Discovery of Microphone in Google’s Nest Guard Prompts Backlash
The discovery of a microphone in Google’s Nest Guard product that was not listed in the tech spec has been put down to an erroneous omission by Google, but it has also caused a backlash that escalated to the US Congress.
What Happened?
One of Google’s products is Nest Secure, a home security system that operates using a phone app, a main hub with alarm, keypad and motion sensor (and now Google Assistant built in), Nest Detect sensors for doors and windows, and a tag that the homeowner taps on the main hub on entering the house to disarm the system. Earlier this month, the addition of Google’s digital assistant to the product led to the surprise discovery that the main hub unit had always had a microphone installed in it, even though the microphone was not mentioned in the technical specifications for the product.
The discovery of what appeared to be a “secret” microphone has, therefore, prompted anger and discussion among privacy and security advocates and commentators, concern from consumers, bad publicity for Google, and calls for action by a Senator, a Congressman, and many others.
Google Says …
Google’s response to the discovery was simply to apologise for what was an “error” and oversight on its part for not listing the microphone in the tech spec for the system, and to stress that the microphone was not intended to be ‘secret’ and had not been used until the addition of the Google Assistant.
It has also been reported that Google has said that one of the reasons for the microphone’s inclusion had originally been to allow future functionality, for example, to detect breaking glass in the home.
Criticism
Google has faced anger and criticism from many different angles over the discovery of the microphone including:
- Maryland Congressman John Delaney calling for privacy legislation to now be applied to a broad range of tech products. Mr Delaney also proposed that electronic tech products should have labelling on them like that on food products, so consumers can be quickly and easily alerted to any privacy and security implications.
- Virginia Senator Mark Warner, chairman of the Senate Intelligence Committee, calling for hearings with federal agencies and the U.S. Congress about the digital economy, and the smart home ecosystem.
- The Electronic Privacy Information Center (EPIC) calling on the Federal Trade Commission (FTC) to require, via an enforcement action, that Google divest itself of its Nest hardware products and disgorge any data that it may wrongfully have obtained from Nest customers.
What Does This Mean For Your Business?
Smart electronic products and devices are now in homes and businesses everywhere, but consumers and business owners should have the right to be clearly informed about the security and privacy implications of those products so that they can make an informed choice about whether to buy and operate them.
As some commentators have noted, the arguments that it’s easier to ask for forgiveness than seek permission or that ‘it’s in the fine print’, shouldn’t be acceptable privacy policies from tech companies. The idea of food packaging-style labelling on smart tech products to help inform about security and privacy implications may not be a bad one, and if the tech industry can’t regulate itself on this matter then more legislation to protect consumers and businesses seems likely.
This is a damaging story in terms of trust and reputation for Google, particularly in the US where the story has been given greater prominence and may cause consumers to think twice about the kinds of smart products that they let into their homes and businesses.
New York’s Governor Orders Investigation Into Facebook Over App Concerns
The Governor of New York, Andrew Cuomo, has ordered an investigation into reports that Facebook Inc may be using apps on users’ smartphones to collect personal information about them.
Alerted By Wall Street Journal
The Wall Street Journal prompted the Governor to order New York’s Department of State and Department of Financial Services (DFS) to investigate Facebook when the paper reported that Facebook may have more access than it should to data from certain apps, sometimes even when a person isn’t even signed in to Facebook.
Health Data
It has been reported that the kind of data that some apps allegedly share with Facebook includes health-related information such as weight, blood pressure and ovulation status.
The alleged sharing of this kind of sensitive and personal data, whether or not a person is logged in to Facebook, prompted Governor Cuomo to call the practice an “outrageous abuse of privacy.”
Defence
Facebook’s defence against these allegations, which appears to have prompted a short-lived but noticeable fall in Facebook’s share value, was to point out that WSJ’s report focused on how other apps use people’s data to create ads.
Facebook added that it requires other app developers to be clear with their users about the information they are sharing with Facebook and that it prohibits app developers from sending sensitive data to Facebook.
The social media giant also stressed that it tries to detect and remove any data that should not be shared with it.
Lawsuits Pending
This appears to be just one of several legal fronts where Facebook will need to defend itself. For example, Facebook is still facing a U.S. Federal Trade Commission investigation into the alleged inappropriate sharing of information belonging to 87 million Facebook users with now-defunct political consulting firm Cambridge Analytica.
Apple Also Accused By Governor Over FaceTime Bug
New York’s Governor Cuomo and New York Attorney General Letitia James have also announced an investigation into Apple Inc’s alleged failure to warn customers about a bug in its FaceTime app that could inadvertently allow eavesdropping, as iPhone users were able to listen to the conversations of others who had not yet accepted a video call.
DFS Involvement
The Department of Financial Services (DFS), one of the two agencies that have been ordered to investigate this latest Facebook app-sharing matter, has only recently begun to get more involved in digital matters, particularly by producing the country’s first cybersecurity rules governing state-regulated financial institutions such as banks, insurers and credit monitors.
Some commentators have expressed concern, however, about the DFS saying last month that the life insurers it regulates could use social media posts in underwriting their policies, on the condition that they did not discriminate based on race, colour, national origin, sexual orientation or other protected classes.
What Does This Mean For Your Business?
You could be forgiven for thinking that, after the scandal over Facebook’s unauthorised sharing of the personal details of 87 million users with Cambridge Analytica, Facebook might have learned its lesson about the sharing of personal data and tried harder to uncover and plug any loopholes that could allow this to happen. The tech giant still has several lawsuits and regulatory inquiries over privacy issues pending, and this latest revelation about the sharing of very personal health information certainly won’t help its cause. Clearly, as the involvement of the DFS shows, there needs to be more oversight of (and investigation into) apps that share their data with Facebook, and possibly more legislation and regulation of the smart app / smart tech ecosystem.
There are ways to stop Facebook from sharing your data with other apps via your phone settings and by disabling Facebook’s data sharing platform. You can find instructions here: https://www.techbout.com/stop-facebook-from-sharing-your-personal-data-with-other-apps-37307/
Tech Tip – Encrypting Documents Stored on Google Drive
If you use Google Drive to store files in the cloud but are worried that Google doesn’t provide a true password-protection feature, you may want to encrypt your files before uploading them. Here’s how:
If you have Microsoft Office on your PC, it has a built-in encryption feature.
– Go to: File > Protect Document > Encrypt with Password.
– Upload the file to Google Docs.
– Google can’t read the file, but it can be downloaded and opened on any PC with Microsoft Office installed (using the password).
If you don’t have Microsoft Office, you could use Boxcryptor. This is free for syncing one cloud storage service between two PCs.
– Install Boxcryptor (see boxcryptor.com).
– Enable Google Drive in Boxcryptor’s settings.
– Access Boxcryptor from Windows Explorer’s sidebar.
– Go to: Boxcryptor > Encrypt option, and watch the checkbox turn green.
The encrypted files will then be placed in Google Drive, but won’t be accessible unless you have Boxcryptor installed and logged in.
If you’re looking for a solution that’s free and can be used with any cloud storage service and any device, you may want to try VeraCrypt (for Windows, macOS, and Linux). It creates an encrypted container in which you can store the files you want and put them anywhere for safe keeping.
– Install VeraCrypt (see veracrypt.fr).
– Create a new encrypted file container within your Google Drive folder.
– Mount that file from VeraCrypt’s main window (it will appear as if it were an external hard drive).
– Drag your sensitive files there and unmount the volume.
You will need VeraCrypt installed on any PC to access the documents inside that container.
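The same principle as the tips above (encrypt on your own machine so the cloud provider only ever holds ciphertext) can be scripted without Office, Boxcryptor or VeraCrypt. The following is an added example, not part of the original tip and not code from any of those vendors: it uses OpenSSL’s symmetric encryption (AES-256-CBC with PBKDF2 key stretching) to encrypt a file before it is dropped into a sync folder. The sync folder path, the sample file contents and the passphrase are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: encrypt a file locally before it goes into a cloud sync folder.
# Uses the standard `openssl enc` command (OpenSSL 1.1.1 or later for -pbkdf2).
set -eu

ITERATIONS=200000   # PBKDF2 iteration count; slows down passphrase guessing

# encrypt_file PLAINTEXT OUTPUT PASSPHRASE
# Writes a salted, passphrase-derived AES-256-CBC ciphertext to OUTPUT.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITERATIONS" \
        -in "$1" -out "$2" -pass "pass:$3"
}

# decrypt_file CIPHERTEXT OUTPUT PASSPHRASE
# Fails (non-zero exit) when the passphrase is wrong and padding does not check out.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITERATIONS" \
        -in "$1" -out "$2" -pass "pass:$3"
}

# plaintext_leaked CIPHERTEXT MARKER
# Returns 0 if MARKER is still visible in the ciphertext, i.e. encryption did not happen.
plaintext_leaked() {
    grep -q "$2" "$1"
}

# Stand-alone demo: run as `sh encrypt_before_upload.sh demo`
if [ "${1:-}" = "demo" ]; then
    SYNC_DIR="${HOME}/Google Drive"           # assumption: local sync folder path
    WORK=$(mktemp -d)
    printf 'CONFIDENTIAL: constructed sample document\n' > "$WORK/notes.txt"
    encrypt_file "$WORK/notes.txt" "$WORK/notes.txt.enc" 'example-passphrase'
    if plaintext_leaked "$WORK/notes.txt.enc" CONFIDENTIAL; then
        echo "encryption failed, not uploading" >&2; exit 1
    fi
    mkdir -p "$SYNC_DIR" && cp "$WORK/notes.txt.enc" "$SYNC_DIR/"
    echo "uploaded $SYNC_DIR/notes.txt.enc (plaintext stays in $WORK)"
fi
```

Only the `.enc` file should ever reach the sync folder; keep the plaintext outside it. Note that `openssl enc` provides confidentiality but no tamper detection, so someone who can modify the stored file could corrupt it undetected; for files where integrity matters as much as secrecy, a tool that authenticates the ciphertext (such as GnuPG or a VeraCrypt container, as above) is the better fit.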
Kellogg’s Uses Virtual Reality To Sell More Cornflakes
Breakfast cereal manufacturer Kellogg’s has been working with third-party VR companies to help it determine the best way to display its new products in stores.
Who?
Kellogg’s is reported to have been working on a pilot scheme with Accenture and Qualcomm. Accenture is a Dublin-based global management consulting and professional services firm with a strong digital skill-set, and Qualcomm Inc is a US-based world leader in 3G and next-generation mobile technologies.
What?
The pilot’s aim was to determine the best in-store placement for Kellogg’s new Pop Tart Bites. This involved the use of Accenture’s Extended Reality (XR) software and Qualcomm’s VR headsets. This combination gave test subjects an immersive and 360-degree experience of a simulated store environment in which they were able to ‘virtually’ pick products, place items in shopping trolleys and make purchases.
Monitoring
The VR headsets and XR software enabled Kellogg’s to closely and precisely monitor the user’s eye movements. The analytics meant that this test was also able to yield data such as which new products the test subjects looked at and how long they looked at the products.
New Insights Reveal Surprising Result
Whereas traditional understanding of in-store product placement points towards eye-level (or close to it) as an ideal spot, the new insights that the technology provided in this pilot concluded that positioning the new product on a lower shelf could increase sales of the product by 18%.
Growing Trend
The use of a combination of VR, AR and analytics in retail environments has been a growing trend among big brands in recent times.
Brick-and-mortar retail chains have, however, been criticised for reacting slowly to the introduction of technology that could help them and have found themselves at a disadvantage to online retailers who have been able to use digital technology to hyper-personalise retail experiences for their customers. The brick-and-mortar retailers have also been faced with challenges caused by economic and cultural shifts, e.g. customers moving more towards online shopping.
Change In The Landscape
It’s not just manufacturer brands that are now able to take advantage of the technological change in the landscape to benefit sales.
Retailers now have access to many affordable and relatively easy-to-use AI development tools, such as those offered by big tech vendors like Google, Microsoft and Amazon. This means that building an AI or machine learning system has never been easier. Retail chains, for example, also have the advantage of access to massive amounts of data which can be used in a value-adding way with analytics and AI.
What Does This Mean For Your Business?
This story illustrates how the combination of new technologies such as VR, AI and advanced analytics has yielded new insights which could make a greater contribution to sales than more traditional methods.
The portable nature of the technology (and the AI aspect) means that it is also able to deliver these value-adding insights more quickly and cheaply than before, thereby contributing to faster and more effective product launches and more successful product strategies. The superior insights gained from combining new technologies such as these mean that it is now possible to make product placement decisions that could positively impact total brand sales, rather than only single product sales.
Potential Jail For Clicking on Terror Links
The new UK Counter-Terrorism and Border Security Act 2019 means that you could face up to 15 years in jail if you visit web pages where you can obtain information that’s deemed to be useful to ‘committing or preparing an act of terrorism’.
Really?
The government states that the Act is needed to “make provision in relation to terrorism; to make provision enabling persons at ports and borders to be questioned for national security and other related purposes; and for connected purposes”.
As shown at legislation.gov.uk, Chapter 1, Section 3 of the Act, which amends Section 58 of the Terrorism Act 2000 (collection of information), states for example that, unless you are carrying out work as a journalist or for academic research, a person who “views, or otherwise accesses, by means of the internet a document or record containing information of that kind”, i.e. (under the new subsection) information of a kind likely to be useful to a person committing or preparing an act of terrorism, can be punished under the new Act.
Longer Sentences
The new Act increases the sentences from The Terrorism Act 2000, so that a sentence of 15 years is now possible in some circumstances.
The Most Terror Deaths in Europe in 2017
A Europol report showed that the UK suffered more deaths as a result of terror attacks than any other country in Europe in 2017. The bill which has now become the new law was first introduced on 6th June 2018 after calls for urgent action to deal with terrorism, following three terrorist attacks on the UK within 3 months back in 2017.
Online Problem
One of the key areas that it is hoped the law will help to tackle is how the internet and particularly social media can be used to recruit, radicalise and raise money.
Criticism
The new Act, which received royal assent on 12th February, has been criticised by some as being inflexible, based too much upon ‘thought crime’, and being likely to affect more of those at the receiving end of information rather than those producing and distributing it. The new law has also been criticised for infringing upon the privacy and freedom of individuals to freely browse the internet in private without fear of criminal repercussion, as long as that browsing doesn’t contribute to the dissemination of materials that incite violent or intolerant behaviour.
The new Act has been further criticised by MPs for breaching human rights and has been criticised by legal experts such as Max Hill QC, the Independent Reviewer of Terrorism Legislation, who is reported as saying that the new law may be likely to catch far too many people, and that a 15-year prison sentence is “difficult to countenance when nothing is to be done with the material, it is not passed to a third party, and it is not being collected for a terrorist purpose.”
What Does This Mean For Your Business?
We may assume that most people will be unlikely to willingly view the kind of material that could result in a prison sentence, and many in the UK are likely to welcome a law that provides greater protection against those who plan and commit terror attacks or who are seeking to use online means to recruit, radicalise and raise money. The worry is that such a law should not be so stringent and inflexible as to punish those who are not viewing or collecting material for terrorist purposes, and there are clearly many prominent commentators who believe that this law may do this.
Businesses, organisations and venues of all kinds are often caught up in (or are the focus of) terror attacks and/or must ensure that they invest in security and other measures to make sure that their customers, staff and other stakeholders are protected. A safer environment for all in the UK is, of course, welcome, but many would argue that this should not be at the expense of the levels of freedom and privacy that we currently enjoy.
Scooter Hack Threat
An investigation by researchers at Zimperium® found a security flaw in the Xiaomi M365 electric scooter (the same model that is used by ridesharing companies) which could allow hackers to take control of the scooter’s acceleration and braking.
Xiaomi M365
The Xiaomi M365 is a folding, lightweight, stand-on ‘smart’ scooter with an electric motor that retails online for around £300 to £400. It is battery-powered, with a maximum speed of 15 mph, and features a “Smart App” that can track a user’s riding habits and riding speed, as well as the battery life, and more.
What Security Flaw?
The ‘smart’ scooter has a Bluetooth connection so that users can interact with its features via an app, e.g. to use its anti-theft system or to update the scooter’s firmware. Each scooter is protected by a password, but the security flaw identified by the Zimperium® researchers is that the password is only checked by the app for validation and authentication: commands can still be sent to, and executed by, the scooter itself without the password.
The researchers found that they could use the Bluetooth connection as a way in. Using this kind of hack, it is estimated that an attacker only needs to be within 100 meters of the scooter to launch a denial-of-service attack via Bluetooth, which could enable them to install malicious firmware. This firmware could be used by the attacker to take control of the scooter’s acceleration and braking. This could put the rider in danger if an attacker chose to suddenly and remotely cause the scooter to brake or accelerate without warning. The researchers also found that they could use this kind of attack to lock a scooter via its anti-theft feature without authentication or the user’s consent.
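The design weakness described above, a password that only the companion app checks, is easiest to see side by side with the pattern that avoids it: the device itself holds a secret and requires each connection to prove knowledge of it before it acts on any command. The following is an added illustration written for this article; it is not Zimperium’s research code, not Xiaomi’s firmware or protocol, and does not speak real Bluetooth. The command names, the pairing salt and the password are constructed for the example.

```python
"""Added illustration: app-side-only password check versus device-side authentication.

Both classes model the command handler inside a Bluetooth-controlled device.
Nothing here is the M365 protocol; names and values are constructed for the example.
"""
import hashlib
import hmac
import os

# constructed command set for the toy device (not Xiaomi's commands)
COMMANDS = {"set_speed_limit", "lock", "flash_firmware"}
PAIRING_SALT = b"constructed-pairing-salt"  # assumption: fixed at pairing time


def derive_key(password: str) -> bytes:
    """Turn the user's password into a device key; both sides compute the same value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PAIRING_SALT, 100_000)


class AppOnlyPasswordDevice:
    """Weak pattern the research describes: the app prompts for a password, but the
    device never checks anything, so any connected peer can issue commands."""

    def __init__(self) -> None:
        self.log: list[str] = []

    def handle(self, cmd: str) -> str:
        if cmd not in COMMANDS:
            return "unknown command"
        self.log.append(cmd)          # executed with no proof of who sent it
        return "executed"


class DeviceAuthenticatedDevice:
    """Hardened pattern: the device holds the derived key and demands an HMAC
    challenge-response on every session before any state-changing command runs."""

    def __init__(self, password: str) -> None:
        self._key = derive_key(password)
        self._pending: bytes | None = None
        self._authed = False
        self.log: list[str] = []

    def challenge(self) -> bytes:
        """Fresh random nonce per session; starting a new challenge drops any prior auth."""
        self._pending = os.urandom(16)
        self._authed = False
        return self._pending

    def authenticate(self, response: bytes) -> bool:
        """Accept only a response computed from the current nonce and the right key."""
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None          # nonce is single-use; no replay of an old response
        self._authed = hmac.compare_digest(expected, response)
        return self._authed

    def handle(self, cmd: str) -> str:
        if cmd not in COMMANDS:
            return "unknown command"
        if not self._authed:
            return "rejected: not authenticated"
        self.log.append(cmd)
        return "executed"


def app_response(password: str, challenge: bytes) -> bytes:
    """What the legitimate app computes; without the password it cannot produce this."""
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


if __name__ == "__main__":
    weak = AppOnlyPasswordDevice()
    print("weak device, no auth:", weak.handle("lock"))
    strong = DeviceAuthenticatedDevice("constructed-password")
    print("strong device, no auth:", strong.handle("lock"))
    nonce = strong.challenge()
    strong.authenticate(app_response("constructed-password", nonce))
    print("strong device, after auth:", strong.handle("lock"))
```

The point for anyone specifying or buying a connected product is where the check lives: if the only enforcement is in the app, the password protects the app’s user interface and nothing else. Moving the check onto the device, with a per-session nonce so an old response cannot be replayed, is what makes the password protect the scooter. A real product would additionally bind the session key to an encrypted transport so commands after authentication cannot be injected.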
Told The Company
The researchers made a video of their findings as proof, contacted Xiaomi and informed the company about the nature of the security flaw. It has been reported that Xiaomi confirmed that it is a known issue internally, but that no announcement has been made yet about a fix. The researchers at Zimperium® have stated online that the scooter’s security can’t be fixed by the user and still needs to be updated by Xiaomi or any third parties they work with.
Suggestion From The Researchers
The researchers have suggested that, in the absence of a fix to date, users can stop attackers from connecting to the scooter remotely by using Xiaomi’s app from their mobile before riding and connecting to the scooter. Once the user’s mobile is connected and kept connected to the scooter an attacker can’t remotely flash malicious firmware or lock the scooter.
What Does This Mean For Your Business?
This is another example of how smart products/IoT products of all kinds can be vulnerable to attack via their Bluetooth or Internet connections, particularly where there are password issues. Usually, the risk comes from smart products from the same manufacturer all being given the same default password which the user doesn’t change. In this case, the password works with the app, but it appears that the password isn’t being used to protect the product itself.
There have been many examples to date of smart products being vulnerable to attack. For example, back in November 2017, the German telecoms regulator, the Federal Network Agency, banned the sale of smartwatches to children and asked parents to destroy any that they already had over fears that they could be hacked and children could be spied upon. Also, back in 2016, cyber-criminals were able to take over many thousands of household IoT devices (white goods, CCTV cameras and printers) and use them together as a botnet to launch an online DDoS attack (Mirai) on the DNS service ‘Dyn’ with global consequences, i.e. putting Twitter, Spotify, and Reddit temporarily out of action.
Manufacturers of smart products clearly need to take great care in the R&D process to make sure that the online security aspects have been thoroughly examined. Any company deploying IoT devices in any environment should also require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to specific and measurable criteria. In the mobile ecosystem and in adjacent industries, for example, the GSMA provides guidelines to help with IoT security.
As buyers of smart products, making sure that we change default passwords, and making sure that we stay up to date with any patches and fixes for smart products can be ways to reduce some of the risks. Businesses may also want to conduct an audit and risk assessment for known IoT devices that are used in the business.