Tag Archives: Joe Lemonnier

Google Photos: the Faustian bargain of privacy

Unlimited backups of all your photos. For free. Now that’s hard bait to refuse, especially considering how photo-happy we’ve all become since our smartphones have replaced our pocket cameras. But this offer is just the tip of the iceberg in Google’s new app. After all, if you’re going to be uploading thousands upon thousands of photos, you’d expect sorting them would be a pain.

Google’s answer to that seems to be: Don’t. Instead, trust us to deliver the right photos when you use our in-app search bar.

 

Searching Photos

Google’s new Photos app leverages the search giant’s recent investments in machine learning to “read” your photos and figure out what they’re about without any need for you to tag, label or date them.

Looking for photos of that holiday in London? Type “London”, and even without geo-location data enabled, Google’s algorithms will “read” the photos for any landscape they can recognize as coming from Old Foggy.

Type in “dog”, and it will do the same, pulling any photos of dogs it can find in your collection. If you’ve ever tagged a photo of your pet with its name, it will learn that too, and show you photos of “Rex” alone if you ever search for it.

None of this is happening with your input: Google’s engines have just learned to look at your photos, and understand what they’re looking at.

Facial recognition

Another feature, which you can choose to activate or deactivate, is the system’s ability to sort through faces. When you hit the search bar, you’ll be presented with a series of faces it has pulled out. Tap on one, and most if not all of the photos you have of that person will be presented. If your photo collections go back far enough, the system will sometimes be able to recognize the person as far back as childhood.

While not 100% accurate, it’s damn impressive, very useful, and a whole lot of creepy.

Dealing with the Privacy Devil

The story of Faust is quite an apt description: in exchange for incredible powers, Dr. Faust sold his soul to the devil. You can bet that Google is not offering this much free backup storage and amazing machine analysis out of the goodness of its heart.

Just as Gmail made a breakthrough in the email market by offering enormous amounts of free storage in exchange for data-mining your communications to sell against ads, you can put down some good money on Photos going the same way.

While Google has affirmed that they will never sell your photos to third parties or publish them without your consent, that’s most likely not how they intend to use your collections. Instead, they will use them to get to know you better.

However the system manages it, it is somehow labeling your photos so that when you search for a term, it can deliver results against it. It will also be doing it for terms you may never search for.

Happen to be wearing Adidas shoes in a photo? In the future, you can expect Google Photos to make note of that, and the next time you are near a shoe store, don’t be surprised to receive discounted offers from Adidas.

Again, it’s unlikely that Adidas will ever see your photos. It will instead ask Google to target all the relevant users on its behalf.

In many ways, this is nothing new: it’s exactly the way any of Google’s other services work, whether that be Gmail, Google Now, or even the main Google search engine. Indeed it is how nearly all major web companies operate.

But it is taking that data-mining to a new, uncomfortably close-to-home level.

Google rolls out a new password manager

Google has begun to roll out a new security feature, unveiled at its 2015 I/O developer conference, to all Chrome browsers and virtually all Android devices: the Smart Lock Password manager.

From now on, any website login details that you save in your desktop Chrome browser will be accessible via any Android device signed in with your Google account. So, if you’ve saved your login details for, say, Facebook or Netflix, you will be automatically signed in when accessing them from the Chrome browser on your Android device, and vice-versa.

In addition, if you were to install the Facebook or Netflix apps on your phone, they will also be able to automatically retrieve your login details from your Google account and sign you in.

The last feature requires individual app developers to include the newly released API codes from Google, but it’s a relatively simple matter, so we expect to see this feature rolling out across a variety of apps soon.

How to feel about Google managing your passwords for you is for you to decide. If you’re already saving these accounts in your Chrome browser, chances are you will enjoy this feature. However, you’re now putting more of your eggs in the same basket, so make sure that your main Google Account is locked down with strong passwords and two-factor authentication.

So given our recent post about the fragmented nature of Android update deployments, when can you expect this feature? Well, for the last few years, Google has been using the Google Play Services app to get around this roadblock and send out major system updates to Android users, regardless of brand or make (but that’s a story for another time).

Any device running Android 2.3 or above will be receiving the update to Google Play Services 7.5 and be able to use the feature.

 

How to turn on or off Smart Lock Passwords

Interested in using the feature, or just want to make sure it’s turned off and Google isn’t vacuuming up all your passwords?

On your Android device, open the Google Settings app. This is where all the details concerning your Google Account reside. You’ll find the Smart Lock setting at the bottom of the main menu in the Google Settings app. From there, you can select to turn on or off the password manager, allow auto-sign ins, and add exceptions to certain sites or applications.


From your Chrome browser, you won’t find the Smart Lock name per se, but you will find where to manage the passwords saved in your browser. Just click on the menu in the top right corner of the browser, and select Settings.


At the bottom of the settings page click on “Show advanced settings”. From there, you can scroll down to “Passwords and forms”. Any passwords you’ve saved can be found here.

If you feel the convenience isn’t worth the privacy tradeoff, you can delete them and also set the browser to no longer automatically sign you into websites. Just keep in mind: you will regularly be asked if you want Chrome to save your logins when you sign in to websites. Remember to say “no” and “Never ask for this website again”.

As always, stay safe out there.

Which is the most secure Android Smart Lock?

If you’re one of the lucky few to be running a phone or tablet with Android Lollipop (5.0 or above), you might be tempted to use one of its new Smart Lock security features. These features bypass your lock screen when certain conditions are met.

Here, we examine the various kinds of Smart Locks Lollipop offers, where they fail, and how reliable they are.

Trusted devices

Trusted devices is perhaps the safest of the new smart lock features. It works by confirming your identity with “something you have”; in this case a Bluetooth device or NFC trigger. When your devices pair, your lock screen will be removed. The feature seems to have been designed with smartwatches in mind, but any Bluetooth device like a car or wireless headset will work.

This is particularly secure, as bypassing this lock would require both your devices to be stolen at the same time. The other workaround includes spoofing the MAC address (or identity) of your Bluetooth device, which is a difficult and highly unlikely process.

Trusted places

Trusted places creates geofences around specific areas you designate as “safe”. Using built-in GPS, WiFi scanning, and other location services, your device can determine whether you are inside the area and disable your phone’s lock screen. When the phone leaves the area, it automatically locks up again.

This feature can be particularly useful and safe if you designate your home as a safe zone, especially if your home is in an isolated area. However, we wouldn’t recommend setting any location you do not fully control as safe. Any passerby in the “safe zone” could potentially pick up your phone and use it. Furthermore, the feature isn’t as precise as it could be: the diameter of the “safe zone” can be up to 80 meters wide (nearly 90 yards or 262 feet).

Trusted face

Trusted face essentially confirms your identity by looking at you, using your device’s front facing camera to recognize your face. Because of that, hardware can be a limiting factor in this method’s reliability: a poor front-facing camera can quickly become a liability.

While the system is smart enough not to get fooled by a static photo of your portrait, it still requires you to “teach it” to recognize your face in several different lighting conditions or wearing various accessories. The more you do this, the more reliable it becomes, but it can require more “teaching” than most users would feel comfortable providing. Essentially, every time your phone doesn’t unlock is an opportunity to teach it.

Oh, and you can give up on getting this to work in low lighting conditions.

We leave it to you to determine the likelihood that a lookalike will snatch your phone. Just don’t use this feature if you have an evil identical twin.

Trusted voice

Trusted voice relies on vocal recognition to confirm your identity. It works particularly well if you are a consistent user of Android’s voice activated features, since those learn to recognize your speaking patterns to better interpret your queries. If you do not use them often, you may find the reliability of this method to be somewhat limiting.

A secondary annoyance is that it relies on triggering the Google Launcher’s signature “Ok, Google” to unlock your screen, which will then wait for a search query or command. Unless you are a heavy user of the Launcher or Google Now, we don’t recommend this.

On-body detection

This is easily the least secure of the methods revealed so far, and we strongly recommend you do not use it. On-body detection relies on your phone’s internal accelerometers and gyroscopes to determine if you are carrying your phone. Unlock it once, and it will stay unlocked while in your hands or pocket. Put it down on a table, and it will lock immediately.

While this may seem to make sense and greatly simplify your life, it’s also a godsend to any pickpocket or straight-out thief that would snatch the phone out of your hands. So long as the phone is in movement, it doesn’t care who unlocked it. With over 3 million smartphones stolen every year in the US alone, and 2000 a day in the UK, we really cannot recommend this method.

 

How to turn the Smart Lock features on

If you decide you still want to use one or more of these security features, you’ll need to turn them on first, and Google has not made that easy.

First, in the Settings menu, you’ll need to scroll down to Advanced and select Trust agents. Inside this menu, you’ll need to activate the Smart Lock option.


Now, when you head back into the main Security menu, you’ll be able to find the Smart Lock menu, and activate whichever features you want.


If you see one of these features missing, make sure that your Google Services app is up-to-date.

Android’s factory reset may leave data behind

We’ve given tips in the past about what you could do with an older smartphone, and a few of those involved donating it to charity or selling it. A vital step before doing either of these is to perform a factory reset to clear out your data. New research has emerged that says that a factory reset may not be enough to keep your data safe from some more advanced data retrieval techniques.

Researchers at Cambridge University have just released a study outlining several flaws in the way most Android handsets handle factory resets. The issue arises from the way devices store information on flash memory. Reading data has a negligible impact on flash drives, but writing new data to them can cause considerable wear.

To prolong the drive’s health, instead of deleting content directly (“writing off” the data), flash drives will instead designate memory blocks where the data resided as “logically deleted”–meaning they are available to be overwritten.

So when you perform a factory reset, those “logically deleted” content blocks aren’t being overwritten, as they are already considered “empty” by the system. Given enough time and the right tools, the researchers were able to retrieve personal data such as photos and chat logs. They were also able to retrieve the master tokens for automatically signing in to Gmail and other Google apps as well as Facebook apps an alarming 80% of the time.

 

How to protect your data

If you are looking to sell or donate your phone, there are a few things you can do to help keep your data private. We suggest you do all of these steps:

Encrypt your phone before factory resetting your data.

Devices running Android 3 or above all allow you to encrypt your phone. The option can generally be found in the settings under the Security tab. Encrypting your phone before the reset ensures that any data that survives the factory reset has to be decrypted before it can be read.

The Cambridge researchers were able to retrieve some encrypted data and run brute-force attacks until they found the right passwords. So make sure you create a long password of over 15 characters, using upper and lower cases, numbers and symbols: a longer, more complex password would take years to crack. Ideally, use a password generator: you don’t have to remember this password, since you’re “erasing this data”. Now complete the factory reset.
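To make the "logically deleted" behaviour and the encrypt-before-reset advice concrete, here is an added example that is not from the Cambridge study or from Android. ToyFlash, toy_encrypt and the sample data are constructed stand-ins, and the cipher is a toy, not Android's real disk encryption.

```python
import hashlib
import secrets
import string

class ToyFlash:
    """Toy flash chip: a reset marks blocks free but leaves their bytes in place."""
    def __init__(self):
        self.blocks = []                     # each entry: [live flag, stored bytes]

    def write(self, data):
        self.blocks.append([True, data])

    def factory_reset(self):
        for block in self.blocks:            # "logical delete": nothing is overwritten
            block[0] = False

    def visible_files(self):
        return [data for live, data in self.blocks if live]

    def raw_dump(self):
        # What reading the chip directly returns: every block, live or not.
        return b"".join(data for _, data in self.blocks)

def toy_encrypt(password, salt, data):
    """Toy stream cipher (stand-in for disk encryption); XOR, so it also decrypts."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def generate_password(length=20):
    """Random throwaway password with upper, lower, digit and symbol characters."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw

# Constructed sample data standing in for a chat log and a sign-in token.
SAMPLE = [b"chat: see you at 6pm", b"auth_token=CONSTRUCTED-EXAMPLE"]

def reset_without_encryption():
    flash = ToyFlash()
    for item in SAMPLE:
        flash.write(item)
    flash.factory_reset()
    return flash

def reset_after_encryption(password):
    flash = ToyFlash()
    for index, item in enumerate(SAMPLE):
        salt = b"toy-salt-" + bytes([index])   # per-block salt, fixed for the demo
        flash.write(toy_encrypt(password, salt, item))
    flash.factory_reset()
    return flash

if __name__ == "__main__":
    plain = reset_without_encryption()
    print("files visible after reset:", plain.visible_files())
    print("token still on chip:", SAMPLE[1] in plain.raw_dump())
    sealed = reset_after_encryption(generate_password())
    print("token on chip when encrypted first:", SAMPLE[1] in sealed.raw_dump())
```

In both runs the reset leaves the same number of bytes on the chip; the only difference is whether those bytes are readable without the password, which is why the password's length matters.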

 

Remove your device from your Google account

From a browser on a new device, go to myaccount.google.com. Under Sign-in & Security you’ll find the Device activity & notifications section, which allows you to review all the devices currently connected to your account.


Select your old device, and Remove it. This will prevent any automatic sign-ins from your old device.


Change your account passwords

Changing passwords regularly is simply good digital hygiene, so it makes a lot of sense to change your passwords when changing devices. Even if a hacker were to somehow retrieve your passwords to your Facebook or Google accounts after the factory reset, they would no longer work.

 

Though the risks of your data being exploited this way are relatively low, it pays to take extra precautions. With these three steps, you should be reasonably secure from even a determined criminal.

As always, stay safe out there!

 

The truth about Android updates

If you are using an Android-powered smartphone, you may have found yourself wondering about updating your operating system. With names such as Lollipop, Kit Kat and Jelly Bean, it’s not always clear which is the latest version and what are the benefits of updating your device.

 

Why is it important to update?

Beyond their cute sounding names, each Android update brings new features, improvements and most importantly, security fixes.

It’s this last bit that matters most, as even basic activities like emails hold an enormous amount of valuable information about you. The latest versions of Android fix vulnerabilities that can help keep your data safe.

As of writing, the latest version of Android is 5.1, codenamed “Lollipop”. You can check which version your phone has by going into your settings, and into “About Phone”. (Tap on the Android Version section a few times for a surprise.) If you want to check if there’s an update available for you, you’ll find a Software update tab in this menu.

Most likely, there won’t be.

Why aren’t you receiving the update?

According to Google’s own stats, you’re most likely running an old version of Android. In fact, most of us are running Jelly Bean (Android 4.1, 4.2, 4.3) or Kit Kat (Android 4.4).

This is because Google doesn’t push updates directly to you. Instead, they are generally sent to phone manufacturers like Samsung, Sony and HTC. Manufacturers then make their own changes to the software, adding features to improve compatibility with their devices or differentiate themselves from their competition. If you got your phone through a carrier like Verizon, Vodafone or Orange, they will also certainly make additional changes to the update. This process can sometimes take over a year, so don’t hold your breath.

Often the whole process is so complicated and time-consuming that many manufacturers may not even issue an Android update more than once per phone. This encourages customers to purchase new handsets to get the latest updates.

What can you do to stay safe without an update?

While it’s possible to install up-to-date versions of Android yourself, the methods can be quite technical, risky and will certainly void your warranty. For most people this is not an option, and so updates are unobtainable, short of buying a new phone.

However, this should not stop you taking steps to protect your device.

That’s where having a strong antivirus app like AVG AntiVirus for Android becomes a must have. It will help keep you safe by keeping an eye on what happens in your phone, even if your phone is not updated. So stay protected!

Four tips for safer Wi-Fi surfing

Here’s what you can do to stay protected while hopping from hotspot to hotspot—or at home.

 

Make sure you’re connected to a real network 

You may never have wondered if the coffee houses you walk into really have a network. After all, if your computer’s found a network, they must have one, right? Think again. Hackers can easily create a fake hotspot imitating the name of your favorite coffee house, library or other establishment. Connect to one of these fake hotspots, and then everything you do online would be going through them.

Always confirm the name of the network with the owners before you connect to it.

 

Use HTTPS encryption 

What a mouthful, right? But it’s really quite simple. Most Internet URLs (the addresses or links that you use to navigate the web) start with the four letters http. This is short for Hypertext Transfer Protocol. Well, some web sites offer to connect with a secure, encrypted version of this protocol, called HTTP Secure (or HTTPS for short). Whenever you connect with a website via this secure method, your data to and from it are encrypted so no one else on the same network can see it.

Most important websites like Google, Facebook and more support HTTPS automatically, but keep an eye out for the “s” in the address, and add it if it doesn’t appear. Some browsers have extensions like HTTPS Everywhere that make sure your browser is always seeking the secure connection.

This kind of encryption only works for what happens in your browser. If you have other applications that connect to the Internet, like a mail client such as Outlook or Apple Mail, you’ll need to make sure they have some form of encryption and that its settings are on.

 

Adjust your settings for maximum protection 

Free Wi-Fi hotspots are high in demand, so you’ll rarely be the only one connected to a network. That means others can reach out through the network and connect to your device if you haven’t changed your sharing and network discovery settings (network discovery lets others find you).

Here’s how you do it:

On Windows: open the Start menu (or press the Windows key) and type “Manage advanced sharing settings”, then press Enter. Make sure that any sharing options are switched off, and that network discovery is also off. Some versions of Windows automatically change these settings for you when you specify you are on a public network vs a home or work one.

On a Mac: Open System Preferences and choose Sharing. Make sure all the boxes are unchecked. Head back to the main System Preferences menu, select Security & Privacy and then the Firewall tab. In the Firewall Options, make sure that stealth mode is checked.

Use a clean browser 

You probably have a favorite browser that you use for everything you do online—and that’s exactly why you should use a “clean browser”. Your usual browser is probably set up to give you a lot of handy features like remembering your passwords and keeping cookies from your favorite websites to load them with your personal settings faster. This is all sensitive information worth stealing. A clean browser knows none of that, so there is nothing there for anyone on the same network to steal.

 

Use a VPN

Virtual Private Networks (VPN) make sure that anything coming in or out of your device is wrapped in strong encryption—not just your browser or email client. This is the safest method of connecting to the Internet when in public. Traditionally used by businesses and governments, VPNs have become affordable for individuals concerned with their security and privacy.

Even with these precautions, however, you should avoid any sensitive browsing like accessing your online bank accounts or making online purchases with your credit card while in public. If it can wait, you should probably do it at home.

How to secure your home network

If you’re looking to protect your home network from strangers, there are really two main things to keep in mind when setting up your Wi-Fi router:

  • Make sure you are using WPA2 encryption.
  • Make sure your password is long.

Our own Michael McKinnon has more on how to protect your network:

Video: Securing your home network