Tag Archives: google

Google Responds to Warrants for “About” Searches

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/10/google-responds-to-warrants-for-about-searches.html

One of the things we learned from the Snowden documents is that the NSA conducts “about” searches. That is, searches based on activities and not identifiers. A normal search would be on a name, or IP address, or phone number. An about search would be something like “show me anyone that has used this particular name in a communication,” or “show me anyone who was at this particular location within this time frame.” These searches are legal when conducted for the purpose of foreign surveillance, but the worry about using them domestically is that they are unconstitutionally broad. After all, the only way to know who said a particular name is to know what everyone said, and the only way to know who was at a particular location is to know where everyone was. The very nature of these searches requires mass surveillance.

The FBI does not conduct mass surveillance. But many US corporations do, as a normal part of their business model. And the FBI uses that surveillance infrastructure to conduct its own about searches. Here’s an arson case where the FBI asked Google who searched for a particular street address:

Homeland Security special agent Sylvette Reynoso testified that her team began by asking Google to produce a list of public IP addresses used to google the home of the victim in the run-up to the arson. The Chocolate Factory [Google] complied with the warrant, and gave the investigators the list. As Reynoso put it:

On June 15, 2020, the Honorable Ramon E. Reyes, Jr., United States Magistrate Judge for the Eastern District of New York, authorized a search warrant to Google for users who had searched the address of the Residence close in time to the arson.

The records indicated two IPv6 addresses had been used to search for the address three times: one the day before the SUV was set on fire, and the other two about an hour before the attack. The IPv6 addresses were traced to Verizon Wireless, which told the investigators that the addresses were in use by an account belonging to Williams.

Google’s response is that this is rare:

While word of these sort of requests for the identities of people making specific searches will raise the eyebrows of privacy-conscious users, Google told The Register the warrants are a very rare occurrence, and its team fights overly broad or vague requests.

“We vigorously protect the privacy of our users while supporting the important work of law enforcement,” Google’s director of law enforcement and information security Richard Salgado told us. “We require a warrant and push to narrow the scope of these particular demands when overly broad, including by objecting in court when appropriate.

“These data demands represent less than one per cent of total warrants and a small fraction of the overall legal demands for user data that we currently receive.”

Here’s another example of what seems to be about data leading to a false arrest.

According to the lawsuit, police investigating the murder knew months before they arrested Molina that the location data obtained from Google often showed him in two places at once, and that he was not the only person who drove the Honda registered under his name.

Avondale police knew almost two months before they arrested Molina that another man – his stepfather – sometimes drove Molina’s white Honda. On October 25, 2018, police obtained records showing that Molina’s Honda had been impounded earlier that year after Molina’s stepfather was caught driving the car without a license.

Data obtained by Avondale police from Google did show that a device logged into Molina’s Google account was in the area at the time of Knight’s murder. Yet on a different date, the location data from Google also showed that Molina was at a retirement community in Scottsdale (where his mother worked) while debit card records showed that Molina had made a purchase at a Walmart across town at the exact same time.

Molina’s attorneys argue that this and other instances like it should have made it clear to Avondale police that Google’s account-location data is not always reliable in determining the actual location of a person.

“About” searches might be rare, but that doesn’t make them a good idea. We have knowingly and willingly built the architecture of a police state, just so companies can show us ads. (And it is increasingly apparent that the advertising-supported Internet is heading for a crash.)

Android Apps Stealing Facebook Credentials

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/06/android_apps_st.html

Google has removed 25 Android apps from its store because they steal Facebook credentials:

Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times.

The malicious apps were developed by the same threat group and despite offering different features, under the hood, all the apps worked the same.

According to a report from French cyber-security firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games.

The apps offered a legitimate functionality, but they also contained malicious code. Evina researchers say the apps contained code that detected what app a user recently opened and had in the phone’s foreground.

Malware in Google Apps

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/05/malware_in_goog_1.html

Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say, PhantomLance’s hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app, and the victim will trust it because it’s Google Play.”

[…]

The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps were fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks.

Contact Tracing COVID-19 Infections via Smartphone Apps

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/04/contact_tracing.html

Google and Apple have announced a joint project to create a privacy-preserving COVID-19 contact tracing app. (Details, such as we have them, are here.) It’s similar to the app being developed at MIT, and similar to others being described and developed elsewhere. It’s nice seeing the privacy protections; they’re well thought out.

I was going to write a long essay about the security and privacy concerns, but Ross Anderson beat me to it. (Note that some of his comments are UK-specific.)

First, it isn’t anonymous. Covid-19 is a notifiable disease so a doctor who diagnoses you must inform the public health authorities, and if they have the bandwidth they call you and ask who you’ve been in contact with. They then call your contacts in turn. It’s not about consent or anonymity, so much as being persuasive and having a good bedside manner.

I’m relaxed about doing all this under emergency public-health powers, since this will make it harder for intrusive systems to persist after the pandemic than if they have some privacy theater that can be used to argue that the whizzy new medi-panopticon is legal enough to be kept running.

Second, contact tracers have access to all sorts of other data such as public transport ticketing and credit-card records. This is how a contact tracer in Singapore is able to phone you and tell you that the taxi driver who took you yesterday from Orchard Road to Raffles has reported sick, so please put on a mask right now and go straight home. This must be controlled; Taiwan lets public-health staff access such material in emergencies only.

Third, you can’t wait for diagnoses. In the UK, you only get a test if you’re a VIP or if you get admitted to hospital. Even so the results take 1-3 days to come back. While the VIPs share their status on twitter or facebook, the other diagnosed patients are often too sick to operate their phones.

Fourth, the public health authorities need geographical data for purposes other than contact tracing – such as to tell the army where to build more field hospitals, and to plan shipments of scarce personal protective equipment. There are already apps that do symptom tracking but more would be better. So the UK app will ask for the first three characters of your postcode, which is about enough to locate which hospital you’d end up in.

Fifth, although the cryptographers – and now Google and Apple – are discussing more anonymous variants of the Singapore app, that’s not the problem. Anyone who’s worked on abuse will instantly realise that a voluntary app operated by anonymous actors is wide open to trolling. The performance art people will tie a phone to a dog and let it run around the park; the Russians will use the app to run service-denial attacks and spread panic; and little Johnny will self-report symptoms to get the whole school sent home.

I recommend reading his essay in full. Also worth reading are this EFF essay, and this ACLU white paper.

To me, the real problems aren’t around privacy and security. The efficacy of any app-based contact tracing is still unproven. A “contact” from the point of view of an app isn’t the same as an epidemiological contact. And the ratio of infections to contacts is high. We would have to deal with the false positives (being close to someone else, but separated by a partition or other barrier) and the false negatives (not being close to someone else, but contracting the disease through a mutually touched object). And without cheap, fast, and accurate testing, the information from any of these apps isn’t very useful. So I agree with Ross that this is primarily an exercise in that false syllogism: Something must be done. This is something. Therefore, we must do it. It’s techies proposing tech solutions to what is primarily a social problem.

EDITED TO ADD: Susan Landau on contact tracing apps and how they’re being oversold. And Farzad Mostashari, former coordinator for health IT at the Department of Health and Human Services, on contact tracing apps.

As long as 1) every contact does not result in an infection, and 2) a large percentage of people with the disease are asymptomatic and don’t realize they have it, I can’t see how this sort of app is valuable. If we had cheap, fast, and accurate testing for everyone on demand…maybe. But I still don’t think so.

EDITED TO ADD (4/15): More details from Apple and Google.

According to Google Mobility Data: Bulgarians Are the Most Mobile in the Balkans Under Strict Restrictions

Post Syndicated from Атанас Чобанов original https://bivol.bg/bulgaria-balkans-google-mobility.html

Friday, 3 April 2020

Amid the severe restrictions imposed because of the COVID-19 pandemic, the mobility of Bulgarian citizens has decreased the least compared with neighbouring countries, according to data released by Google.

The data come from the geolocation of mobile devices and are anonymised. They cover the period from 16 February to 29 March and have been made public so that governments can inform themselves about the actual state of compliance with quarantine measures, the global internet giant says.

Mobility in Bulgaria according to Google data as of 29 March.

Mobility is divided into three categories: Retail & recreation, meaning visits to shopping centres, cafés, restaurants, museums, cinemas and amusement parks; Grocery & pharmacy, meaning visits to grocery stores, markets and pharmacies; and Parks, meaning visits to parks, gardens and beaches. The data are summarised as the percentage difference in visits compared with the period before the restrictive measures.

Bulgarians’ discipline in the “Recreation” and “Shopping” categories is the worst in the Balkans, and in the “Parks” category it is better only than that of Bosnia and Herzegovina, according to a comparison of the data for different countries made by Bivol. This conclusion is provisional, since no data are available for Albania and Serbia at this time.

Retail and recreation

Shopping and pharmacies

Parks

In fact, Bulgaria stands much closer to the Netherlands, where the restriction regime is more liberal. In the Balkans, the champion in all three categories is Romania. Unsurprisingly, in Europe the ranking for reduced mobility is topped by the hardest-hit countries, Italy and Spain.

One interpretation of these data is that the strict social and physical distancing measures in Bulgaria are not being observed. Low discipline in this respect was also shown by Bulgarian members of parliament, who two days ago queued up to be tested for COVID-19 at two hospitals in the capital. The photos circulated in the media show that they are not keeping the prescribed distance of a metre and a half.

Photo: Димитър Кьосермарлиев, Bulgaria ON AIR

Hacking Voice Assistants with Ultrasonic Waves

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/03/hacking_voice_a_1.html

I previously wrote about hacking voice assistants with lasers. Turns out you can do much the same thing with ultrasonic waves:

Voice assistants — the demo targeted Siri, Google Assistant, and Bixby — are designed to respond when they detect the owner’s voice after noticing a trigger phrase such as ‘Ok, Google’.

Ultimately, commands are just sound waves, which other researchers have already shown can be emulated using ultrasonic waves which humans can’t hear, providing an attacker has a line of sight on the device and the distance is short.

What SurfingAttack adds to this is the ability to send the ultrasonic commands through a solid glass or wood table on which the smartphone was sitting using a circular piezoelectric disc connected to its underside.

Although the distance was only 43cm (17 inches), hiding the disc under a surface represents a more plausible, easier-to-conceal attack method than previous techniques.

Research paper. Demonstration video.

Deep Learning to Find Malicious Email Attachments

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/02/deep_learning_t.html

Google presented its system of using deep-learning techniques to identify malicious email attachments:

At the RSA security conference in San Francisco on Tuesday, Google’s security and anti-abuse research lead Elie Bursztein will present findings on how the new deep-learning scanner for documents is faring against the 300 billion attachments it has to process each week. It’s challenging to tell the difference between legitimate documents in all their infinite variations and those that have specifically been manipulated to conceal something dangerous. Google says that 63 percent of the malicious documents it blocks each day are different than the ones its systems flagged the day before. But this is exactly the type of pattern-recognition problem where deep learning can be helpful.

[…]

The document analyzer looks for common red flags, probes files if they have components that may have been purposefully obfuscated, and does other checks like examining macros — the tool in Microsoft Word documents that chains commands together in a series and is often used in attacks. The volume of malicious documents that attackers send out varies widely day to day. Bursztein says that since its deployment, the document scanner has been particularly good at flagging suspicious documents sent in bursts by malicious botnets or through other mass distribution methods. He was also surprised to discover how effective the scanner is at analyzing Microsoft Excel documents, a complicated file format that can be difficult to assess.

This is the sort of thing that’s pretty well optimized for machine-learning techniques.

Google Receives Geofence Warrants

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/01/google_receives.html

Sometimes it’s hard to tell the corporate surveillance operations from the government ones:

Google reportedly has a database called Sensorvault in which it stores location data for millions of devices going back almost a decade.

The article is about geofence warrants, where the police go to companies like Google and ask for information about every device in a particular geographic area at a particular time. In 2013, we learned from Edward Snowden that the NSA does this worldwide. Its program is called CO-TRAVELLER. The NSA claims it stopped doing that in 2014 — probably just stopped doing it in the US — but why should it bother when the government can just get the data from Google.

Both the New York Times and EFF have written about Sensorvault.

ToTok Is an Emirati Spying Tool

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/12/totok_is_an_emi.html

The smartphone messaging app ToTok is actually an Emirati spying tool:

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

ToTok, introduced only months ago, was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. While the majority of its users are in the Emirates, ToTok surged to become one of the most downloaded social apps in the United States last week, according to app rankings and App Annie, a research firm.

Apple and Google have removed it from their app stores. If you have it on your phone, delete it now.

Fooling Voice Assistants with Lasers

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/11/fooling_voice_a.html

Interesting:

Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible — and sometimes invisible — commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.

Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). Because voice-controlled systems often don’t require users to authenticate themselves, the attack can frequently be carried out without the need of a password or PIN. Even when the systems require authentication for certain actions, it may be feasible to brute force the PIN, since many devices don’t limit the number of guesses a user can make. Among other things, light-based commands can be sent from one building to another and penetrate glass when a vulnerable device is kept near a closed window.

Phone Pharming for Ad Fraud

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/08/phone_farming_f.html

Interesting article on people using banks of smartphones to commit ad fraud for profit.

No one knows how prevalent ad fraud is on the Internet. I believe it is surprisingly high — here’s an article that places losses between $6.5 and $19 billion annually — and something companies like Google and Facebook would prefer remain unresearched.

Google Releases Basic Homomorphic Encryption Tool

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/07/google_releases_1.html

Google has released an open-source cryptographic tool: Private Join and Compute. From a Wired article:

Private Join and Compute uses a 1970s methodology known as “commutative encryption” to allow data in the data sets to be encrypted with multiple keys, without it mattering which order the keys are used in. This is helpful for multiparty computation, where you need to apply and later peel away multiple layers of encryption without affecting the computations performed on the encrypted data. Crucially, Private Join and Compute also uses methods first developed in the ’90s that enable a system to combine two encrypted data sets, determine what they have in common, and then perform mathematical computations directly on this encrypted, unreadable data through a technique called homomorphic encryption.

True homomorphic encryption isn’t possible, and my guess is that it will never be feasible for most applications. But limited application tricks like this have been around for decades, and sometimes they’re useful.

Boing Boing article.
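The commutative-encryption step described in the quoted passage, as an added example (not code from Private Join and Compute or from the original post): two parties find their common identifiers while exchanging only exponentiated hashes, and a layer can be peeled off in any order. The modulus, the `Party` class and the sample addresses are assumptions made for illustration, and the homomorphic "compute" stage is not covered.

```python
"""Set intersection with a commutative cipher (added illustration, toy parameters)."""
import hashlib
import math
import secrets

# Assumption: illustrative modulus only. 2**255 - 19 is prime, which is all this
# sketch needs for correctness; it is not a vetted parameter choice, and the page
# does not say which group Private Join and Compute uses.
P = 2**255 - 19


def keygen() -> int:
    """Secret exponent k with gcd(k, P-1) == 1, so x -> x^k mod P is a bijection."""
    while True:
        k = secrets.randbelow(P - 3) + 2          # uniform in 2 .. P-2
        if math.gcd(k, P - 1) == 1:
            return k


def hash_to_group(item: str) -> int:
    """Map a normalised identifier into 2 .. P-1 so raw values never travel."""
    digest = hashlib.sha512(item.strip().lower().encode("utf-8")).digest()
    return 2 + int.from_bytes(digest, "big") % (P - 2)


def encrypt(key: int, element: int) -> int:
    """Add one layer. (x^a)^b == (x^b)^a mod P, so the order of layers is irrelevant."""
    return pow(element, key, P)


def decrypt(key: int, element: int) -> int:
    """Peel one layer off, whichever position it was applied in."""
    return pow(element, pow(key, -1, P - 1), P)


class Party:
    """Hypothetical protocol participant holding a private list and a private key."""

    def __init__(self, items):
        self.items = list(items)
        self._key = keygen()                      # never leaves this object

    def own_single_layer(self, shuffle: bool):
        out = [encrypt(self._key, hash_to_group(i)) for i in self.items]
        if shuffle:                               # hide which position matched
            secrets.SystemRandom().shuffle(out)
        return out

    def add_layer(self, ciphertexts):
        return [encrypt(self._key, c) for c in ciphertexts]


def private_intersection(alice_items, bob_items):
    """Return Alice's items that Bob also holds; only ciphertexts are exchanged."""
    alice, bob = Party(alice_items), Party(bob_items)
    # 1. Alice -> Bob: her hashed items under key a, in her own order.
    msg1 = alice.own_single_layer(shuffle=False)
    # 2. Bob -> Alice: Alice's values with his layer added (order kept),
    #    plus his own hashed items under key b, shuffled.
    alice_double = bob.add_layer(msg1)
    bob_single = bob.own_single_layer(shuffle=True)
    # 3. Alice adds her layer to Bob's values. Equal plaintexts now give equal
    #    doubly encrypted values even though the keys were applied in opposite order.
    bob_double = set(alice.add_layer(bob_single))
    return sorted(i for i, c in zip(alice.items, alice_double) if c in bob_double)


def layers_commute(item: str) -> bool:
    """Check both properties the passage relies on for one sample element."""
    a, b, x = keygen(), keygen(), hash_to_group(item)
    same_either_order = encrypt(b, encrypt(a, x)) == encrypt(a, encrypt(b, x))
    peel_inner_layer = decrypt(a, encrypt(b, encrypt(a, x))) == encrypt(b, x)
    return same_either_order and peel_inner_layer


if __name__ == "__main__":
    # Constructed sample data, not taken from the page.
    alice_list = ["ana@example.com", "bo@example.com", "cy@example.com"]
    bob_list = ["cy@example.com", "eve@example.org", "ANA@example.com "]
    print("layers commute:", layers_commute("ana@example.com"))
    print("in common:", private_intersection(alice_list, bob_list))
```

In this flow Alice learns which of her own entries Bob also holds, and Bob learns only how many entries Alice sent.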

Backdoor Built into Android Firmware

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/06/backdoor_built_.html

In 2017, some Android phones came with a backdoor pre-installed:

Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.

Triada first came to light in 2016 in articles published by Kaspersky here and here, the first of which said the malware was “one of the most advanced mobile Trojans” the security firm’s analysts had ever encountered. Once installed, Triada’s chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS’ all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers.

In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn’t be deleted using standard methods, the report said.

On Thursday, Google confirmed the Dr. Web report, although it stopped short of naming the manufacturers. Thursday’s report also said the supply chain attack was pulled off by one or more partners the manufacturers used in preparing the final firmware image used in the affected devices.

This is a supply chain attack. It seems to be the work of criminals, but it could just as easily have been a nation-state.

Google+ is Shutting Down: Save Your Content By March 31

Post Syndicated from Roderick Bauer original https://www.backblaze.com/blog/google-is-shutting-down-save-your-content-by-march-31/

Farewell Google+

If you’re a user of Google+, the internet-based social network, you recently received a notice that the service is shutting down on April 2. If you have any content on Google+ that you’d like to save, you need to get it out by Sunday, March 31.

If you already have copies of that content, you’re OK, but if any of that content exists only on Google+, you’ll want to make sure you retrieve it prior to the deadline.

No other Google products (such as Gmail, Google Photos, Google Drive, YouTube) are affected. Any photos and videos already backed up in Google Photos will not be deleted.

A Reminder to Keep Your Data Safe and Secure

This action by Google, as well as the recent Myspace content deletion accident, are good reminders that you never want to be in the situation where the only copy of your data is in one place if that one place isn’t expressly designed for long-term secure archiving. Any data you have that you value — whether on your local computer, on an external disk, on backup media, or in the cloud — shouldn’t exist only in one place.

If you Have Data in Google+, Here’s How To Retrieve It

How to download your data.

Google dialog to download your data

More Information from Google on Google+ Closure

For more information, see the full Google+ shutdown FAQ.

The post Google+ is Shutting Down: Save Your Content By March 31 appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

The Latest in Creepy Spyware

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/03/the_latest_in_c.html

The Nest home alarm system shipped with a secret microphone, which — according to the company — was only an accidental secret:

On Tuesday, a Google spokesperson told Business Insider the company had made an “error.”

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” the spokesperson said. “That was an error on our part.”

Where are the consumer protection agencies? They should be all over this.

And while they’re figuring out which laws Google broke, they should also look at American Airlines. Turns out that some of their seats have built-in cameras:

American Airlines spokesperson Ross Feinstein confirmed to BuzzFeed News that cameras are present on some of the airlines’ in-flight entertainment systems, but said “they have never been activated, and American is not considering using them.” Feinstein added, “Cameras are a standard feature on many in-flight entertainment systems used by multiple airlines. Manufacturers of those systems have included cameras for possible future uses, such as hand gestures to control in-flight entertainment.”

That makes it all okay, doesn’t it?

Actually, I kind of understand the airline seat camera thing. My guess is that whoever designed the in-flight entertainment system just specced a standard tablet computer, and they all came with unnecessary features like cameras. This is how we end up with refrigerators with Internet connectivity and Roombas with microphones. It’s cheaper to leave the functionality in than it is to remove it.

Still, we need better disclosure laws.

Clever Smartphone Malware Concealment Technique

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/01/clever_smartpho.html

This is clever:

Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection — they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn’t load on emulators researchers use to detect attacks.

The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers — and possibly Google employees screening apps submitted to Play — are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.

EU Court of Justice: Publishers’ Rights

Post Syndicated from nellyo original https://nellyo.wordpress.com/2019/01/01/vgmedia/

Стана известно заключението на Генералния адвокат по дело C299/17 VG Media Gesellschaft  срещу GoogleLLC.

Спорът

Преюдициалното запитване е отправено в рамките на спор пред Landgericht Berlin (Областен съд Берлин, Германия) между VG Media Gesellschaft zur Verwertung der Urheber- und Leistungsschutzrechte von Medienunternehmen mbH — организация за колективно управление, оправомощена съгласно германското право да управлява авторското право и сродните му права по-специално от името на издатели на периодични издания, и дружеството Google LLC, което управлява интернет търсачката Google search в домейните http://www.google.de и http://www.google.com, както и услугата Google News, която в Германия е достъпна отделно като news.google.de или news.google.com.

От името на своите членове VG Media предявява срещу Google иск за обезщетение във връзка с това, че считано от 1 август 2013 г., Google използва за собствените си услуги откъси от текст, изображения и видеоматериали от пресата и медийно съдържание, произведени от членове на VG Media, без да плаща възнаграждение за това.

Основанието: на 1 август 2013 г. Федерална република Германия въвежда за издателите на периодичен печат право, сродно на авторското право, съгласно членове 87f и 87h от Urheberrechtsgesetz (Закон за авторското право и сродните му права, наричан по-нататък „UrhG“). Германия e първата страна в Европа, която въведе сродно право в полза на издателите – с цел да им даде контрол върху нелицензираното използване на съдържанието на съответните издания от трети страни. Последва я Испания.

The questions

Given that the legislative proposal in question was not notified to the Commission in accordance with Article 8(1) of Directive 98/34 (and the penalty for failing to comply with that obligation is that the national legal provisions are inapplicable, so that, if they were not notified, they cannot be enforced against individuals), the Landgericht Berlin (Regional Court, Berlin) referred two questions to the Court:

“(1) Does a national rule which prohibits only commercial operators of search engines and commercial service providers which edit content, but not other users, including commercial users, from making press products or parts thereof (excluding individual words and very short text excerpts) available to the public constitute, under Article 1(2) and (5) of Directive [98/34], a rule which is not specifically aimed at the services defined in that point,

and, if the answer is in the negative,

(2) does a national rule which prohibits only commercial operators of search engines and commercial service providers which edit content, but not other users, including commercial users, from making press products or parts thereof (excluding individual words and very short text excerpts) available to the public constitute a technical regulation within the meaning of Article 1(11) of Directive [98/34], namely a compulsory rule on the provision of a service?”

Google argues that the German law will not be applicable, because the German government did not notify the EU Commission of these rules.

The Advocate General:

Although the protection of copyright falls within the scope of Article 17(2) of the EU Charter of Fundamental Rights and EU legislation aims to establish a “high level of protection”, it is not an absolute right. The Court of Justice of the EU has made clear that the fundamental rights of others must also be taken into account, including the freedom to conduct a business (Article 16 of the Charter). All of this requires striking a fair balance between the different rights.

29. However, it is clear from the Court's case-law that intellectual property rights are not absolute. The Court has emphasised that such exclusive rights, and in particular the possibility of seeking legal remedies (such as an action for the cessation of unlawful use or for a prohibition on carrying out an activity) to ensure their protection, may affect the fundamental rights of other parties, such as the freedom to conduct a business, protected by Article 16 of the Charter, and the right to freedom of information, protected by Article 11 of the Charter. Where several fundamental rights protected by EU law are affected, a fair balance must be struck between them.

34. In its observations, the Spanish Government states that the aim of the national provisions at issue is to protect the rights related to copyright of publishers of newspapers and magazines, and not to regulate information society services in any way. In my view, the fact that the national legislative provisions at issue grant such publishers intellectual property rights does not in itself show that those provisions do not seek to regulate information society services in any way, or even only incidentally. Indeed, in its observations the Commission states that, in its view, intellectual property is not excluded from the scope of Directive 98/34.

38. As regards the scope and impact of the legislation, one must of course take a realistic approach, bearing in mind current circumstances. In my view, it is clear that the main aim and object of these legislative changes was to address the effect of internet search engines, given that media content is increasingly read and viewed online, and to provide for a special copyright rule concerning the online services relating to press products supplied by the operators of such search engines. Consequently, even if there are still operators providing such commercial services offline, they are hardly the main focus of the German legislature. Although it is ultimately for the referring court to rule on this point, this follows at least implicitly from its interpretation of the UrhG.

To that end, the German government has an obligation to notify the European Commission:

It would be foolish and naive not to recognise that the traditional commercial model of newspapers across the Union (sales and advertising) has been undermined over the last 20 years by consumers reading newspapers online, a practice which in turn has been facilitated by the advent of powerful search engines such as the one operated by the defendant. Nevertheless, “none of this means that a Member State is entitled to bypass the notification requirements of Directive 98/34.”

45. Accordingly, since those national provisions were not notified to the Commission in the manner required by Article 8(1) of Directive 98/34, in accordance with the Court's settled case-law the Landgericht Berlin (Regional Court, Berlin) must decline to apply Paragraph 87f(1) and Paragraph 87g(4) of the UrhG in the proceedings pending before it between the parties.

More broadly, if the Court accepts the Advocate General's position, consequences could arise:

  • for Spanish law: in Spain (albeit through a different mechanism) a legislative initiative aimed at achieving the same objectives as the German law was adopted, and the government did not notify the European Commission. If the Court of Justice rules in VG Media in the way proposed by AG Hogan, the Spanish legislation may likewise be considered inapplicable.
  • for Article 11 of the draft Copyright Directive, although the wording of Article 11 does not appear to be aimed at particular entities, which, according to the AG, is striking in the case of Germany (point 26).

Android Ad-Fraud Scheme

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/10/android_ad-frau.html

BuzzFeed is reporting on a scheme where fraudsters buy legitimate Android apps, track users’ behavior in order to mimic it in a way that evades bot detectors, and then use bots to perpetuate an ad-fraud scheme.

After being provided with a list of the apps and websites connected to the scheme, Google investigated and found that dozens of the apps used its mobile advertising network. Its independent analysis confirmed the presence of a botnet driving traffic to websites and apps in the scheme. Google has removed more than 30 apps from the Play store, and terminated multiple publisher accounts with its ad networks. Google said that prior to being contacted by BuzzFeed News it had previously removed 10 apps in the scheme and blocked many of the websites. It continues to investigate, and published a blog post to detail its findings.

The company estimates this operation stole close to $10 million from advertisers who used Google’s ad network to place ads in the affected websites and apps. It said the vast majority of ads being placed in these apps and websites came via other major ad networks.

Lots of details in both the BuzzFeed and the Google links.

The Internet advertising industry is rife with fraud, at all levels. This is just one scheme among many.