Google Chrome Launches 'Privacy Sandbox' to Phase Out Tracking Cookies

 

Google has officially commenced the implementation of Privacy Sandbox within its Chrome web browser for a majority of its users. This move comes nearly four months after the initial announcement of the plan.

"We believe it is vital to both improve privacy and preserve access to information, whether it's news, a how-to-guide, or a fun video," Anthony Chavez, vice president of Privacy Sandbox initiatives at Google, said.

"Without viable privacy-preserving alternatives to third-party cookies, such as the Privacy Sandbox, we risk reducing access to information for all users, and incentivizing invasive tactics such as fingerprinting."

To facilitate thorough testing, the search giant has chosen to leave approximately three percent of users unaffected by the transition initially. Full availability is anticipated for all users in the upcoming months.

Privacy Sandbox serves as Google's comprehensive approach to a suite of technologies designed to replace third-party tracking cookies with privacy-conscious alternatives. This transition aims to maintain personalized content and advertisements while safeguarding user privacy.

Simultaneously, the company is in the beta testing phase of Privacy Sandbox on Android, extending it to eligible mobile devices running Android 13.

A pivotal component of this endeavor is the Topics API, which categorizes users into varying topics based on their site visitation frequency. Websites can utilize this API to discern a user's interests and deliver tailored ads without knowing the user's identity. Essentially, the web browser acts as an intermediary between the user and the website. Users also have the option to further customize their experience, including specifying ad topics of interest, enabling relevance and measurement APIs, or opting out entirely.

Despite its advancements, Privacy Sandbox has not been without criticism. The Movement For An Open Web recently pointed out that "Google gathers reams of personal data on each and every one of its users, sourced through an opt-in process that it's hard for most web users to avoid."

This development coincides with Google's efforts to enhance real-time protections against phishing attacks through enhancements to Safe Browsing, all without prior knowledge of users' browsing history.

While Google hasn't disclosed specific technical details, it has incorporated Oblivious HTTP relays (OHTTP relays) as part of Privacy Sandbox to enhance anonymity protections and mask IP address information.

"Previously, it worked by checking every site visit against a locally-stored list of known bad sites, which is updated every 30 to 60 minutes," Parisa Tabriz, vice president of Chrome, said.

"But phishing domains have gotten more sophisticated — and today, 60% of them exist for less than 10 minutes, making them difficult to block. By shortening the time between identification and prevention of threats, we expect to see 25% improved protection from malware and phishing threats."

Web Development Revolution: Chrome's Cookie-Free Tools

 


Third-party cookies have become an increasingly common part of web browsing, and they make it possible for advertisers and bad actors to spy on large chunks of your browsing history, in the case of advertisers to provide more relevant ads. There is no doubt that third-party cookies contribute to the functioning of websites and the experience of Internet users, but most experts agree that we need alternatives that are easier to control, regulate, and understand.

Google announced in a blog post that it will enable the Privacy Sandbox APIs over the next few days to protect user privacy. There would be an initial rollout of these APIs for a small percentage of users with Chrome 115 installed. When the APIs become available, they would ramp up gradually over time. 

Google developed the Privacy Sandbox in 2019 to get rid of browser cookies. This runs counter to how Google operates. The privacy feature is not intended to completely stop advertisers from targeting audiences with their ads. Instead, it makes it harder for advertisers to access users' personal information. Google announced the Privacy Sandbox program in May 2023, stating that the process would begin by July 2023 and be available to everyone. Finally, the day has come when that dream will become a reality.

The Chrome Developers blog for Chrome 115 has more details about the upcoming "relevance and measurement APIs" introduced in Chrome 115. There are several APIs, including the Topics API, which categorizes a user's interests based on how they use the Internet. These APIs do not share this information with advertisers directly. There are also attribution reporting APIs, which can determine if ad clicks or views result in conversions. Finally, there is the Protected Audience API (previously FLEDGE), which allows relevant advertising to be displayed to users based on their previous interactions with advertisers.

It is important to point out that these updates come shortly after the U.K.'s top privacy watchdog, the Competition and Markets Authority (CMA), which is responsible for overseeing the development of Sandbox, released a set of guidelines for testing Sandbox just a few weeks ago. It has been proposed that Google will have to submit itself to more oversight by the CMA by 2021. This is to address concerns that removing third-party cookies may pose a new competitive challenge for companies that use personalized ads. As per the guidelines, reporting test results is particularly critical for ad-tech companies, as it helps the CMA assess whether the Privacy Sandbox has addressed its competition concerns, which will help determine whether the Privacy Sandbox is effective.

The matter of privacy and competition remains one of the biggest concerns facing Google and other digital advertising giants in Europe and the U.S. about the way they conduct their online advertising practices. A new lawsuit has been filed by the European Commission against Google, asserting that its ad-tech business violates the antitrust laws of the EU and suggesting potential steps to break up its massive ad-tech operation. It was noted by Norwegian legislators, as well as French regulatory agencies, that Meta was placed under state control due to its behavioral advertising. In contrast, Criteo was fined for using personal data for advertising. Various courts, lawmakers, and regulatory agencies in various countries have pressured other companies to use data for advertising purposes. 

A privacy sandbox, in essence, is a document that claims third-party cookies are a privacy disaster that needs to be fixed with an open, industry-wide standard. A user tracking tool is integrated into your browser so that it runs securely and locally, which means that only relevant, anonymous data is sent to websites and advertisers, such as what type of products or topics people may be interested in when visiting their website. By doing this, advertisers and publishers will no longer have to track users personally.

The EFF, one of the privacy watchdogs that monitors privacy issues, has criticized the Privacy Sandbox for some of its original ideas. These include FLoC (Federated Learning of Cohorts), which was among its ideas. In response to feedback, Google pivoted and created a different approach, such as Protected Audience. This has not received the same criticism as the now-launched Protected Audience, as it does not follow the same approach. The Privacy Sandbox continues to be a subject of controversy among competitors such as Brave, partly because of concerns surrounding antitrust laws. 

In the beginning, the APIs will be turned on for a limited number of Chrome dev browser instances that are part of Google Chrome development. As the rollout progresses, Google will gradually increase the number of devices while monitoring for potential problems. Not every group of developers will see every API during this rollout: a few groups will encounter only a subset of the newly available APIs, so that it is easier to detect and isolate issues associated with specific APIs.

There is a possibility that this process will begin next week, starting on the 24th of July, according to Google. The APIs will be released for about 35 percent of the browsers during the week so that the developers can test the APIs. According to the company, they plan to increase this to 60 percent by the end of August. During August, a Chrome 116 general availability date is expected to be announced. However, it is unclear when APIs will work for 99 percent of Chrome 115 browsers. 

At this stage of the testing program, Google says most of the small groups tested with limited access should have all the relevance and measurement APIs enabled. Only small, isolated groups are going to be maintained by the company without each API being enabled for every small group.

A couple of issues with onboarding and regulatory investigations have caused Google to delay the project, although it was originally projected to phase out third-party cookies in late 2023. The Competition and Markets Authority (CMA), which previously voiced concerns that the search giant's own advertising business would unfairly gain from the updated approach, published guidelines in June for third parties to follow when testing Google's Privacy Sandbox tools. 

It is well known that by passing the CMA's regulatory hurdles back in 2022, Google's plans for refusing or removing third-party cookies will have been approved (provided that Google sticks to the commitments it made to get approval), and the company said it "will continue to work closely with the CMA" before taking any further action to do so.

Microsoft: Provide Code for MacOS App Sandbox Flaw

 


Microsoft discovered a vulnerability in macOS that might allow specially created code to execute freely on the system and get past the App Sandbox.

The security flaw, identified as CVE-2022-26706 (CVSS rating: 5.5), affects iOS, iPadOS, macOS, tvOS, and watchOS. It was patched by Apple in May 2022. In October 2021, Microsoft notified Apple of the problem via Microsoft Security Vulnerability Research (MSVR) and Coordinated Vulnerability Disclosure (CVD).

Sandbox Objective

An attacker can exploit the bug with a specially crafted Office document containing malicious macro code that allows for system command execution and bypasses the sandbox limitations. Although Apple's App Sandbox is intended to strictly control a third-party app's access to system resources and user data, the vulnerability allows these limitations to be circumvented and the system to be penetrated.

When a user runs malicious software, the main goal of the sandbox is to prevent damage to the system and the user's data.

Microsoft researchers showed that the sandbox rules may be evaded by utilizing specially written software. The sandbox escape vulnerability could be used by an attacker to take charge of the vulnerable device with elevated privileges or to carry out malicious operations like downloading malicious payloads.

The experts originally developed a proof-of-concept (POC) exploit to produce a macro that starts a shell script using the Terminal app, but it was intercepted by the sandbox since it had been given the extended attribute com.apple.quarantine, which automatically inhibits execution by the Terminal. The experts then attempted to use Python scripts, but the Python application had a similar problem running files with the mentioned attribute.

"However, this restriction can be removed by using the -stdin option for the open command in the Python exploit code. Since Python had no way of knowing that the contents of its standard input came from a quarantined file, -stdin was able to get around the 'com.apple.quarantine' extended attribute restriction," according to a report by Jonathan Bar Or of the Microsoft 365 Defender Research Team.


Is Malware Analysis Challenging?

 

To minimize the likelihood and possible effect of cyberattacks, security teams require greater detection and analytic capabilities. Despite this, companies are limited in their ability to detect and respond to advanced and targeted assaults due to a lack of qualified cybersecurity personnel, an overabundance of tools, and broken processes. 

To answer these questions, OPSWAT has released two new solutions which aim to minimize the time and effort required for manual analysis, eliminate the requirement for specialized expertise, and break down barriers across diverse tools and workflows: 

  • OPSWAT Sandbox 
  • MetaDefender Malware Analyzer

"Malware analysis is a vital tool for management teams looking to go beyond check-the-box compliance procedures toward the proactive threat management and crisis response programs," said OPSWAT CEO Benny Czarny. "Organizations are undertaking a change to keep ahead of skilled adversaries which are attacking vital infrastructure to remain abreast of these attacks." 

These tools work together to make malware analysis more intelligent, resulting in faster and more accurate results with less manual effort. MetaDefender Malware Analyzer is a unified, fully integrated platform for malware tool integration, analysis orchestration, playbook automation, and aggregated reporting across several analysis tools.

Finding, training, and retaining malware analysts is difficult for businesses. The most difficult aspect of hiring new employees is that there are not enough qualified prospects. As a result, the vast majority of businesses rely on their staff to learn malware analysis skills, despite the fact that almost half of them say it's difficult to find good training programs. Furthermore, these firms recognize that the malware analysis function is understaffed: more than half reported worker burnout in the last 12 months, and far more than half reported active recruitment of existing teams.

Malware analysis technologies are ineffective due to a lack of automation, integration, and accuracy. The lack of automation and integration is the biggest problem with malware analysis tools. Without these features, malware analysis might devolve into a time-consuming and error-prone manual procedure involving many tools and workflows. Accuracy is the most critical criterion to consider when assessing malware analysis tools; only around a quarter of businesses are confident in their capacity to detect, investigate, and resolve malware attacks.

Google Announces Privacy Sandbox on Android to Restrict Sharing of User Data

 

Google announced on Wednesday that it will extend its Privacy Sandbox activities to Android in an effort to broaden its privacy-focused, but less disruptive, advertising technologies beyond the desktop web. To that aim, Google stated it will work on solutions that prohibit cross-app tracking, similar to Apple's App Tracking Transparency (ATT) framework, essentially restricting the exchange of user data with third parties as well as removing identifiers like advertising IDs from mobile devices. 

Anthony Chavez, vice president of product management for Android security and privacy, stated, "The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk." 

Google's Privacy Sandbox, which was announced in 2019, is a collection of technologies that will phase out third-party cookies and limit covert monitoring, such as fingerprinting, by reducing the amount of information that sites can access to keep track of users' online behavior.

The Alphabet Inc. company, which makes the majority of its revenue from advertising, says it can safeguard phone users' data while still providing marketers and app developers with new technology to deliver targeted promotions and measure outcomes. According to Anthony Chavez, vice president of product management for Android Security & Privacy, the proposed tools for the Android mobile operating system would limit the app makers' ability to share a person's information with third parties and prohibit data monitoring across several apps. Google stated the tools would be available in beta by the end of 2022, followed by "scaled testing" in 2023. Chavez said in an interview that the best path forward is an approach "that improves user privacy and a healthy mobile app ecosystem. We need to build new technologies that provide user privacy by default while supporting these key advertising capabilities."

Google is aiming to strike a balance between the financial needs of developers and marketers and the expanding demands of privacy-conscious consumers and regulators. The company is gathering feedback on the proposal, similar to how its Privacy Sandbox effort is gradually building a new online browsing privacy standard. Google's initial idea was met with derision from UK authorities and lawmakers, but the corporation has subsequently proposed serving adverts based on themes a web user is interested in that are erased and replaced every three weeks. 

Meta Platforms Inc., the parent company of Facebook, has been at odds with Apple over the company's App Tracking Transparency tool, which allows iPhone users to turn off tracking across all of their apps. According to executives, Google's YouTube has taken a minor financial hit as a result of the technology. In other words, it makes it more difficult for marketers to verify whether their iPhone advertising was effective.

According to Chavez, the Android Privacy Sandbox would enable tailored advertising based on recent "topics" of interest, and enable attribution reporting, which will tell marketers if their ad was effective.