In February, Reddit’s CEO called TikTok “fundamentally parasitic,” according to a report on TechCrunch, adding “it’s always listening, the fingerprinting technology they use is truly terrifying, and I could not bring myself to install an app like that on my phone… I actively tell people, ‘Don’t install that spyware on your phone.’”

TikTok called his remarks “baseless accusations made without a shred of evidence.”

But now Apple “has fixed a serious problem in iOS 14, due in the fall, where apps can secretly access the clipboard on users’ devices…” reports Forbes cybersecurity contributor Zak Doffman, noting that one of the biggest offenders it revealed still turns out to be TikTok:

Worryingly, one of the apps caught snooping [in March] by security researchers Talal Haj Bakry and Tommy Mysk was China’s TikTok. Given other security concerns raised about the app, as well as broader worries given its Chinese origins, this became a headline issue. At the time, TikTok owner Bytedance told me the problem related to the use of an outdated Google advertising SDK that was being replaced.

Well, maybe not. With the release of the new clipboard warning in the beta version of iOS 14, now with developers, TikTok seems to have been caught abusing the clipboard in a quite extraordinary way. So it seems that TikTok didn’t stop this invasive practice back in April as promised after all. Worse, the excuse has now changed. According to TikTok, the issue is now “triggered by a feature designed to identify repetitive, spammy behavior,” and has told me that it has “already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion.” In other words: We’ve been caught doing something we shouldn’t, we’ve rushed out a fix…

iOS users can relax, knowing that Apple’s latest safeguard will force TikTok to make the change, which in itself shows how critical a fix this has been. For Android users, though, there is no word yet as to whether this is an issue for them as well.

Long-time Slashdot reader schwit1 also shares an online rumor from an anonymous Redditor (with a 7-year-old account) who claims to be a software engineer who’s reverse engineered TikTok’s software and learned more scary things, concluding that TikTok is a “data collection service that is thinly-veiled as a social network.”

So far the most reputable news outlets that have repeated his allegations are Bored Panda, Stuff, Hot Hardware, and Illinois radio station WBNQ.

Originally posted on Slashdot under their own copyright.

We are glad to see Zoom’s announcement today that it plans to offer end-to-end encryption to all its users, not just those with paid subscriptions. Zoom initially stated it would develop end-to-end encryption as a premium feature. Now, after 20,000 people signed on to EFF and Mozilla’s open letter to Zoom, Zoom has done the right thing, changed course, and taken a big step forward for privacy and security.

Other enterprise companies like Slack, Microsoft, and Zoom’s direct competitor Cisco should follow suit and recognize, in the Zoom announcement’s words, “the legitimate right of all users to privacy” on their services. Companies have a prerogative to charge more money for an advanced product, but best-practice privacy and security features should not be restricted to users who can afford to pay a premium.

The pandemic has moved more activities online—and specifically onto Zoom—than ever before. For an enterprise tool like Zoom, that means new users that the company never expected and did not design for, and all the unanticipated security and privacy problems that come with that sudden growth. Zoom’s decision to offer end-to-end encryption more widely is especially important because the people who cannot afford enterprise subscriptions are often the ones who need strong security and privacy protections the most. For example, many activists rely on Zoom as an organizing tool, including the Black-led movement against police violence.

To use Zoom’s end-to-end encryption, free users will have to provide additional information, like a phone number, to authenticate. As Zoom notes, this is a common method for mitigating abuse, but phone numbers were never designed to be persistent all-purpose individual identifiers, and using them as such creates new risks for users. In different contexts, Signal, Facebook, and Twitter have all encountered disclosure and abuse problems with user phone numbers. At the very least, the phone numbers that users give Zoom should be used only for authentication, and only by Zoom. Zoom should not use these phone numbers for any other purpose, and should never require users to reveal them to other parties.

The early beta of end-to-end encryption on Zoom will arrive next month. Users should still take steps to harden their Zoom settings to defend against trolls and other privacy threats. In the meantime, we applaud Zoom’s decision to make these privacy and security enhancements available to all of their hundreds of millions of users.

Originally posted on EFF with their own copyright (CC-BY).


Teleconferencing company Zoom acknowledged it shut down the accounts of several activists and online commemorations of the Tiananmen Square massacre at China’s request. The revelation followed media reports, citing Hong Kong and U.S.-based activists, who found their accounts suspended.

Zoom confirmed the reports, in a blog post Thursday, saying China had notified it in late May and early June of four public gatherings hosted on the platform.

According to the post, China asserted the activities were illegal and requested the events and hosts’ accounts be terminated. Zoom said it determined a majority of participants in three of the events came from China and shut them down. The host accounts for the gatherings were then suspended.

“Zoom does not currently have the ability to remove specific participants from a meeting or block participants from a certain country from joining a meeting,” the company said.

None of the three accounts — two belonging to U.S.-based activists and the third to a Hong Kong activist — were based in mainland China. The company said it would no longer block accounts outside of mainland China at Beijing’s request, but did not say outright how it would handle such requests that affect users within mainland China. Instead, Zoom said, it would develop technology to block users based on geography.

“This will enable us to comply with requests from local authorities when they determine activity on our platform is illegal within their borders; however, we will also be able to protect these conversations for participants outside of those borders where the activity is allowed,” the company said.

Thursday’s acknowledgement also drew the attention of U.S. lawmakers, over Zoom’s cooperation with Chinese authorities. On Friday, a bipartisan group of senators, including Marco Rubio, R-Fla., and Ed Markey, D-Mass., sent a letter to the company’s CEO Eric Yuan.

In the letter, lawmakers asked which Chinese laws mandated that the company suspend the accounts of U.S.-based activists Zhou Fengsuo and Wang Dan. The senators also wanted to know why the company terminated the account of labor leader Lee Cheuk Yan who is based in Hong Kong. Lawmakers called the suspensions deeply concerning.

“Your company has admitted that it did so at the request of the Chinese government to comply with the laws of the People’s Republic of China (PRC), because some of the participants resided inside the PRC. … Zoom’s millions of daily users across the world who support and demand basic freedoms deserve answers,” the senators wrote.

On Friday, Lee told NPR that his event was part of a series of weekly talks: “Is China’s autocratic regime a threat to the world?” He said he found his account was blocked just before the third session.

“If you said that, you know, you follow the law of [a] country, but that country [suppresses] free speech. …Which side are you on? Free speech or suppression of free speech?” Lee said.

NPR’s John Ruwitch contributed to this story. (original story)


Often, a proprietary software company’s silence can speak as loudly
as their latest campaign against a computer user’s right to freedom.
This is the case with Microsoft’s developer-centric “Build” event.
While Microsoft announced a few more welcome additions to its free
software output, it missed the opportunity to demonstrate a real
commitment to user freedom by upcycling its recently abandoned Windows
7 operating system under a free software license.

The predictable failure here fits together well with the
corporation’s complex history of mixed messaging on freedom,
which once compared copyleft to “a virus that gobbles up intellectual
property like a Pac-Man,” and yet now would have you believe
that it “loves [free software].” Our Upcycle Windows 7 petition
has given Microsoft the perfect opportunity to take the next step in
its promotion of free software, to show that its “love” was real. We
are disappointed, but not surprised, that they have ignored this call
from us and thousands of potential users.

Although the petition signatures and “special gift” were signed,
sealed, and delivered safely to their Redmond, WA headquarters, the
FSF has not received any response from a Microsoft representative. Of
course, the COVID-19 pandemic has impacted the operations of even the
largest companies, but as of yet, we haven’t heard anything from
Microsoft suggesting this was the reason for the lack of response.
They certainly seem to have had the resources to put on a 48-hour
video marathon about proprietary software.

We can only take this to mean that it’s “business as usual” as
far as the corporation is concerned, but things don’t have to remain
that way. And while Microsoft has failed to live up to its own words,
we (and all of our petition signers) aren’t just shouting into the
void. 13,635 free software supporters from around the globe signed the
petition, and the initiative saw more than 6,000 newcomers subscribe
to the monthly Free Software Supporter newsletter.

Of course, this small setback is just another bump in the road in our
fight for a world in which people can use their computers to work,
hack, and play in complete freedom. In this vein, we encourage
everyone Microsoft has left in the lurch to give a fully free
operating system a try. Your friends, colleagues, and loved ones
might be surprised by how free software’s elegance and ease-of-use
continues to improve each day, and you might get your first glimpse of
participating in a collaborative digital community: one in
which your contributions, whether they’re in the form of code,
translations, graphic design, or bug reports, can benefit the
experience of users everywhere. And unlike a certain operating system
from Redmond, we can assure you that GNU/Linux isn’t going anywhere
anytime soon. After all, it powers the Internet!

There’s still time for Microsoft to step up and show its respect for
user freedom, and if they do, we’re ready to give them all the
assistance that they need. We’ll continue to welcome the contributions
Microsoft has been making to various free software programs. It’s not
that we don’t appreciate those. Rather, it’s that they still exist in
a context where the company appears to be trying to get the best of
both worlds — proprietary and free — and they just passed up a huge
opportunity to show their commitment by ending the waffling. But if
they still choose not to, we and every other free software activist
can take consolation in the fact that to deny users freedom is to be
on the wrong side of history.

Greg Farough from FSF


In a stunning victory for nonprofits and NGOs around the world working in the public interest, ICANN today roundly rejected Ethos Capital’s plan to transform the .ORG domain registry into a heavily indebted for-profit entity. This is an important victory that recognizes the registry’s long legacy as a mission-based, not-for-profit entity protecting the interests of thousands of organizations and the people they serve.

We’re glad ICANN listened to the many voices in the nonprofit world urging it not to support the sale of Public Interest Registry, which runs .ORG, to private equity firm Ethos Capital. The proposed buyout was an attempt by domain name industry insiders to profit off of thousands of nonprofits and NGOs around the world. Saying the sale would fundamentally change PIR into an “entity bound to serve the interests of its corporate stakeholders” with “no meaningful plan to protect or serve the .ORG community,” ICANN made clear that it saw the proposal for what it was, regardless of Ethos’ claims that nonprofits would continue to have a say in their future.

The sale threatened to bring censorship and increased operating costs to the nonprofit world. As EFF warned, a private equity-owned registry would have a financial incentive to suspend domain names—causing websites to go dark—at the request of powerful corporate interests and governments.

In a blog post about its decision, ICANN also pointed out how the deal risked the registry’s financial stability. They noted that the $1.1 billion proposed sale would change PIR “from a viable not-for-profit entity to a for-profit entity with a US$360 million debt obligation.” The debt was not for the benefit of PIR or the .ORG community, but for the financial interests of Ethos and its investors. And Ethos failed to convince ICANN that it would not drain PIR of its financial resources, putting the stability and security of the .ORG registry at risk.

“ICANN entrusted to PIR the responsibility to serve the public interest in its operation of the .ORG registry, and now ICANN is being asked to transfer that trust to a new entity without a public interest mandate.”

ICANN was not convinced by the token “stewardship council” that Ethos proposed in an attempt to add an appearance of accountability. Echoing EFF’s own letter, they noted that “the membership of the Stewardship Council is subject to the approval of PIR’s board of directors and, as a result, could become captured by or beholden to the for-profit interests of PIR’s owners and therefore are unlikely to be truly independent of Ethos Capital or PIR’s board.”

Many organizations worked hard to persuade ICANN to reject the sale. We were joined by the National Council of Nonprofits, NTEN, Access Now, The Girl Scouts of America, Consumer Reports, the YMCA, Demand Progress, OpenMedia, Fight for the Future, Wikimedia, Oxfam, Greenpeace, Consumer Reports, FarmAid, NPR, the American Red Cross, and dozens of other household names. Nonprofit professionals and technologists even gathered in Los Angeles in January to tell ICANN their concerns in person. The coalition defending the .ORG domain was as diverse as .ORG registrants themselves, encompassing all areas of public interest: aid organizations, corporate watchdogs, museums, clubs, theater companies, religious organizations, and much, much more. Petitions to reject the sale received over 64,000 signatures, and nearly 900 organizations signed on. Joining them in their concerns were Members of Congress, UN Special Rapporteurs, and state charity regulators [pdf].

A late development that affected ICANN’s decision was the letter [pdf] from California’s Attorney General, Xavier Becerra. Citing EFF and other members of the coalition, Becerra’s letter urged ICANN to reject the sale. Although ICANN received many last-minute appeals from some parts of its policymaking community urging the organization to ignore Becerra’s letter, ICANN acknowledged that as it is a California nonprofit, it could not afford to ignore its state regulator.

Because PIR is incorporated in Pennsylvania, that state’s courts must approve its conversion into a for-profit company. Pennsylvania’s attorney general is investigating the sale, and may also weigh in. In its rationale, ICANN states that it will allow PIR and Ethos to submit a new application if they are able to get the approval of this other body with authority over the deal. But all of the reasons behind ICANN’s rejection of the sale will confront Ethos in Pennsylvania, as well.

This decision by ICANN is a hard-fought victory for nonprofit Internet users. But the .ORG registry still needs a faithful steward, because the Internet Society has made clear it no longer wants that responsibility. ICANN should hold an open consultation, as they did in 2002, to select a new operator of the .ORG domain that will give nonprofits a real voice in its governance, and a real guarantee against censorship and financial exploitation.

EFF.org

Don’t watch TV coverage of Covid-19! (Or “social media”; the details are different.) Watching repetitive coverage of something frightening can interfere with clear thinking, even traumatize people.

TV news coverage of a crisis struggles to fill 24 hours a day with “information”, notwithstanding the fact that the actual flow of new information about the crisis is nowhere near sufficient to fill that time. What do they do? They repeat. They present tangential and minor details. They make the same points in different ways. They belabor the obvious. They repeat.

If your goal is to be informed, you don’t need to dwell on the crisis for hours every day. Not even one hour a day. Getting your news in this inefficient manner will waste a lot of time — and worse.

In addition, it will make you more and more anxious. Someone I knew in 2001, who lived in California, spent all day on Sep 11 and the following days watching the TV coverage. Afterward perse was afraid to go outside, watching for terrorist airplanes. TV made it possible for per to be traumatized by events 3000 miles away.

That was an unusually strong case. Most people did not get so traumatized as that. That does not imply it did not affect them. I suspect that the TV coverage may have shifted millions of people’s perceptions, so that they overestimated the danger of terrorism while downplaying the danger of laws that take away freedom. This would have smoothed the path for careless passage of the dangerous USA PAT RIOT Act and its massive surveillance.

On any good, general textual news site, you can read the things you really want to know about Covid-19 in 10 or 20 minutes a day. Then you won’t fall behind on your work, and you won’t be brainwashed into panic.

Keep calm and carry on!

Richard Stallman (original edition)