Apple yesterday removed Boom the Encryption Keyboard, an app that allowed Chinese internet users to bypass censorship, from the China app store, according to its developer.

Wang Huiyu, a New York-based Chinese citizen in his 20s, told Quartz that he developed Boom together with one of his university classmates during the outbreak of the coronavirus. Part of the motivation for Wang to develop the app, which went live on Feb. 15, was to offer people a chance to counter rigid online surveillance, and to provide them with an entertaining private messaging app.

According to an email sent by Apple to Wang, the app was removed because it contained content that is illegal in China. The app is still available in other regions, including Hong Kong, he said.

I designed the app because I wanted to remind people of the importance of privacy, and my target customers are people born after 1995 or 2000. I feel those under 20 will be able to accept new things and ideas the fastest, said Wang.

Boom encrypts text, both in Chinese and English, by turning them into emoji or Japanese or Korean characters, as well as rearranging lines of text in random order. The receivers of such messages can decrypt them by copying the emoji or characters using the app, with the original text then displayed automatically on the keyboards interface. As Chinas blanket online censorship relies heavily on the detection of key words or even pictures containing sensitive words, apps like Boom can help users avoid such scrutiny.

Another app developed by Wang, which offered animated wallpapers featuring political figures including former Chinese leader Jiang Zemin, was also removed (link in Chinese) from Apples mainland China app store on the same day as Boom, he said.

Apple has removed apps from its China app store in the past for containingillegal content. Among the apps that have been pulled were Quartzs news app, which was removed from the China app store last year.

Apple did not immediately reply to a request for comment.

While most apps that enable encrypted messages and communications have long been banned in China, Wang said he suspects Boom drew the attention of authorities because of the way Chinese internet users quickly moved to preserve a particular coronavirus-linked article from being scrubbed by censors recently.

The article in question is an interview with Ai Fen, a Wuhan doctor who said she was reprimanded for alerting other people about the novel coronavirus. The article, published on March 10 by Chinas Ren Wu magazine, was deleted within hours of its publication. Various versions of the article, including those reproduced in emoji, English, and even Hebrew, emerged after the deletion as people scrambled to save Ais story, part of a broader wave of efforts by internet users in China to prevent censors from removing crucial stories and memories related to the epidemic. Wang said downloads of Boom from mainland China surged after the incident.

Apple has been repeatedly accused of bowing to China by removing apps, such as a Hong Kong live map app that allowed protesters to crowdsource police movements during last years protests in the city.

Continued here:
Encryption app to avoid coronavirus censorship removed by Apple in China - Quartz

Theres a new bill in the works to fight against child sexual abuse material (CSAM) and other risky services on the internet but it could come at a cost to online privacy.

Eliminating Abusive or Rampant Neglect of Interactive Technologies (EARN IT) was proposed by the Senate Judiciary Committee and sponsored by senators from both sides of the aisle such as Lindsey Graham (R-SC) and Richard Blumenthal (D-CT). The bill is also supported by the National Center for Missing and Exploited Children and the National Center on Sexual Exploitation.

However, this bill is problematic for both freedom of speech and privacy online according to Riana Pfefferkorn, associate director of Surveillance and Cybersecurity at the Center for Internet and Society.

This bill is trying to convert your anger at Big Tech into law enforcements long-desired dream of banning strong encryption, argued Pfefferkorn in a blog post. Pfefferkorns detailed explanation says EARN IT appears less like a legitimate way to prevent the spread of child exploitation content and more like a covert attempt to ban end-to-end encryption, without having to ban it outright.

At the end of January 2020, a draft of the proposal was leaked and met with similar apprehension not only by Big tech juggernauts (Facebook, Google, etc.) but also their sometimes opposing counterparts, freedom of speech advocates.

Were concerned the EARN IT Act may be used to roll back encryption, which protects everyones safety from hackers and criminals, and may limit the ability of American companies to provide the private and secure services that people expect, Facebook spokesperson Thomas Richards said in a statement to the Washington Post.

Clearly, the issue could not be more sensitive. Patrick A. Trueman, president and CEO of the National Center on Sexual Exploitation, recently voiced this opinion, apparently advocating for EARN IT.

Right now, Big Tech has no incentive to prevent predators from grooming, recruiting, and trafficking children online and as a result countless children have fallen victim to child abusers on platforms like Instagram, Snapchat, and TikTok, said Trueman.

While everyone who has publicly condemned EARN IT has also stated a universal commitment to child safety online and in the real world, many say the bills far-reaching approach to content moderation could do more harm than good by essentially eliminating private conversations across the internet, particularly on social media platforms and messaging apps.

To fully comprehend what EARN IT proposes, one needs to understand the importance of two bills passed in the 90s. These laid the groundwork for how privacy and free speech are supposed to operate for U.S. citizens.

First, Section 230 of the Communications Decency Act (CDA), passed in 1996, allows for the continued development of the internet as a free market and universal good for free speech. Section 230 says that online platforms or providers of interactive computer services mostly cannot be held responsible for the things their users say or do on their platforms. It uses the term mostly instead of always because platforms are still liable for exceptions that violate intellectual and federal criminal law. Essentially, this means if someone is defamed for being a fraud, that person can sue their defamer, but they cannot sue the platform for providing the space for free speech.

Second, the Communications Assistance for Law Enforcement Act (CALEA), passed in 1994, requires telecom providers to make their networks wiretappable for law enforcement. However, it also ensured a carve-out for encrypted messages and information services where websites, email, social media, messaging apps and cloud storage fall out of CALEAs jurisdiction.

The purpose of these carve-outs was to reach a compromise between the competing interests of network security providers, privacy advocates, civil liberties, technological growth and law enforcement. In combination, Section 230 and CALEA prevent regulation from suffocating growth and development of the U.S. information economy.

Since the 90s, more regulation has passed to undo Section 230. Section 230 has been amended since it was passed: SESTA/FOSTA, enacted in 2018, pierces providers immunity from civil and state-law claims about sex trafficking, wrote Pfefferkorn. SESTA/FOSTA is currently being challenged in federal court being unconstitutional and doing more harm than good.

There is also already a regulatory reporting scheme for online providers combatting CSAM. Also, Section 230 does not keep federal prosecutors from holding providers accountable for CSAM on their services.

While the current reporting schemes success is questionable, there is reasonable evidence to believe that EARN IT is an attempt to regulate communication on the internet more broadly.

The so-called EARN IT bill will strip Section 230 protections away from any website that doesnt follow a list of best practices, meaning those sites can be sued into bankruptcy, writes Joe Mullin, a policy analyst with the Electronic Freedom Foundation.

Mullin is referring to how EARN IT would target CSAM. It proposes to do this by creating a federal commission to develop a list of best practices for preventing CSAM that online platform providers would have to follow or else lose their immunity under Section 230 meaning they could be sued into bankruptcy. This commission would largely be made up of law enforcement and allied groups such as the National Center for Missing and Exploited Children (NCMEC).

According to Mullin, The best practices list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption and guarantee law enforcement legal access to any digital message.

Although the word encryption does not appear anywhere in the EARN IT bill, Mullin is suspicious of how the federal commission might design best practices. For instance, in an earlier draft of the bill, the NCMEC Vice-President stated that online services should be made to screen all messages using screening technology approved by themselves and law enforcement, report what they find in messages to the NCMEC and be held legally responsible for the content of the messages sent by others.

In short, the commission could quietly give backdoor access to all U.S. hosted information services, undoing encrypted messages altogether.

Mullin, Pfefferkorn and other outspoken critics of EARN IT all agree that the bills proposed execution is opening the door for the elimination of encryption: the fact that it is never explicitly addressed is especially concerning..

According to Mullin, its also possible that the current draft of EARN IT will be amended to undo the damage it could do to online privacy. Could be as straightforward as putting a clause in[,] saying the bill doesnt apply to encryption, he writes.

However, until some amendment occurs, critics are wary of a federal commission consisting of fewer than twenty people, according to the latest reports, who would be making large-scale privacy and security decisions for the entire U.S. population.

Such a potentially big power grab would seem a bit ridiculous, but Pfefferkorn also acknowledged that EARN IT rides on a wave of resentment or techlash the U.S. population has begun to harbor against many internet-based companies. This animosity is directed toward both U.S. tech juggernauts, whose business models run off of surveillance capitalism and online free speech platforms which, for the average person, can feel like the concentrated font of human venality every time we open our phones, according to Pfefferkorn.

In general, free speech on social media platforms is already a nuanced and complicated topic. Even under Section 230, social media platforms can still censor content when they deem it inappropriate internally. For example, Twitter has a keyword blacklist and the protocol for how it works can change on a dime.

For Nozomi Hayase, social psychologist and writer, surveillance of encrypted messaging is a movement toward forfeiting democracy. By Hayases reasoning, privacy is a prerequisite for a kind of solitude that allows people to think and act independently and is, therefore, essential to a functioning democratic society.

Democracy requires sovereign individuals who are able to communicate with one another freely. This freedom comes with great responsibility, said Hayase, who recognized EARN IT as the newest installment of a dangerous trend toward online censorship. If we really want to have a truly democratic society, we have to accept the fact that it is the duty of each person to develop his or her own moral capacity to determine what is right and wrong, instead of depending on an external authority to tell us what we should or should not do.

Currently, EARN IT has been referred to the Senate Judiciary Committee. Citizens can contact their congressmen directly or take action through the Electronic Frontier Foundations website.

More here:
EARN IT: The US Anti-Encryption Bill That Threatens Private Speech... - Bitcoin Magazine

While the whole world is being crippled by the coronavirus pandemic, China, the country to be first affected, says that its not improving drastically.

It is, however, questionable whether they improved as a result of the prompt healthcare delivery or blatant censorship that hides whats really going on in the country.

The latter may be equally true, considering Chinas rampant authoritarian censorship practices.

Apple is now amidst more censorship drama with the Chinese government.

The big tech company is under pressure for removing an app from the Chinese App Store that was being used to share news related to the pandemic inside the country.

The Boom Text Encryption Keyboard app by Huiyu Wang, a New York-based Chinese developer, was developed in an effort to encrypt and decrypt text messages.

Chinese citizens used the app to share information and get a hold of the recent developments surrounding the coronavirus pandemic.

At a juncture where the Chinese government may end up tightening the leash around information circulation, apps such as Boom are invaluable.

The app makes use of techniques such as emoji replacement and word jumbling to facilitate encrypted message communication.

The app allowed Chinese users to share information about the coronavirus without being detected by the filters deployed by the Chinese government.

It was first available when the coronavirus infestation reached up to mainland China. Based on Wangs recent tweet, it was found that Apple pulled out the app as it was content that is illegal in China.

Wang says that the app must have attracted attention from the Chinese officials when it was used to circulate an interview related to Coronavirus that the government was trying to censor.

Whats more, Wang says that his social media profiles as well as an app, completely unrelated to the encrypted keyboard, were now removed.

Alas, this hasnt been the first time Apple has censored on behalf of the Chinese government.

Time and again, Apple took down several apps, especially VPN applications from the App Store just because the Chinese government directed it to do so.

While proclaiming that privacy is a human right, the tech giant ends up removing several applications that allow the Chinese netizens to have private conversations and steer clear of the censorship imposed by their government.

Continued here:
Apple censors encrypted chat app BOOM on behalf of Chinese government - Reclaim The Net

from the encrypt-ALL-the-things! dept

Be it Cambridge Analytica, Equifax, or wireless carrier location data, the U.S. has already faced a steady parade of privacy and security related scandals. Now as countries around the world hunker down to slow the rate of COVID-19, the problem could easily grow even larger as a chain reaction of implications make privacy, security, and tools like encryption more important than ever.

Millions of Americans are now telecommuting for the first time. As they do so, more than a few of them won't be wise enough to use basic security precautions while handling sensitive work or health related data. And as we've noted for years, services like VPNs often don't provide reliable protection, given it's hard to verify just how secure or trustworthy service owners are. Many services were already shady as hell, and even the reliable offerings may struggle under the load.

Many folks are already using the pandemic as scam fodder. As a result, the shift to home work -- and the dramatic spike in healthcare information being shoveled around the internet -- means that the battle over encryption is also more important than ever:

As with everything this pandemic is going to touch, there are layers and layers of complications here. Many popular teleconferencing services don't have particularly great privacy standards. And with no U.S. privacy law to speak of for the internet era (outside of the problematic COPPA), it shouldn't be hard to see how we might run into some additional problems. It should also be easy to see how the pandemic may provide justification for all manner of problematic privacy and security related behavior, from the war on encryption to the quest to expand domestic surveillance.

Israel, for example, has started using a previously unknown database of phone location data to help track the spread of COVID-19. The Washington Post this week indicated that both Google and Facebook (that bastion of privacy-related trust) are also working with the U.S. government to explore the use of location data to help combat the spread of the virus. Experts suggest that we should be able to walk and chew gum at the same time, including data sharing and sunset provisions into any efforts designed to battle the pandemic:

We're only going to have so much attention to go around as we worry about ourselves, our families, and our livelihoods. Unfortunately, the pandemic could easily provide cover for the steady expansion of problematic domestic surveillance efforts that continues at a pretty brisk clip, even in normal times.

Filed Under: covid-19, encryption, privacy, surveillance, tracking

See more here:
Privacy & Encryption Will Be More Important Than Ever In Wake Of Coronavirus - Techdirt

The Covid-19 pandemic is impacting communities around the world. For the 2 billion of those people who also use the encrypted communication service WhatsApp, now more than ever is a time for calling, messaging, and seeking trustworthy information. So the World Health Organization is going where the people are, launching a new tool called WHO Health Alert on WhatsApp today.

When you text "hi" to +41 79 893 1892 over WhatsApp, you'll receive back a text from the WHO that includes a variety of menu items for the latest information, like novel coronavirus infection rates around the world, travel advisories, and misinformation that should be debunked. Think of it like a hotline: Text 1 for the latest statistics, 4 for mythbusters, that type of thing. The WHO can also send out proactive alerts as needed to everyone who's signed up.

Read all of our coronavirus coverage here.

The WHO isn't the first to enlist WhatsApp in this manner. The Facebook-owned app's ubiquity and experience handling disinformation has made an obvious choice for governments and international organizations, placing it squarely at the center of the novel coronavirus responsewith all the responsibility and controversy that entails.

"We already have over one million people signed up even though we havent even announced it yet," says Will Cathcart, who runs WhatsApp, of WHO Health Alert. "It's great. There seems to be a lot of appetite from people for ways to get good, accurate information and were happy to do what we can there to help."

Helplines are preferable in many ways to landing pages, social media profiles, or massive open channels, because they allow governments to use WhatsApp like regular users, having one-to-one interactions with constituents. The only difference is that the responses are automated.

Organizations can find out their options for setting up similar chatbot mechanisms at this landing page for WhatsApp's Coronavirus resources. The bots run through WhatsApp's business application programming interface, which maintains WhatsApp's encryption and allows entities to manage their services

All the new institutional uses combined with widespread social isolation means that more people than ever are using WhatsApp for messagingand an especially large volume of phone calls and video chats. To keep up with demand, Cathcart says that WhatsApp has nearly doubled its server capacity in the last few weeks.

"We dont know whats coming, and we view WhatsApp as a lifeline for people to communicate when they need it. And the core thing we offer is that itll be there and work," he says. "Were hearing all these amazing anecdotes especially out of places on the front lines of things like health care workers using WhatsApp to communicate with patients, to communicate with each other. Schools using it to try to do remote education, people using it to keep in touch with their friends and family, either through messaging, but actually exceptionally through video calling and voice calling. And were seeing that in the data with a ton of extra usage."

On a platform that has struggled for years to curb misinformation, all of that extra usage has also bred pandemic-related rumors and myths. WhatsApp's end-to-end encryption means that only the devices at either end of a communication hold data unencrypted. WhatsApp itself is totally boxed out of being able to access user communications other than metadata like which accounts are interacting. This means the company can't moderate content on the service like social networks can. Users can communicate on WhatsApp without being surveilled by oppressive governments, but those same protections can also make it easier for misinformation to spread. Meanwhile, law enforcement in the US and around the world have increasingly lobbied to undermine end-to-end encryption.

Cathcart says WhatsApp's priority, even more so during the pandemic, is to elevate accurate information and support fact-checking organizations around the world. The company announced a $1 million donation on Wednesday to the Poynter Institute's International Fact-Checking Network. The goal is to help buoy the #CoronaVirusFacts Alliance, which is bringing together 100 local organizations in more than 45 countries to fight Covid-19-related disinformation.

Read the original here:
WhatsApp Is at the Center of Coronavirus Response - WIRED

Proof-of-concept exploit code has emerged for last month's data-leaking Krk vulnerability present in a billion-plus Wi-Fi-connected devices and computers.

The team at infosec outfit Hexway told The Register on Friday it has crafted a working exploit for the flaw which is present in equipment that uses Broadcom's communications chipsets. This design blunder can be abused by nearby miscreants to snatch snapshots of private data, such as web requests, messages, and passwords, over the air from devices as they are transmitted, if said data is not securely encrypted using an encapsulating protocol, such as HTTPS, DNS-over-HTTPS, a VPN, and SSH.

Crucially, to pull this off, a hacker does not need to be on the same Wi-Fi network as the victim: just within radio range of a vulnerable phone, gateway, laptop, or whatever is being probed.

"Among the devices vulnerable to this attack are the ones from Samsung, Apple, Xiaomi and other popular brands," Hexway told The Register. "To perform the Krk attack, a hacker just needs his or her victim to be connected to the Wi-Fi."

Designated CVE-2019-15126, the Krk bug revolves around the transmission data buffers in Broadcom chips. Researchers at ESET found that, in specific circumstances, an attacker can force a nearby device to disconnect from its Wi-Fi point, causing it to emit any data still in its transmit buffer with an encryption key value of zero. Thus a nearby snooper can decrypt this transmitted information flushed from the buffer. If the data isn't wrapped up in additional encryption, such as HTTPS, it can be read as plain text.

Hexway has managed to weaponize the design error in Broadcom's hardware by using a Raspberry Pi 3 with a Python script. This setup was able to yield keys and private data from a Sony Xperia Z3 Compact and Huawei Honor 4X, because they use the vulnerable chipset.

It is also believed that certain models of Amazon Echo and Kindle, Google Nexus smartphones, and both the iPad and iPhone are vulnerable to the flaw.

"After testing this PoC on different devices, we found out that the data of the clients that generated plenty of UDP traffic was the easiest to intercept," Hexway said in an advisory accompanying its code.

"Among those clients, for example, there are various streaming apps because this kind of traffic (unlike small TCP packets) will always be kept in the buffer of a Wi-Fi chip."

Those so inclined can get the script from Hexway via GitHub. Meanwhile, security outfit Thice has cooked up its own exploit proof-of-concept as well.

The Thice report includes further details on the flaw, which may not be as bad as feared.

"So, yeah, Krk is real and not that hard to exploit when a vulnerable router is involved," says the Thice recap. "However, the amount of data that you can steal this way is limited since it is only a couple of packets per disconnect."

If you haven't already done so, and if you're able to, and if it's necessary, check for and install software patches from your devices' manufacturers to address the Krk vulnerability.

Sponsored: Webcast: Why you need managed detection and response

Visit link:
Bored during lockdown? Why not try out these data-spilling Krk Wi-Fi bug exploits against your nearby devices - The Register