After the July Microsoft update some systems boot into a BitLocker Recovery screen. How can you find the key you need?

July 24, 2024 - Prepay wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection

July 23, 2024 - Google has taken a new turn in the approach to eliminating third-party cookies. This time it's back to the Privacy Sandbox

July 22, 2024 - Data from the Heritage Foundation containing at least half a million passwords and usernames are available online

 A week in security (July 22 &#8211; July 28) 

Meta has taken down a whopping number of Instagram accounts directly involved in sextortion and more accounts aimed at training scammers

Meta announced the take-down of 63,000 sextortion-related Instagram accounts in Nigeria alone.

The action was directed against a group known as Yahoo Boys, a loosely organized set of cybercriminals that largely operate out of Nigeria and specialize in different types of scams.

Meta took down a host of accounts, including some 2,500 that belonged to a coordinated group of around 20 criminals which primarily targeted adult men in the US.

Sextortion, the act of blackmailing individuals for cash in return for not leaking sensitive images and videos, has been a problem for many years. Sextortion and sextortion scams are sometimes carried out by people familiar with the target, but most of the time, cybercriminals who have no relationship to the victim are to blame.

Additionally, Meta took down around 7,200 assets, including 1,300 Facebook accounts, 200 Facebook Pages and 5,700 Facebook Groups, also based in Nigeria. These accounts provided training, scripts, and complete guides for conducting scams. Nigeria still grapples with its reputation for being a source of internet-era fraud (the “Nigerian Prince” email scam is engrained in the public’s mind), and some residents are reportedly tricked into becoming scammers through predatory “classes” and programs that promise wealth.

Recently, after a successful operation targeting West African organized crime groups led to hundreds of arrests,  Isaac Oginni, Director of INTERPOL’s Financial Crime and Anti-Corruption Centre (IFCACC) said:

> “The volume of financial fraud stemming from West Africa is alarming and increasing. This operation’s results underscore the critical need for international law enforcement collaboration to combat these extensive criminal networks.”

While Meta’s investigation showed that the majority of these scammers’ attempts were unsuccessful and mostly targeted adults, it did reveal some attempts to target minors. The Federal Bureau of Investigation (FBI) reported in January 2024 that it saw a huge increase in the number of sextortion cases involving children and teens, mainly where the criminals would threaten and coerce the victims into sending explicit images online.

Children are led to believe they are communicating with someone their own age and tricked into sending nude pictures, which will later be used to threaten the victim with exposure. Last month, the BBC reported on an example of how devastating the consequences of sextortion can be, especially on young ones. In that case, Meta handed over data relating to a Scottish teenager who ended his life after becoming the victim of a sextortion gang on Instagram.

A US Senate committee accused Meta in February of not doing enough to protect children online and called for action by social media giants, in general, to do better.

 In his opening statement, Ranking Member Senator Lindsey Graham held Mark Zuckerberg and the other CEOs to immediate account:

> “Mr. Zuckerberg, you and the companies before us, I know you don’t mean it to be so but you have blood on your hands. … You have a product that’s killing people.”

Since then, Meta has said that it has learned new signals to identify accounts that are potentially engaging in sextortion, and the company is taking steps to help prevent these accounts from finding and interacting with teens.

> “Our teams have deep experience in fighting this crime and work closely with experts to recognize the tactics scammers use, understand how they evolve and develop effective ways to help stop them.”

These takedowns seem to be a good indication that this is true. But these scammers will undoubtedly return to social media platforms to continue their cybercriminal run.

For those with children that don’t know where to start in keeping kids safe online, we recommend reading: Internet safety tips for kids and teens: A comprehensive guide for the modern parent.

The FBI asks that if young people are being exploited, they are the victim of a crime and should report it. Contact your local FBI field office, call 1-800-CALL-FBI, or report it online at tips.fbi.gov.

Stay safe!

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 Meta takes down 63,000 sextortion-related accounts on Instagram 

After the July Microsoft update some systems boot into a BitLocker Recovery screen. How can you find the key you need?

Some Windows users may see a BitLocker Recovery screen after applying the Microsoft patch Tuesday updates. BitLocker is a Windows security feature that encrypts entire drives. It prevents someone that has obtained a stolen or lost device from reading the files stored on that drive.

Unfortunately, though, Microsoft launched an update this month that has caused problems for some Windows systems. Without telling the public what, exactly, has gone wrong, Microsoft provided some details about what might happen on the Windows release health dashboard.

Affected systems are running Windows 10 and 11 or one of the server versions (Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008.). And the affected systems are very likely to have Device Encryption enabled.

You can find out if you have Device Encryption enabled by looking at:

*   Settings
*   Privacy & Security
*   Device encryption

If Device encryption doesn’t appear under Privacy & Security, it isn’t available for your system.

Under normal circumstances you wouldn’t see the BitLocker Recovery screen unless you enter the wrong PIN too many times or when you’ve made some hardware or firmware changes.

If you are affected by this faulty update, you will be presented with a screen similar to this one when you boot the system.

BitLocker recovery screen

On the screen, you’re asked to **Enter the recovery key for this drive**. Windows will also show a recovery ID to identify your key. Keep it handy since you may need this to find the recovery key.

**How to get the recovery key**

On another device, you can log in at  https://aka.ms/myrecoverykey with your Microsoft account ID that you use on the currently affected system. Once logged in, you’ll see a list of the devices registered to that ID showing:

*   The Device name
*   The Key ID
*   The Recovery Key
*   Which drive type (OSV drive is a Primary drive containing the Operating System. FDV drive is a Secondary drive)
*   Key upload date

Find the Recovery key you need by looking for the Key ID that matches the Recovery key ID shown in the BitLocker Recovery screen and enter the Recovery Key listed behind that Key ID in the BitLocker Recovery screen.

Once you’ve entered the correct Recovery Key, your system should boot to the normal login screen.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Windows update may present users with a BitLocker recovery screen 

Prepay wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection

Following three separate data breaches between 2021 and 2023 which exposed the proprietary information (PI) of TracFone Wireless customers, the Federal Communications Commission (FCC) announced that the Verizon-owned company has agreed to pay a $16 million civil penalty to settle the government investigation, and it has made an agreement to improve its application programming interface  (API) security.

TracFone Wireless Inc. is an American prepay wireless service provider wholly owned by Verizon. TracFone services are used by the brands Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile.

The settlement ends an investigation into TracFone’s security practices to uncover whether the breaches were the result of ineffective cybersecurity protocols. The Enforcement Bureau (EB) of the FCC found that cybercriminals gained access to certain TracFone customer information, including PI and customer proprietary network information (CPNI), by exploiting vulnerabilities related to customer-facing APIs.

APIs allow different computer programs or components to communicate with one another. When the security behind the APIs is not secure enough, cybercriminals can abuse them to gather information without authorization.

The FCC media release explains in detail that it is possible to leverage numerous APIs to access customer information from websites. And according to the FCC’s own Enforcement Bureau, that is exactly what happened at TracFone.

In addition to the civil penalty, the FCC secured extra assignments for TracFone in the Consent Decree:

*   TracFone has to deploy a mandated information security program, with novel provisions to reduce API vulnerabilities in ways consistent with widely accepted standards, like those identified by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP).
*   TracFone must improve protection measures against SIM-swapping. SIM swapping (and the very similar port-out fraud) is the unlawful use of someone’s personal information to steal their phone number and swap or transfer it to another device. With this, criminals can intercept calls, messages, and certain multi-factor authentication (MFA) codes.
*   TracFone has to undergo annual assessments—including by independent third parties—of its information security program.
*   Employees and certain third parties are to receive privacy and security awareness training.

The Enforcement Bureau reported to the FCC that:

> “After gaining access to customer information during one of the three breaches, the threat actors completed an undisclosed number of unauthorized port-outs.”

 All this occurs as the FCC has continued a mission against SIM-swapping.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

****Check your exposure****

You can verify whether your information is available online due to data breaches by using the Malwarebytes Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan, and we’ll give you a report. For those whose information was not included, you’ll still likely find other exposures in previous data breaches.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 TracFone will pay $16 million to settle FCC data breach investigation 

Google has taken a new turn in the approach to eliminating third-party cookies. This time it's back to the Privacy Sandbox

For more than a year, Google has said it would phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

This week, Google tossed much of that work aside.

In an update about Google’s Privacy Sandbox, the tech giant said that due to feedback from authorities and other stakeholders in advertising, it is looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The underlying grounds for the difficulty in finding the balance are not hard to understand. The effectiveness of advertising is determined by whether you’re able to reach your target audience, but the processes involved in determining whether a website visitor belongs to your target audience or not often means that the website publisher gathers information about said visitor, which can quickly become a privacy issue.

The common method to track a visitor’s online behavior was and still involves third-party cookies. You can look at them as small files that your browser drags along the internet while sites record your interests and online behavior in them. They are the reason why you suddenly see advertisements for an article you have looked at in an online store.

When the advertising industry collectively decided they needed something better than cookies, Google introduced the Privacy Sandbox  as a “secure environment for personalization that also protects user privacy.” The idea was to get rid of third-party cookies altogether.

Later, Google started experimenting with FLoC, or “Federated Learning of Cohorts.” FLoC aimed to become a privacy-focused solution intent on delivering relevant ads by clustering large groups of people with similar interests. This way, user behavior would be processed as anonymized accounts, grouped by interests. Most importantly, user information would processed on-device rather than broadcast across the web.

The idea was to get rid of third-party cookies by 2022, but the implementation of FLoC caused so much push-back from privacy experts that Google abandoned the idea.

Then Google came up with Topics, an idea based on Privacy Sandbox where the user does not get tracked based on the sites they visit, but where each site displays contextual advertising, which means the ads match with the content on the page. But Google had to ask websites not to abuse the topics API and other browser developers showed no interest in adopting the API.

Despite Google Chrome’s browser market share (>60%), it does not have the influence needed to persuade its competitors. And the pressure is on, since other browsers like Safari and Firefox went ahead and already started blocking third-party cookies. Ironic, because the push to eliminate third-party cookies was set in motion by Google and now it’s lagging behind.

So, Google is back with a new path for the Privacy Sandbox. It proposes:

> “An updated approach that elevates user choice. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time.”

Strengthened with a new feature called IP Protection in Chrome’s Incognito Mode, this should protect the user from being identified by third parties as a potential target IP address for web-wide cross-site tracking.

Does that mean there will be yet another prompt asking the user what they want? It looks like it. But first, Google intends to put out its feelers to find out what regulators and the advertising industry have to say about this new approach.

We have a feeling that this will not be the end of this saga, and we will keep our readers informed about new developments.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

Source

Malwarebytes