Study Reveals 40% of Websites Secretly Track User Keystrokes Before Form Submission

 

Researchers from UC Davis, Maastricht University, and other institutions have uncovered widespread silent keystroke interception across websites, revealing that many sites collect user typing data before forms are ever submitted. The study examined how third-party scripts capture and share information in ways that may constitute wiretapping under California law. 

Research methodology 

The research team analyzed 15,000 websites using a custom web crawler and discovered alarming privacy practices. They found that 91 percent of sites used event listeners—JavaScript code that detects user actions like typing, clicking, or scrolling. While most event listeners serve basic functions, a significant portion monitor typing activities in real time. 

Key findings revealed that 38.5 percent of websites had third-party scripts capable of intercepting keystrokes. More concerning, 3.18 percent of sites actually transmitted intercepted keystrokes to remote servers, behavior that researchers note matches the technical definition of wiretapping under California's Invasion of Privacy Act (CIPA). 
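The gap between the two figures above is the gap between a script that can read keystrokes and one that actually sends them off-site. The following is an added audit sketch, not the researchers' crawler: it classifies one recorded page visit into those two tiers, and the record fields (`listeners`, `requests`, `typed`, `beforeSubmit`) and all sample hosts are assumptions constructed for illustration.

```javascript
// Added example. Field names and sample data are constructed.
const KEY_EVENTS = new Set(["keydown", "keyup", "keypress", "input", "change"]);

// Simplified "same site" check: last two host labels. A real audit should use
// the Public Suffix List (hosts such as shop.example.co.uk are misjudged here).
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Forms a typed value commonly takes in a request: raw, URL-encoded, base64.
// Base64 only matches when the value was encoded on its own (Node's Buffer).
const encodings = (v) =>
  [v, encodeURIComponent(v), Buffer.from(v, "utf8").toString("base64")];

function auditVisit(visit) {
  const first = site(visit.pageUrl);
  // Tier 1: a third-party script registered a typing-related listener.
  const listeners = visit.listeners.filter(
    (l) => KEY_EVENTS.has(l.type) && site(l.scriptUrl) !== first);
  // Tier 2: a typed value reached a third-party host before form submission.
  const needles = visit.typed.filter((v) => v.length >= 4).flatMap(encodings);
  const leaks = visit.requests.filter((r) =>
    r.beforeSubmit && site(r.url) !== first &&
    needles.some((n) => `${r.url}\n${r.body || ""}`.includes(n)));
  return {
    canIntercept: listeners.length > 0,
    transmitted: leaks.length > 0,
    receivers: [...new Set(leaks.map((r) => site(r.url)))],
  };
}

// Constructed visit: first-party validation plus a hypothetical replay vendor.
const SAMPLE_VISIT = {
  pageUrl: "https://shop.example/signup",
  typed: ["alice@mail.example"],
  listeners: [
    { type: "input", scriptUrl: "https://shop.example/static/validate.js" },
    { type: "keydown", scriptUrl: "https://cdn.replay-vendor.example/r.js" },
    { type: "scroll", scriptUrl: "https://ads.example/a.js" },
  ],
  requests: [
    { url: "https://shop.example/api/check", beforeSubmit: true,
      body: "email=alice%40mail.example" },
    { url: "https://collect.replay-vendor.example/e", beforeSubmit: true,
      body: '{"v":"YWxpY2VAbWFpbC5leGFtcGxl"}' },
  ],
};

console.log(auditVisit(SAMPLE_VISIT));
```

The first-party email check is not counted as a leak; only the base64-encoded copy sent to the third-party host is.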

Data collection and privacy violations 

The captured data included email addresses, phone numbers, and free text entered into forms. In documented cases, email addresses typed into forms were later used for unsolicited marketing emails, even when users never submitted the forms. Co-author Shaoor Munir emphasized that email addresses serve as stable identifiers, enabling cross-site tracking and data broker enrichment. 

Legal implications 

Legal implications center on CIPA's strict two-party consent requirement, which contrasts with federal wiretapping laws that require only one-party consent. The study provides evidence that some tracking practices could qualify as wiretapping, potentially enabling private lawsuits since enforcement doesn't rely solely on government action. 

Privacy risks and recommendations

Privacy risks extend beyond legal compliance. Users have minimal control over data once it leaves their browsers, with sensitive information collected and shared without disclosure. Munir highlighted scenarios where users type private information then delete it without submitting, unaware that data was still captured and transmitted to third parties. 

This practice violates user expectations on two levels: that only the first-party website accesses the information they provide, and that only submitted information reaches other parties. For organizations, the erosion of customer trust poses a significant risk when users discover silent keystroke capture. 

The researchers recommend regulatory clarity, treating embedded analytics and session-replay vendors as third parties unless users expressly consent. They also advocate updating federal consent requirements to mirror CIPA's two-party protection standards, ensuring nationwide user privacy protection.

China-backed Hackers Breach U.S. Telecom Wiretap Systems, Sparking Security Concerns

 

China-backed hackers infiltrated wiretap systems of multiple U.S. telecom and internet providers, reportedly seeking to collect intelligence on American citizens. This revelation has raised alarm in the security community.

Wiretap systems, required by a 30-year-old U.S. federal law, allow a small number of authorized employees access to sensitive customer data, including internet activity and browsing history. These systems, now compromised, highlight long-standing concerns about their vulnerability.

Security experts had long warned about the risks of legal backdoors in telecom systems. Many saw this breach as an inevitable outcome of such vulnerabilities being exploited by malicious actors. Georgetown Law professor Matt Blaze remarked that this scenario was “absolutely inevitable.”

According to the Wall Street Journal, the hacking group, Salt Typhoon, accessed systems used by major U.S. internet providers like AT&T, Lumen, and Verizon. The group reportedly collected large amounts of internet traffic, and a U.S. government investigation is now underway.

The hackers' goals remain unclear, but experts believe the breach could be part of a larger Chinese effort to prepare for potential cyberattacks in the event of conflict, possibly over Taiwan. The intrusion reinforces the dangers of security backdoors.

Riana Pfefferkorn, a Stanford academic, pointed out that this hack exposes the risks of U.S. wiretap systems, arguing that these measures jeopardize citizens’ privacy rather than protecting them. She advocates for increased encryption as a solution to these vulnerabilities.

The compromised wiretap systems are mandated by the Communications Assistance for Law Enforcement Act (CALEA), a law enacted in 1994 to help the government access telecom data through lawful orders. However, these systems have become a target for hackers and malicious actors.

After 9/11, U.S. surveillance laws expanded wiretapping to collect intelligence, sparking an entire industry dedicated to facilitating these operations. Yet, the extent of government access to private data was only exposed in 2013 by whistleblower Edward Snowden.

Post-Snowden, tech giants like Apple and Google began encrypting customer data to prevent unauthorized access, even from government agencies. However, telecom companies have been slower to follow suit, leaving much U.S. phone and internet traffic vulnerable to wiretapping.

Governments worldwide continue to push for legal backdoors into encrypted systems. In the EU, for example, proposed laws aim to scan private messages for illegal content, raising security concerns among experts.

Signal, the encrypted messaging app, warned of the dangers of backdoors, pointing to the Chinese hacking incident as an example of why such measures pose severe cybersecurity risks. Meredith Whittaker, Signal’s president, stressed that backdoors cannot be restricted to just "the good guys."

Blaze called the CALEA law a cautionary tale, emphasizing the dangers of building security systems with inherent vulnerabilities.