At a glance.
- Zero-day exploitation correlated with spyware deployment.
- Class action complaint alleges Google's G Suite for Education violated minor students' privacy.
- Senator calls for an explanation of Zoom's privacy policies and practices.
Zero-day exploitation rose in 2019, much of it associated with spyware vendors.
A FireEye study concludes that zero-day exploitation now depends upon money more than it does on skill. 2019 saw an uptick in zero-day attacks. "We surmise that access to zero-day capabilities is becoming increasingly commodified based on the proportion of zero-days exploited in the wild by suspected customers of private companies."
Many of the incidents the report tracks, especially those in the Middle East, have some connection to NSO Group. The researchers conjecture that the increase in zero-day use observed over the course of 2019 could indicate either that intelligence services are making more use of private contractors, or that the vendors are selling tools to customers who themselves have more slipshod operational security, and poor opsec simply makes the use of zero-days more obvious. Or, of course, it could be both.
Google faces class action suit over G Suite for Education.
A class action suit has been filed in the US District Court of Northern California alleging that Google has illegally collected personally identifiable information, including facial and vocal biometric data. The plaintiffs allege that the improper data collection occurred through Chromebooks used by students that came preloaded with G Suite for Education, which includes student versions of Gmail, Calendar, Drive, Docs, Sheets, and other Google applications. The two plaintiffs are minor children who are bringing the action through their father.
The complaint says that Google violated the Illinois Biometric Information Privacy Act (regarded as the strongest state biometric privacy bill in the US) as well as California’s Unfair Competition Law and the Federal Children’s Online Privacy Protection Act. In addition to face templates and voiceprints, Google is alleged to collect and store the following kinds of personally identifiable information on users, the majority of whom are minor children, and to have done so without proper notification and permission:
- physical locations,
- websites visited,
- every search term used in Google’s search engine, and the results the users clicked on,
- videos watched on YouTube,
- personal contact lists,
- voice recordings,
- saved passwords, and
- "other behavioral information."
Zoom attracts more Congressional scrutiny, now from the US Senate.
Senator Michael Bennet (Democrat of Colorado) added a letter yesterday to the one his House colleagues sent Zoom CEO Eric Yuan. He's particularly concerned with privacy, and among other things wants a comprehensive account of the data Zoom collects on its users and a list of all the third parties with whom it shares such data. He would like a reply by April 15th.