The FBI has issued a warning to Apple and Android device users regarding potential vulnerabilities in Rich Communication Services (RCS). While RCS was designed to replace traditional SMS with enhanced features, a critical security flaw has made it a risky option for messaging. Currently, RCS messages exchanged between Apple and Android devices lack end-to-end encryption, exposing users to potential cyber threats.
Apple introduced RCS support to its iMessage app with iOS 18 to facilitate seamless communication between iPhone and Android users. However, unlike secure messaging apps like Signal or WhatsApp, RCS lacks end-to-end encryption for messages exchanged across these platforms. This absence of encryption leaves sensitive information vulnerable to interception by unauthorized individuals, including hackers and rogue actors.
The FBI’s warning follows a significant breach known as the Salt Typhoon attack, which targeted major U.S. telecommunications carriers. This breach highlighted the vulnerabilities in unencrypted messaging systems. In response, both the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have recommended using secure messaging platforms to mitigate such risks.
The GSMA, which oversees RCS technology, is actively working to implement end-to-end encryption for RCS messages. While progress has been made through industry collaboration, no specific timeline has been provided for the rollout of these crucial security updates.
Until RCS achieves full encryption, users are advised to switch to secure messaging apps that offer robust end-to-end encryption. Popular options include:
In related news, Apple users are urged to update their devices to iOS 18.2 to address a critical vulnerability in the Apple Password app. This flaw could potentially expose sensitive user information, making the update essential for enhanced security.
While the integration of RCS messaging aims to enhance cross-platform communication, the current lack of encryption poses significant risks. As the industry works toward resolving these vulnerabilities, users are encouraged to rely on secure messaging apps and keep their devices updated with the latest security patches. Taking proactive steps and making informed decisions remain vital for ensuring safety in the digital landscape.
The evolving relationship between travel and data privacy is sparking significant debate among travellers and experts. A recent Spanish regulation requiring hotels and Airbnb hosts to collect personal guest data has particularly drawn criticism, with some privacy-conscious tourists likening it to invasive surveillance. This backlash highlights broader concerns about the expanding use of personal data in travel.
This trend is not confined to Spain. Across the European Union, regulations now mandate biometric data collection, such as fingerprints, for non-citizens entering the Schengen zone. Airports and border control points increasingly rely on these measures to streamline security and enhance surveillance. Advocates argue that such systems improve safety and efficiency, with Chris Jones of Statewatch noting their roots in international efforts to combat terrorism, driven by UN resolutions and supported by major global powers like the US, China, and Russia.
Despite their intended benefits, systems leveraging Passenger Name Record (PNR) data and biometrics often fall short of expectations. Algorithmic misidentifications can lead to unjust travel delays or outright denials. Biometric systems also face significant logistical and security challenges. While they are designed to reduce processing times at borders, system failures frequently result in delays. Additionally, storing such sensitive data introduces serious risks. For instance, the 2019 Marriott data breach exposed unencrypted passport details of millions of guests, underscoring the vulnerabilities in large-scale data storage.
The European Union’s effort to create the world’s largest biometric database has sparked concern among privacy advocates. Such a trove of data is an attractive target for both hackers and intelligence agencies. The increasing use of facial recognition technology at airports—from Abu Dhabi’s Zayed International to London Heathrow—further complicates the privacy landscape. While some travelers appreciate the convenience, others fear the long-term implications of this data being stored and potentially misused.
Prominent figures like Elon Musk openly support these technologies, envisioning their adoption in American airports. However, critics argue that such measures often prioritize efficiency over individual privacy. In the UK, stricter regulations have limited the use of facial recognition systems at airports. Yet, alternative tracking technologies are gaining momentum, with trials at train stations exploring non-facial data to monitor passengers. This reflects ongoing innovation by technology firms seeking to navigate legal restrictions.
According to Gus Hosein of Privacy International, borders serve as fertile ground for experiments in data-driven travel technologies, often at the expense of individual rights. These developments point to the inevitability of data-centric travel but also emphasize the need for transparent policies and safeguards. Balancing security demands with privacy concerns remains a critical challenge as these technologies evolve.
For travelers, the trade-off between convenience and the protection of personal information grows increasingly complex with every technological advance. As governments and companies push forward with data-driven solutions, the debate over privacy and transparency will only intensify, shaping the future of travel for years to come.
In a recent video hearing for the case Acevedo v. eXp, related to a sexual assault claim, a judge deliberated on whether to grant a protective order that would prevent a forensic examination of eXp founder and chairman Glenn Sanford's cell phone during the discovery process.
The plaintiff argued that Sanford’s right to privacy does not override their request for electronically stored information (ESI) to review metadata. Courtrooms increasingly rely on text message screenshots as evidence, but the authenticity of these screenshots is frequently called into question. In a prior case, Sanford provided screenshots of text messages, but these alone failed to meet evidentiary standards for authenticity.
Sanford submitted screenshots of text message conversations in court, which the plaintiffs argued were insufficient for evidentiary purposes. According to RisMedia, the self-collection method allegedly used by Sanford was inadequate. The US District Court for the Southern District of New York, under Judge Judith Rosenberg, issued a protective order requiring Sanford to collaborate with a digital evidence expert. This ensures that the extraction and verification of text messages from the physical device adhere to strict privacy safeguards.
Forensic analysis plays a pivotal role in ensuring the authenticity of digital evidence. The process retrieves all available data without bias, including potentially deleted content, to present a complete and credible picture of the evidence while respecting privacy concerns.
Forensic investigations rely on cutting-edge tools like Cellebrite and Magnet Forensics GrayKey to extract comprehensive data from mobile devices. This process, known as forensic acquisition, systematically retrieves all available data fields without prefiltering, ensuring that no evidence is overlooked.
The complexity of mobile data storage presents challenges, making exhaustive and unbiased data collection essential to meet evidentiary standards. Forensic analysis goes beyond recovering visible messages by retrieving associated metadata, deleted communications, and other artifacts to provide a complete picture of the evidence.
While forensic investigations are invaluable for uncovering the truth, their intrusive nature raises significant privacy concerns. Judge Rosenberg's protective order aims to strike a balance between maintaining the integrity of the forensic process and safeguarding individual privacy. The order emphasizes responsible handling of sensitive data while ensuring that the evidence presented in court is credible.
Traditional SMS and MMS messages are logged by mobile carriers, generating call detail records (CDRs) that include timestamps, phone numbers, and network information. However, these records do not contain the content of the messages, which is typically deleted shortly after transmission. Internet-based messaging platforms like iMessage, WhatsApp, and Telegram bypass traditional cellular networks, leaving carriers unable to log these communications.
Forensic analysis of physical devices remains the most reliable way to retrieve complete messaging data, including metadata and deleted content, from these platforms. Such detailed analysis ensures that digital evidence can withstand rigorous scrutiny in court.
The eXp Realty case highlights the increasing reliance on advanced digital forensic methods to address the limitations of traditional evidence like screenshots. Comprehensive forensic investigations provide verifiable records, capturing nuanced details that enhance the reliability of evidence.
Courts are increasingly adopting protective orders to balance privacy with evidentiary needs, emphasizing the importance of accurate and trustworthy evidence. This case illustrates how digital forensic methods are evolving to meet the demands of modern legal disputes in an era dominated by technology.
A VPN enhances online privacy by encrypting internet traffic and masking IP addresses. However, how often should you switch servers? The answer depends on your goals and usage patterns, as server hopping offers benefits but is not always necessary.
A VPN server acts as an intermediary between your device and the internet, creating an encrypted tunnel for your data. This ensures that your online activity remains private and your information is protected from hackers, ISPs, and other snoopers. The VPN server assigns a new IP address to mask your location and identity.
Switching servers can sometimes boost privacy in specific situations, such as for users facing surveillance or censorship. For most users, however, keeping the VPN connected to a single server is sufficient to maintain privacy. Regularly switching servers can disrupt your browsing experience without significantly enhancing security.
One of the primary reasons for server switching is to bypass geographic restrictions. Many streaming platforms and websites restrict content based on location, but connecting to a server in a different country can help access otherwise unavailable material. This is particularly useful for travelers or those in regions with heavy internet censorship.
Some VPNs offer specialized servers for tasks like streaming, torrenting, or gaming. While these servers are optimized for specific activities, switching back to a general server after completing the task can provide a better overall experience for everyday browsing.
Server performance can vary based on factors like server load and proximity to your physical location. If a server is overcrowded or located far away, switching to a closer or less busy one can improve connection speed and stability. This is especially helpful for users seeking faster downloads or uninterrupted streaming.
Server hopping can also help save money when shopping online. Many websites adjust prices based on the user’s location. By connecting to servers in different regions, you may find lower prices on flights, hotels, or products. Experimenting with various locations can help uncover better deals.
Access issues can arise when certain VPN IP addresses are flagged or blacklisted due to misuse by other users. In such cases, switching to a different server can resolve the problem. Some VPNs also offer dedicated IP addresses for an additional fee, reducing the risk of being blocked.
Despite these advantages, most users don’t need to switch servers frequently. A consistent connection to a single server already provides privacy and security benefits. Unless you’re trying to bypass geo-restrictions, troubleshoot access issues, or improve connection speed, sticking to one server is generally sufficient.
Ultimately, server hopping is a useful feature for those with specific needs but isn’t essential for everyday VPN use. By understanding how and when to switch servers, you can make the most of your VPN experience while maintaining privacy and performance.
The US Federal Trade Commission (FTC) has filed actions against two US-based data brokers for allegedly engaging in illegal tracking of users' location data. The data was reportedly used to trace individuals in sensitive locations such as hospitals, churches, military bases, and other protected areas. It was then sold for purposes including advertising, political campaigns, immigration enforcement, and government use.
The Georgia-based data broker, Mobilewalla, has been accused of tracking residents of domestic abuse shelters and protestors during the George Floyd demonstrations in 2020. According to the FTC, Mobilewalla allegedly attempted to identify protestors’ racial identities by tracing their smartphones. The company’s actions raise serious privacy and ethical concerns.
The FTC also suspects Gravy Analytics and its subsidiary Venntel of misusing customer location data without consent. Reports indicate they used this data to “unfairly infer health decisions and religious beliefs,” as highlighted by TechCrunch. These actions have drawn criticism for their potential to exploit sensitive personal information.
The FTC revealed that Gravy Analytics collected over 17 billion location signals from more than 1 billion smartphones daily. The data was allegedly sold to federal law enforcement agencies such as the Drug Enforcement Agency (DEA), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI).
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk. This is the FTC’s fourth action this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.”
As part of two settlements announced by the FTC, Mobilewalla and Gravy Analytics will cease collecting sensitive location data from customers. They are also required to delete the historical data they have amassed about millions of Americans over time.
The settlements mandate that the companies establish a sensitive location data program to identify and restrict tracking and disclosing customer information from specific locations. These protected areas include religious organizations, medical facilities, schools, and other sensitive sites.
Additionally, the FTC’s order requires the companies to maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of data that reveals their precise location or mobile device information.
CFPB Director Rohit Chopra emphasized the agency’s commitment to addressing the “widespread evasion” of federal privacy laws by data brokers. He noted that these companies often operate outside the regulatory frameworks governing credit bureaus and tenant screening firms, profiting from data sales while exposing consumers to significant risks.
"This rule represents a decisive step to ensure that those trafficking in Americans' most sensitive information face accountability," Chopra stated during a press briefing.
The proposed rule aims to reclassify data brokers under the same legal framework as credit bureaus and background check companies, thereby closing a longstanding regulatory gap. It would impose restrictions on selling data that identifies individuals, such as Social Security numbers, income histories, and credit scores, limiting the ability of data brokers to monetize private information.
The CFPB’s proposal aligns with momentum from President Biden’s recent executive order targeting the sale of Americans’ personal data. The move reflects growing public and governmental scrutiny of data brokers, who have faced criticism for exploiting lax regulations to generate profits at the expense of consumer privacy.
Chopra underscored the dangers of unregulated data sales, describing the risks as "staggering." He highlighted the threat to individuals and national security posed by the unrestricted availability of Americans’ private information to virtually anyone willing to pay.
The FCRA, enacted in 1970, was designed to ensure the privacy and accuracy of consumer data managed by reporting agencies. However, the absence of comprehensive national data protection laws has left Americans more vulnerable compared to citizens in other Western democracies.
If enacted, the new rule would represent a significant step in federal efforts to regulate data brokers, building on Congress’s original intent in passing the FCRA—to protect Americans’ personal data. The public will have until March 2025 to provide comments on the proposed rule, which could face challenges from the incoming administration's deregulatory stance.
Despite potential political obstacles, Chopra pointed to bipartisan acknowledgment of the risks posed by data brokers: "This isn’t a partisan issue. The dangers of unregulated access to Americans’ private data are recognized across the political spectrum."
Stakeholder reactions, including those from consumer advocacy groups and the data broker industry, are expected to shape the final form of the rule. While some industry players may resist the changes, advocates for stronger privacy protections view the proposal as a much-needed step to safeguard consumer rights in an increasingly data-driven economy.
If adopted, the rule would signify a pivotal shift in how sensitive data is handled in the U.S., setting a potential precedent for broader privacy protections. By regulating data brokers more stringently, the CFPB aims to strike a balance between protecting privacy rights and accommodating commercial interests.
To advance the proposal, the CFPB recommends:
As the CFPB leads the charge on this critical issue, the debate over privacy rights versus commercial interests enters a decisive phase. The proposed rule has the potential to reshape the digital economy’s relationship with personal data, paving the way for stronger consumer protections and greater accountability among data brokers.
A U.S. appeals court has ruled that the Treasury Department overstepped its authority when it imposed sanctions on the cryptocurrency mixer Tornado Cash in 2022. The department accused Tornado Cash of facilitating over $7 billion in the laundering of funds, a portion of which was reportedly linked to North Korean hackers. However, the court stated that the sanctions were not lawfully justified under federal law.
Tornado Cash is a cryptocurrency mixer—a type of software that anonymizes digital transactions. It helps users conceal the origin and ownership of their cryptocurrencies by pooling and shuffling deposits. The Treasury's Office of Foreign Assets Control (OFAC) has blacklisted Tornado Cash under the International Emergency Economic Powers Act (IEEPA), as it was alleged that it had been used for laundering cybercrime proceeds, among which is $455 million reportedly stolen by the Lazarus Group, a North Korean hacking group.
Court's Ruling and Key Arguments
This came about with a decision by a panel of three judges from the New Orleans 5th U.S. Circuit Court of Appeals. A spokesperson from the panel, Judge Don Willett, wrote, "The smart contracts forming Tornado Cash did not constitute 'property.'" Law puts the authorization of regulating the property to OFAC but held that because these were immutables and unchangeables, the codes could neither be owned nor controlled hence would exempt from sanctions.
The court acknowledged that the risks that technologies like Tornado Cash pose are legitimate, but it held that updating the law to address such issues is the job of Congress, not the judiciary.
The lawsuit challenging the sanctions was brought by six Tornado Cash users with the financial support of Coinbase, a major cryptocurrency exchange. The court's decision was called a "historic win for crypto and liberty" by Paul Grewal, Coinbase's chief legal officer. Coinbase had argued that sanctioning an entire technology could stifle innovation and harm privacy rights.
Legal Troubles for Tornado Cash Developers
Despite the court ruling, there are still legal problems for those associated with Tornado Cash. In May, developer Alexey Pertsev was sentenced to over five years in prison in the Netherlands for money laundering. Founders of Tornado Cash, Roman Semenov and Roman Storm, are also charged with money laundering and sanctions violations in the United States.
The Bigger Picture
This case, therefore, underlines the legal and ethical challenges of privacy-focused technologies such as cryptocurrency mixers. It also calls for updated regulations to balance innovation, privacy, and security in the digital age.
Microsoft has finally turned a page in making the internet safer by offering protection against shared passwords. The establishment of sharing the same password among different users, for account management or accessing team resources, was a common practice but unsafe in the past. Such practices increase the likelihood of illegal access to data that might lead to a breach. At the Ignite 2024 developer conference, Microsoft revealed the solution to this problem: encrypted password sharing for users on Microsoft 365.
Simplifying Password Sharing for Microsoft 365 Users
Soon, a new feature for Microsoft 365 Business Premium, E3, and E5 subscribers will roll out. It lets administrators deploy encrypted passwords in the browser Microsoft Edge for both corporate and web sites. This will be shared amongst designated users, thus allowing them to log on smoothly at these web sites without ever having to see the actual passwords.
According to group product manager for Edge enterprise at Microsoft, Lindsay Kubasik, this feature diminishes the possibility of unauthorized access and enhances organizational security. Because the encrypted passwords are uniformly distributed and only to a configured group of users, it keeps any organization from being exposed to security threats. The deployment will be gradual over the next few months with the idea of improving password management for enterprise users.
Essential Security Tips for Microsoft Edge Users
While firms benefit from shared encrypted passwords, Microsoft recommends that personal consumers of the Edge browser eliminate password sharing outright. Shared password use may increase vulnerabilities and become an entry point for many cyberattacks.
For users, Edge will automatically encrypt sensitive data such as passwords, credit card details, and cookies when stored locally on a device. This means such data will stay safe, with access limited only to the logged-in user. Even if an attacker gains admin access to the device, they cannot retrieve plaintext passwords unless they also obtain the user’s operating system credentials.
Best Practices for Password Security
Microsoft is keen on proper security practice, recommending that all users employ strong passwords, two-factor authentication, and even password managers as online account protection tools. Another alternative: passkeys, essentially biometric or device-based authentication methods, can eliminate reliance on a traditional password altogether.
The Bottom Line
Microsoft’s encrypted password sharing marks a pivotal advancement in digital security for enterprise users, setting a new standard for password management. For individual users, adopting recommended security practices remains crucial to staying protected in an increasingly digital world.