Today at a glance.
- Citizen Lab reports a Saudi Pegasus operation.
- Avast collected and sold anonymized user data.
- Data in the cloud may be beyond enterprise control.
Pegasus and the operator Citizen Lab calls “KINGDOM.”
The University of Toronto’s Citizen Lab has concluded an investigation into an attempt to install spyware on a phone belonging to a New York Times journalist, Ben Hubbard, who was hit with an attack carrying Pegasus spyware in June of 2018. Apparently the attack failed to install the intercept tool: Hubbard cautiously declined to follow the link he was sent in a smishing attempt. The hyperlink went to a site associated with what Citizen Lab calls “KINGDOM,” a Pegasus operator the Lab connects to Saudi Arabia. Other KINGDOM targets included Saudi dissidents and at least one Amnesty International staffer. Amnesty International had itself earlier concluded that the domain to which the link belonged, arabnews365[dot]com, was part of KINGDOM’s infrastructure. The incident suggests the extent to which authoritarian governments use lawful intercept tools against targets perceived to be involved with domestic dissent.
Why it pays to offer free software.
It’s a loss leader, right? Sure, sometimes. But free software can also be monetized in other, more direct ways. Motherboard and PCMag have reported the results of a joint investigation into the data collection and sharing practices of Prague-based security company Avast, and they’ve found that even anonymized data can be valuable.
Avast and its subsidiary AVG were found last month to be using their browser extensions to collect user information, but they stopped the practice after being ejected from the Opera, Mozilla, and Google stores, and after receiving adverse public comment, including a request, described then in Motherboard, from US Senator Wyden (Democrat of Oregon) to explain what they thought they were about.
But collection by browser extension was replaced by collection via Avast’s free anti-virus software. The data were anonymized in some fashion (minimally they were stripped of association with a user name) and then sent to Avast’s market intelligence subsidiary Jumpshot, which sold them to a number of large companies, including Home Depot, Google, Microsoft, Pepsi, and McKinsey. There are a variety of use cases for anonymized data, but the problem is that it may not be that difficult to de-anonymize them. PCMag offers some examples of the data being sold and some common-sense ways in which comparing them to other data can identify an individual user. For example, suppose you were a company that bought Jumpshot’s data, and the data included a purchase on your site. It would not be difficult to know who bought what at that particular moment in time.
Avast, which did obtain some form of consent from its users in the form of their acceptance of terms and conditions, is now offering users of its product a chance to opt out of the collection. That’s unlikely to satisfy critics: PCMag writes that US Senator Warner (Democrat of Virginia) has asked the Federal Trade Commission to increase enforcement actions against collection and sale of customer data.
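The timestamp comparison described above can be turned into a pre-release risk check. The following is an added example, not code from Avast, Jumpshot, PCMag, or Motherboard: it counts how many pseudonymous device IDs in an export line up with exactly one entry in a reference order log, and how that count changes when timestamps are released at coarser precision. The field layout, URLs, names, and the two-second clock-skew allowance are all assumptions constructed for illustration.

```python
from datetime import datetime

CHECKOUT = "https://shop.example/checkout/done"  # constructed URL

# Constructed pseudonymized export: (device_id, UTC timestamp, URL).
RELEASED = [
    ("dev-a1", "2019-12-01T10:15:02", CHECKOUT),
    ("dev-a1", "2019-12-01T10:20:41", "https://news.example/health"),
    ("dev-a1", "2019-12-01T10:31:00", "https://maps.example/route"),
    ("dev-b2", "2019-12-01T10:47:30", CHECKOUT),
    ("dev-b2", "2019-12-01T10:50:00", "https://video.example/watch"),
    ("dev-c3", "2019-12-01T11:05:10", CHECKOUT),
    ("dev-c3", "2019-12-01T11:06:00", "https://mail.example/inbox"),
]

# Constructed reference log held by the site operator: (customer, UTC timestamp).
ORDERS = [
    ("alice", "2019-12-01T10:15:03"),
    ("bob", "2019-12-01T10:47:31"),
    ("carol", "2019-12-01T11:05:10"),
]


def epoch(ts):
    """Parse a naive ISO timestamp as UTC and return whole epoch seconds."""
    return int(datetime.fromisoformat(ts + "+00:00").timestamp())


def unique_links(released, orders, url, precision_s=1, skew_s=2):
    """Return {customer: (device_id, other_events_exposed)} for every order
    that matches exactly one device when export timestamps are floored to
    precision_s seconds. skew_s allows for clock drift between the two logs."""
    per_device = {}
    for dev, ts, u in released:
        start = epoch(ts) // precision_s * precision_s  # what the export reveals
        per_device.setdefault(dev, []).append((start, u))
    links = {}
    for customer, ts in orders:
        t = epoch(ts)
        candidates = {
            dev
            for dev, events in per_device.items()
            for start, u in events
            if u == url and start - skew_s <= t < start + precision_s + skew_s
        }
        if len(candidates) == 1:  # unambiguous: one pseudonym fits this order
            dev = candidates.pop()
            links[customer] = (dev, len(per_device[dev]) - 1)
    return links
```

With one-second timestamps all three constructed orders resolve to a single device; flooring the export to the hour leaves only one unambiguous match, which shows that coarsening reduces linkage but does not eliminate it.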
Control of data in the cloud.
There are many reasons of convenience, economy, and security for moving to the cloud, but a McAfee study concludes that there are downsides as well, particularly from the point of view of data security. “Enterprise Supernova: The Data Dispersion Cloud Adoption and Risk Report” finds that too many enterprises move to cloud services without adequate vetting, due diligence, or data loss prevention programs.