\n
\nOne of the types of problematic interaction the reviewers were helping Apple deal with was accidental triggers. In other words, they were reviewing snippets of content from those times when Siri would just randomly wake up when you didn’t intentionally trigger the feature by saying the wake-word.<\/p>\n
Contractors described hearing deeply personal information while reviewing snippets including medical discussions, legal advice, and even possible criminal conspiracies in the making.<\/p>\n
Technically speaking Apple did not violate their privacy policy or public statements, but we all seem to have assumed that the analysis<\/em> we knew was happening was being done by computers, not humans, and we definitely didn’t assume it was being done by humans who don’t work directly for Apple.<\/p>\n The story soon grew legs, and it became clear this is not just an Apple thing, but that all the major voice assistants use humans (we’d known Amazon did this before, and that there were horrible abuses going on with those recordings). It also seems this is bigger than just voice assistants, Skype’s real-time translation service also apparently relies on human review of clips, as may Cortana.<\/p>\n The end-result is that all the major voice assistants (Apple, Google & Amazon) have suspended their human review programs. Apple have said that they will add a setting to allow users to use Siri but opt out of human review. (I’ve found no further details on the situation with Skype\/Cortana so I presume human review continues at Microsoft.)<\/p>\n In the end, we’ve ended up with a better future for Siri, and I’m sure Google and Amazon will follow suit before they un-suspend their review services too.<\/p>\n A major report by the Washington Post in conjunction with security researchers have shone a light on a long-standing avenue of abuse \u2014 browser plugins.<\/p>\n JavaScript within web pages is sandboxed. It can’t interact with the underlying OS, its interactions with the browser are extremely limited, and it can’t access information in tabs from other websites that are open at the same time.<\/p>\n Browser plugins are different. They are still sandboxed very heavily, but in a much larger playground! They can have some interaction with the underlying OS, though that’s very tightly controlled. What’s much more important to understand is that they have a lot of free rein within the browser. The whole point of a plugin is to add new functionality to the browser, so this is not just sensible, it’s essential. This is absolutely a feature, and definitely not a bug!<\/p>\n Browser plugins can see all the tabs you have open, and can see into them and interact with the HTML, CSS & JavaScript within them. Browser plugins can also make their own network connections, so they can communicate directly with servers on the internet. Again, if plugins couldn’t do this they wouldn’t be able to do their thing! Imagine if the 1Password plugin couldn’t use a local socket to talk to the master 1Password app to access usernames and passwords, and if it couldn’t interact with web pages to write the usernames and passwords into the text boxes. What use would it be? What use would any plugin be if it couldn’t interact with the contents of your tabs?<\/p>\n 1Password is using the access plugins have as users expect. It does what it promises to do, and nothing more. There is of course nothing stopping less scrupulous developers adding code to their plugins that does things users are not expecting!<\/p>\n What this means is that installing a plugin is an act of trust. You are trusting that the developer who wrote the plugin has your best interests at heart, and that they’re being completely honest in the plugin’s description.<\/p>\n Unsurprisingly, it turns out many are not 🙁<\/p>\n This is yet another follow the money<\/em> story. The existence of free plugins from for-profit companies should raise red flags in all our minds. How are they making money from these plugins?<\/p>\n Well, one of the ways developers can monetise their plugins is to collect and sell browsing data. Plugins can see every URL you go to, how long you stay there, and how actively you interact with each page. They even know what buttons and links you pushed while on the page. This is a positive gold-mine for the ad industry, so of course there is a market for this information 🙁<\/p>\n What the Washington Post found is that this type of privacy abuse is absolutely rampant, affecting millions of users every day, and that this kind of bad behaviour is not limited to obscure developers, but affects many popular free plugins.<\/p>\n The bottom line is very simple \u2014 every time you install a plugin, you are trusting the author, so be conscious of that, and only install plugins you have a good reason to trust. Perhaps they are by a developer you trust, or, perhaps they have been recommended by a person or site you trust.<\/p>\n The days of just installing any plugin on a whim are over, or at least they should be!<\/p>\n Capital One announced that their systems have been hacked and that attackers accessed customer data and data on people who merely applied for credit cards from Capital One.<\/p>\n According to their official FAQ, 100M Americans and 6M Canadians are affected. The data accessed does not include credit card details, though in about 1% of cases it included Social Security Numbers\/Social Insurance Numbers (about 140K in the US and 1M in Canada). In general the data included “names, addresses, zip codes\/postal codes, phone numbers, email addresses, dates of birth, and self-reported income”<\/em>. For customers the data also included “credit scores, credit limits, balances, payment history [&] contact information”<\/em> as well as “fragments of transaction data from a total of 23 days during 2016, 2017 and 2018”<\/em>, and even “about 80,000 linked bank account numbers”<\/em>.<\/p>\n Note:<\/strong> When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" Security Medium 1 \u2014 Human Review of Voice Assistant Recordings The Guardian newspaper started what turned out to be a far-ranging controversy be reporting that when Apple said they kept anonymised Siri recordings for analysis, that analysis included grading by human beings. Specifically, by outside contractors.<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[221,2650,3532,3533,2133,3531,50,569,1115],"class_list":["post-19024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-alexa","tag-breach","tag-browser-plugins","tag-capital-one","tag-google-assistant","tag-human-review-voice-assistants","tag-security","tag-security-bits","tag-siri"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=19024"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19024\/revisions"}],"predecessor-version":[{"id":19031,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19024\/revisions\/19031"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=19024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=19024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=19024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Links<\/h4>\n
\n
Security Medium 2 \u2014 Beware of Privacy-Invading Browser Plugins<\/h3>\n
Links<\/h4>\n
\n
Security Medium 3 \u2014 🇺🇸 🇨🇦 The Capital One Breach<\/h3>\n
Links<\/h4>\n
\n
Notable Security Updates<\/h3>\n
\n
Notable News<\/h3>\n
\n
\n
Suggested Reading<\/h3>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Palate Cleansers<\/h3>\n
\n
\n
![\"The](\"https:\/\/imgs.xkcd.com\/comics\/devotion_to_duty.png\")
xkcd.com\/705<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n