Facebook is secretly using your iPhone’s camera as you scroll your feed

iPhone owners, beware. It appears Facebook might be actively using your camera without your knowledge while you’re scrolling your feed.

The issue has come to light after a user going by the name Joshua Maddux took to Twitter to report the unusual behavior, which occurs in the Facebook app for iOS. In footage he shared, you can see his camera actively working in the background as he scrolls through his feed.

The problem becomes evident due to a bug that shows the camera feed in a tiny sliver on the left side of your screen, when you open a photo in the app and swipe down. TNW has since been able to independently reproduce the issue.

Here’s what this looks like:

Maddux adds he found the same issue on five iPhone devices running iOS 13.2.2, but was unable to reproduce it on iOS 12. “I will note that iPhones running iOS 12 don’t show the camera (not to say that it’s not being used),” he said.

The findings are consistent with our own attempts. While iPhones running iOS 13.2.2 indeed show the camera actively working in the background, the issue doesn’t appear to affect iOS 13.1.3. We further noticed the issue only occurs if you have given the Facebook app access to your camera. If not, it appears the Facebook app tries to access it, but iOS blocks the attempt.

It remains unclear if this is expected behavior or simply a bug in the software for iOS (we all know what Facebook will say; spoiler: “Muh, duh, guh, it’s a bug. We sorry.”). For what it’s worth, we’ve been unable to reproduce the issue on Android (version 10, used on Google Pixel 4).

Whatever the reason for it, though, this behavior is particularly concerning — especially considering Facebook’s atrocious track record when it comes to user privacy (remember Cambridge Analytica?).

By now, everyone should be well aware that any iOS app that has been granted access to your camera can secretly record you. Back in 2017, researcher Felix Krause spoke to TNW about the same issue.

At the time, the researcher noted one way to deal with this privacy concern is to revoke camera access (though that arguably doesn’t make for a smooth software experience). Another thing he suggested is covering up your camera — like former FBI director James Comey and Facebook’s own emperor Mark Zuckerberg do. Learn from the pros, I guess.

We’ve reached out to Facebook for further comment, and will update this piece accordingly if we hear back.

Source: thenextweb.com

FaceApp is back and so are privacy concerns

FaceApp, a Russia-based app that applies filters to photos, is having another moment in the spotlight this week. The app first went viral in 2017, but this time it’s catching on because of a filter that makes users look older or younger. As with the last viral moment, however, users have been surprised to learn that the app’s creators are harvesting metadata from their photos.

Close research suggests FaceApp isn’t doing anything particularly unusual in either its code or its network traffic, so if you’re worried about FaceApp, there are probably a bunch of other apps on your phone doing the same thing. Still, the conversation does bring attention to standard tech practices that might be more invasive than users realize.

To use the app, iOS users select specific photos they want to put filters on, and there’s no evidence of the app downloading a user’s entire photo roll. The company then uploads the specific images to its servers to apply the filter. FaceApp never spells out that it’s downloading the filtered photo, but it’s not unusual, as iOS researcher and CEO of Guardian Firewall Will Strafach noted on Twitter.

Theoretically, FaceApp could process these photos on the device itself, but Yaroslav Goncharov, an ex-Yandex exec and CEO of the Russian company that created the app, previously told The Verge that photos uploaded to the app are stored on the company’s servers to save bandwidth if several filters are applied, and that they get deleted not long after. In a statement to TechCrunch, FaceApp said it accepts requests from users to remove their data from its servers. The team is currently “overloaded,” but users can send the request through Setting>Support>Report a bug with the word “privacy” in the subject line.

Of course, we don’t know if FaceApp actually deletes the photo data, but it’s worth remembering that we upload photos of our faces to companies’ servers all the time. The only difference in this case is that unlike Facebook or Google, FaceApp is Russia-based, and thereby inherits ill will because of Americans’ perception of the country. FaceApp says no user data is transferred to Russia. Researcher Jane Wong also publicized her findings around FaceApp and noted that she wished users could delete their own data, although it now seems they can issue a request.

Another potential privacy issue people have taken note of is that the company’s privacy policy incorporates broad language that allows it to use people’s usernames, names, and likeness for commercial purposes. Lawyer Elizabeth Potts Weinstein also says the policy isn’t GDPR-compliant. Still, while this isn’t great, users often agree to wide-ranging policies that specifically use abstract language (a great way to avoid a lawsuit!). And they have no say in the matter; either they use the service or they don’t. FaceApp says it doesn’t sell user data to third parties.

FaceApp might not be a major privacy concern, but as with any app, there are always trade-offs. If you want to see what you could look like at 80 years old, you have to forfeit your photo, which includes your face. As some have pointed out, simply basing the app in Russia could expose your photos to the country’s security services. Similar claims could be made for apps based in China or even the US, but it doesn’t make the exposure any less troubling. Still, the FaceApp conversation is a worthy one to have; people should think about how their data is being used before sharing it with an unknown app.

Source: The Verge

Google Duplex starts rolling out to iPhones and more Android phones

Google’s automated calling service, Duplex, is starting to roll out to iPhones and a lot more Android phones. The service, which lets a human-sounding robot voice make phone calls on your behalf to book restaurant reservations, launched on the latest Pixel devices in December. Google announced in March that it would come to more phones shortly, and now that rollout has begun.

In an email, a Google spokesperson confirmed that broader Duplex rollout started this week. The service is supposed to be available on all devices running Android 5.0 and higher as well as any iPhones with the Google Assistant app installed. Currently, the service only works in English, in 43 US states.

XDA-Developers reports seeing Duplex work on Samsung’s Galaxy S10 Plus. We haven’t seen reports of Duplex being live on any other phones yet, but it’s a sign that the expansion is underway.

Apple reactivates Facebook’s employee apps after punishment for Research spying

After TechCrunch caught Facebook violating Apple’s employee-only app distribution policy to pay people for all their phone data, Apple invalidated the social network’s Enterprise Certificate as punishment. That deactivated not only the Facebook Research app VPN, but also all of Facebook’s internal iOS apps for workplace collaboration, beta testing and even getting the company lunch or bus schedule. That threw Facebook’s offices into chaos yesterday morning. Now, after nearly two work days, Apple has ended Facebook’s time-out and restored its Enterprise Certification. That means employees can once again access all their office tools, pre-launch test versions of Facebook and Instagram… and the lunch menu.

A Facebook spokesperson issued this statement to TechCrunch: “We have had our Enterprise Certification, which enables our internal employee applications, restored. We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.”

Meanwhile, TechCrunch’s follow-up report found that Google was also violating the Enterprise Certificate program with its own “market research” VPN app called Screenwise Meter that paid people to snoop on their phone activity. After we informed Google and Apple yesterday, Google quickly apologized and took down the app. But apparently in service of consistency, this morning Apple invalidated Google’s Enterprise Certificate too, breaking its employee-only iOS apps.

Google’s internal apps are still broken. Unlike Facebook, which has tons of employees on iOS, Google at least employs plenty of users of its own Android platform, so the disruption may have caused fewer problems in Mountain View than in Menlo Park. “We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” said a Google spokesperson. A spokesperson for Apple said: “We are working together with Google to help them reinstate their enterprise certificates very quickly.”

TechCrunch’s investigation found that the Facebook Research app not only installed an Enterprise Certificate on users’ phones and a VPN that could collect their data, but also demanded root network access that allows Facebook to man-in-the-middle their traffic and even decrypt secure transmissions. It paid users aged 13 to 35 $10 to $20 per month to run the app so it could collect competitive intelligence on whom to buy or copy. The Facebook Research app contained numerous code references to Onavo Protect, the app Apple banned and pushed Facebook to remove last August, yet Facebook kept on operating the Research data collection program.

When we first contacted Facebook, it claimed the Research app and its Enterprise Certificate distribution that sidestepped Apple’s oversight was in line with Apple’s policy. Seven hours later, Facebook announced it would shut down the Research app on iOS (though it’s still running on Android, which has fewer rules). Facebook also claimed that “there was nothing ‘secret’ about this,” challenging the characterization of our reporting. However, TechCrunch has since reviewed communications proving that the Facebook Research program threatened legal action if its users spoke publicly about the app. That sounds pretty “secret” to us.

Then we learned yesterday morning that Facebook hadn’t voluntarily pulled the app, as Apple had actually already invalidated Facebook’s Enterprise Certificate, thereby breaking the Research app and the social network’s employee tools. Apple provided this brutal statement, which it in turn applied to Google today:

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.

Apple is being likened to a vigilante privacy regulator overseeing Facebook and Google by The Verge’s Casey Newton and The New York Times’ Kevin Roose, perhaps with too much power, given they’re all competitors. But in this case, both Facebook and Google blatantly violated Apple’s policies to collect the maximum amount of data about iOS users, including teenagers. That means Apple was fully within its right to shut down their market research apps. Breaking their employee apps too could be seen as just collateral damage since they all use the same Enterprise Certification, or as additional punishment for violating the rules. This only becomes a real problem if Apple steps beyond the boundaries of its policies. But now, all eyes are on how it enforces its rules, whether to benefit its users or beat up on its rivals.