The UpStream

Russian security firm Kaspersky made tracking users online easier

posted Saturday Aug 17, 2019 by Scott Ertz

One of the hardest things to do online these days is protect your privacy. Between tracking cookies, Facebook pixels, and the like, it can be difficult to keep websites from following you across the web. Incognito mode in your browser does an okay job of hiding your activity by discarding cookies at the end of the session. Tools like PureVPN allow you to obfuscate your browsing history by changing your IP address, and even your apparent global location, as you browse. Other tools, such as Tor, route your traffic so that it is hard to trace back to you. While there are still ways to identify some users, these measures do a good job for most people.

However, another security tool created a scenario that made tracking user activity incredibly easy. Since 2015, Kaspersky Anti-Virus has injected a small block of JavaScript into every page you visit in an attempt to mark safe links on pages, including search results. The injected code, however, included a unique identifier, making it very easy for a website to read the injected JavaScript and identify the user. The UUID was the same across browsers, including Chrome, Edge, and Firefox, and was present even in incognito mode. That means that switching browsers or entering incognito did nothing to prevent tracking.

The issue was discovered by Ronald Eikenberg, a reporter for c't, who published the story after Kaspersky was alerted to the problem. Kaspersky removed the code in an update released in June of this year, and they alerted users through a security advisory a month later. A statement from the company said,

Kaspersky has changed the process of checking webpages for malicious activity by removing the usage of unique identifiers for the GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information.

After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process.

We'd like to thank Ronald Eikenberg for reporting this to us.

Despite the company's belief that it was unlikely to be exploited, it is a fairly simple and financially rewarding process. If others had discovered this before the disclosure, it would have been easy to build a full browsing history for a unique user, which could have high value for marketers. It would also have been far more precise and less cumbersome than fingerprinting installed fonts, extensions, and configuration, which can identify some users but not most, since the average user doesn't add fonts or extensions, or even change browser settings.
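To make the privacy problem concrete, here is an added example (not code from the article or from Kaspersky) written from the auditor's side: it scans captured page HTML for script tags that carry a UUID-shaped token, then checks whether the same token shows up in captures taken from different browsers or sessions. A token that stays constant across those contexts behaves like a tracking identifier, which is exactly the property the article describes; a value that changes per session does not. The host name, the script path and both UUIDs are constructed placeholders, not the real injected script.

```javascript
// Added example (not from the article or from Kaspersky): audit captured page
// HTML for stable, UUID-shaped identifiers inside <script> elements.

// UUID-shaped token: 8-4-4-4-12 hex groups.
const UUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;
// Matches <script ...>...</script>; captures the attribute string and the body.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Return every UUID-shaped token found in a page's <script> tags, noting
// whether it sat in the tag's attributes (e.g. a src URL) or the inline body.
function findScriptIdentifiers(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const [, attrs, body] = m;
    for (const [where, text] of [['src', attrs], ['inline', body]]) {
      for (const u of text.matchAll(UUID_RE)) {
        findings.push({ where, id: u[0].toLowerCase() });
      }
    }
  }
  return findings;
}

// Given captures of the same page from different browsers or sessions, return
// the identifiers present in every one of them. A token that survives a browser
// switch or incognito mode is what makes the user trackable.
function stableIdentifiers(captures) {
  const sets = captures.map(h => new Set(findScriptIdentifiers(h).map(f => f.id)));
  if (sets.length === 0) return [];
  return [...sets[0]].filter(id => sets.every(s => s.has(id)));
}

// Constructed samples: hypothetical host, path and tokens (not the real script).
const TOKEN = '0f9a1c2e-3b4d-4e5f-8a6b-7c8d9e0f1a2b';
const chromeCapture = `<html><head>
<script src="https://scanner.example.invalid/${TOKEN}/main.js"></script>
</head><body><p>search results</p></body></html>`;
const firefoxIncognitoCapture = `<html><head>
<script src="https://scanner.example.invalid/${TOKEN}/main.js"></script>
<script>var sessionNonce = "8d3c0b1a-5e6f-4a7b-9c8d-0e1f2a3b4c5d";</script>
</head><body></body></html>`;
const cleanCapture = '<html><head><script src="/app.js"></script></head><body></body></html>';

// Usage: report which identifiers persist across two captures.
function demo() {
  const stable = stableIdentifiers([chromeCapture, firefoxIncognitoCapture]);
  console.log('identifiers stable across browsers/incognito:', stable);
  return stable;
}
demo();
```

The per-session nonce in the second capture is deliberately a UUID too: it is flagged by `findScriptIdentifiers` but dropped by `stableIdentifiers`, because only a value that repeats across contexts is a tracking concern. Running the same check against a capture from a machine without the product installed (`cleanCapture`) yields nothing, which is the quick way to tell whether an identifier comes from the site itself or from software on the client.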

Twitch made a new page for Ninja, accidentally suggested porn

posted Saturday Aug 17, 2019 by Scott Ertz

At the beginning of the month, popular Twitch streamer Tyler "Ninja" Blevins announced that he would be leaving his home of 8 years on Twitch to exclusively stream on Microsoft's Mixer platform. He was streaming the next day on Mixer, leaving his Twitch channel offline for the first time in a while. Ninja did a great job of keeping the transition smooth and professional, never saying anything bad about his former home because he had nothing negative to say. He had been happy on Twitch, but Microsoft made him an offer he couldn't refuse.

Twitch, on the other hand, did not treat the situation with the same level of professionalism. Unlike other channels, whose page shows previous streams and the ongoing chat for the user, Twitch changed Ninja's offline profile to promote other channels. The page showed the most popular active streams under the "Fortnite" category, which is the game that made Ninja a household name.

While that is already disrespectful to Ninja and his fans, what came next was worse. At one point, the top suggested stream listed on Ninja's page was porn. It is important to remember that many of Ninja's biggest fans are children, making this even more disturbing. In response, Ninja tweeted out a video apology for a situation that he did not create, saying,

We haven't said anything bad or negative about Twitch, obviously, because there really hadn't been any reason to. Over the past couple of days there have been some things that have been going on that, you know, we let slide. They were kind of annoying. Little jabs, we felt like, but it didn't matter. We wanted to stay professional. But now, if you go to Twitch.tv/ninja, they advertise other channels. They don't do this for anyone else that's offline, by the way - just me. And there are also other streamers who have signed with other platforms whose stream and channel still remain the same. You can see their VODs, they don't promote other streams, they don't promote other popular channels. But they do on mine. I've been streaming for eight years to build my brand and build that channel: 14.5 million followers. And they were still using my channel to promote other streamers.

He goes on to discuss the porn incident, apologizing for it and showing his frustration that he has no say in what is shown attached to his name. Shortly after, Twitch CEO Emmett Shear sent his own series of tweets discussing the incident, stating,

Our community comes to Twitch looking for live content. To help ensure they find great, live channels we've been experimenting with showing recommended content across Twitch, including on streamer's pages that are offline.

This helps all streamers as it creates new community connections. However, the lewd content that appeared on the @ninja offline channel page grossly violates our terms of service, and we've permanently suspended the account in question.

We have also suspended these recommendations while we investigate how this content came to be promoted.

On a more personal note, I want to apologize directly to @ninja that this happened. It wasn't our intent, but it should not have happened. No excuses.

Since the incident, Twitch has reverted Ninja's channel to a standard offline page, but it has brought up a long-standing issue with Twitch regarding their inconsistent rules enforcement. While there is an explicit content policy, it tends to apply less to popular female channels than it does to others. But, as Ninja points out,

This wouldn't even have been an issue if they didn't use my channel to promote others in the first place...

Apple and Ireland to fight European Union control over taxes

posted Saturday Aug 17, 2019 by Scott Ertz

In 2016, the European Union decided that Ireland had not charged Apple enough in taxes, and demanded that Ireland collect an additional 13 billion euro (or roughly $14.4 billion) in "back taxes." This is far from the first time a company, especially a tech company, has been accused of avoiding taxes. For example, Bernie Sanders believes that Amazon has skirted tax law in the United States. However, this might be the first time that the country in question believes the company paid exactly what it was supposed to.

In this case, Ireland is on Apple's side, not the side of the EU. In fact, the Irish government will be heading to court with Apple to argue against the EU's imposed penalties over Apple paying exactly what the country asked them to pay. The EU has essentially argued that Apple has an unfair advantage in Ireland, where the company houses its European headquarters.

Publicly, the issue revolves around how Apple reports profits. Since the company's European headquarters are in Ireland, they report the profit from their various divisions within Europe through their corporate office. This allows them to pay 3.8 percent on their European profits. However, the EU believes that the amount collected should be reflective of the countries in which the company operates, including design and manufacturing.

In 2016, the Obama administration claimed that the EU was trying to help itself to cash that rightly belongs within the United States' economy. Many in Silicon Valley have argued that it is just one of many examples of the EU's jealousy over constantly losing out on the highly profitable tech market, and of its attempts to rig EU regulations against US companies. This argument has been made many times, often referencing the "Google Tax", which has already claimed services in Europe, like Google News.

YouTube has different rules for the platform's biggest stars

posted Friday Aug 9, 2019 by Scott Ertz

Over the last year, there has been a lot of discussion about YouTube and, in particular, the way their Community Guidelines are implemented and enforced. The company has changed its public rules to define what is true, as well as demonetizing videos that don't fit into a particular political or social view. The problem is that, while the rules are usually written clearly, the enforcement is not.

It often seems that, while the majority of content creators are bound by the published Community Guidelines, the bigger creators are not. The biggest example of inconsistent policy enforcement for big-name content creators has been Logan Paul. Early last year, Paul posed with and seemed to mock a dead body that he found in a forest in Japan known for suicides, in a video posted to YouTube. The company took two full weeks to respond to the incident, removing him from the Preferred partner program. Afterward, YouTube released new policies and procedures, theoretically preventing the problem in the future. When Paul tased a rat in another video a few weeks later, the company ignored those policies and merely removed monetization for 2 weeks, essentially a slap on the wrist.

It has long been believed that YouTube turns a blind eye to what the big creators do until criticism no longer allows it to pretend it didn't know. According to The Washington Post, which interviewed current and former content moderators for YouTube, this is exactly what happens. One former moderator told the Post,

Our responsibility was never to the creators or to the users. It was to the advertisers.

That should be a surprise to no one. YouTube is owned by Google, which is an advertising company through and through. Everything they do is intended to increase eyeballs and advertising returns. If a content creator creates popular videos, they will attract more advertising dollars, even if they push the boundaries.

Instagram facing some of the same privacy issues as parent Facebook

posted Friday Aug 9, 2019 by Scott Ertz

Facebook has definitely become the face of the online privacy debates in the past few years. The biggest issue for the company came about with Cambridge Analytica, a company that accessed the Facebook API and gathered and stored information on users who had used the company's apps. Essentially, this was done by promoting "which character from *random 90s show* are you" type "games" which ask for permission to access certain profile data. From there, the company stored that information and used it for advertising purposes. While this was a massive breach of both user privacy and Facebook's data policies, Facebook didn't act on its knowledge of the behavior until it became public. Cambridge Analytica is far from the only data breach at Facebook, however.

Now, Facebook-owned Instagram is beginning to see similar issues with companies accessing the brand's API, as well as scraping data from the app and website. Hyp3r, which markets itself as "the award winning location-based marketing platform" was banned from Instagram this week for violating Instagram's data collection and storage policies. In particular, the company scraped data from profiles and posts to identify user locations, which fed its marketing platform. Hyp3r CEO Carlos Garcia told Business Insider,

Hyp3r is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services. We do not view any content or information that cannot be accessed publicly by everyone online.

The problem with that argument is that the fact that data is publicly viewable does not mean that the data may legally be scraped or stored by third parties. Instagram does not generally allow any external storage of user data, no matter how it is obtained. According to an Instagram spokesperson,

Hyp3r's actions were not sanctioned and violate our policies. As a result, we've removed them from our platform. We've also made a product change that should help prevent other companies from scraping public location pages in this way.

The change mentioned is small but significant. Hyp3r had gotten a lot of its data from Instagram's Locations page, which shows photos from public user profiles that are tagged to a location. Previously, this page was available to everyone, but now it requires the visitor to be logged into an Instagram account to access the data. Tying requests to an account should allow the company to monitor who is pulling large amounts of location data and take action.

Loot box odds to be made public by 2020 thanks to self-regulation

posted Friday Aug 9, 2019 by Scott Ertz

Loot boxes have long been an annoyance in video games, especially when you pay for the box. When you spend your $5, will you get three $1 skins, or will you get a $25 weapon? There is never any telling, and it has caused a lot of trouble. There is no better example than Star Wars: Battlefront II, the game synonymous with the problem. Gamers were not happy with the near-requirement of purchasing boxes with no idea of what they would be buying. EA eventually killed the feature, but not before taking a huge hit in sales.

Since then, governments the world over, including the US Federal Trade Commission, have investigated the legality of the practice. Because the odds are undisclosed, the governments maintain that the practice amounts to gambling, which is illegal outside of designated areas in most countries. As with most government activities, these inquiries have been slow going, and will likely not amount to much. However, the gaming industry has always been great at regulating itself, thanks to the ESA, most famous for its game rating program.

This week, at an event called "Inside the Game," Michael Warnecke, the chief counsel of tech policy for the ESA, announced that Microsoft, Nintendo, and Sony had worked together to require loot box odds disclosure on future games.

I'm pleased to announce this morning that Microsoft, Nintendo, and Sony have indicated to ESA a commitment to new platform policies concerning the use of paid loot boxes in games that are developed for their platform. Specifically, this would apply to new games and game updates that add loot box features. And it would require the disclosure of the relative rarity or probabilities of obtaining randomized virtual items in games that are available on their platforms.

This will not apply to games that are already out in the wild, as some of those games would be outside of their update period. However, it will apply to all new games released on the big three platforms, as well as any existing games that add loot boxes after the rules go into effect. The exact timeline for implementation is unknown, but it will be completed by the end of 2020.

This comes as other members of the industry have been abandoning paid loot boxes entirely. Fortnite is phasing out the concept now, as will Rocket League, which was recently acquired by Fortnite developer Epic. This is definitely the direction that most gamers would prefer, and these changes from such a large publisher are a move in the right direction.
