

Exclusive: Reliance Digital exposes personal data of several prospective PlayStation 5 buyers - MediaNama.com
Reliance Digital took a pre-registration survey of people who were interested in purchasing the game console, but in the process, left their personal details such as names, email addresses, phone numbers, cities, and pin codes exposed.
You are reading it here first: At least a hundred Indians interested in buying the PlayStation 5 might have to shell out more than just money. Reliance Digital took out a pre-registration survey of people who were interested in purchasing the game console, but in the process, left their names, email addresses and phone numbers exposed. Reliance Digital took the survey down after MediaNama reached out to them asking if they were aware of this. The company did not respond to our queries.

At the time of publishing, more than 800 people had taken the survey, and MediaNama could see personal details of around a hundred people. The survey was being run on a Google Form, and after taking the survey, an option popped up to see others' responses. When we clicked on the option, the webpage was redirected to responses submitted by other participants in the survey, where their personal details were displayed. It was also possible to see user details as Reliance Digital appears to have “published” responses to the form by having lax privacy settings on the form.

Aside from exposing users' personal data, the survey webpage also exposed commercial data on the demand for the PlayStation 5 hardware, software and peripheral devices. This included details about when people are likely to purchase the device when it eventually launches in India, the additional accessories people are likely to purchase, and whether they will buy a PS Plus membership, which allows for multiplayer gaming on many titles. Some examples of the kind of commercial intelligence data that the survey left exposed:

Charts generated on Google Forms by Reliance Digital’s exposed survey results.

MediaNama has also reached out to Sony to understand whether users’ data was being handled by Reliance Digital in accordance with Sony’s privacy policy.
Cybersecurity company Kaspersky said earlier this month that it had found over 130 suspicious resources online claiming to sell the PlayStation 5 at a much lower price than the retail price, indicating a growing number of scam attempts to push the console. The PlayStation 5 is out of stock nearly everywhere, and has not yet been launched in India. But there is nevertheless high consumer interest, with a “steady” amount of demand from Indians paying twice the Indian official price to snag a unit in India, according to a report by The Mako Reactor. Exposure of users’ contact information like Reliance Digital’s may have given scammers an in to exploit the console’s fervent demand by letting them fraudulently solicit desperate consumers.

In response to our queries, a Sony spokesperson sent us the following statement: “Thank you for bringing this to our notice, we have shared this information with Reliance to take necessary action. Sony India follows strict privacy protocols to safeguard its customer data.”

This is not an isolated instance where data of Indians was left exposed owing to poor data security practices adopted by companies:
- Earlier this month, data of over 2 crore BigBasket users, including their names, email IDs, password hashes, pin, and contact numbers, among others, was leaked and is being sold on the dark web.
- In October, PTI was hit with a ransomware attack that forced the news agency to suspend its publishing services for several hours.
- In August, a breach at ticketing and travel website RailYatri exposed details of over 700,000 users. The leaked details included sensitive details such as travel itineraries, and financial data such as credit and debit card information and UPI IDs.
Apple and Google are making an interoperable COVID-19 tracking tool - MediaNama.com
Apple and Google are joining forces to develop a contact-tracing system based on Bluetooth technology to track the spread of the coronavirus
In an unprecedented move, Apple and Google are joining forces to develop a contact-tracing system based on Bluetooth technology to track the spread of the coronavirus. The companies will initially develop APIs to ensure interoperability between contact-tracing apps developed by public health authorities, and subsequently will embed contact-tracing capability in both iOS and Android. The companies said they're relying on Bluetooth technology to prevent wireless tracking of the device.

APIs in May: In the first phase of the project, in May, Apple and Google will release Application Programming Interfaces (APIs) to enable interoperability between Android and iOS devices using contact-tracing apps from public health authorities, like the Aarogya Setu app. This way, official contact-tracing apps on the two different operating systems (Android and iOS) would be able to communicate better, helping in better contact-tracing, in theory.

OS integration in ‘coming months’: Then, in the coming months, the two companies will enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. However, at the moment we don't know if this functionality would remain in both the operating systems after the pandemic ends and there is perhaps no need for contact-tracing, although the companies did say that the system will “only be used for contact tracing by public health authorities for COVID-19 pandemic management”.

How the system would work, in theory

After users update their operating systems with the latest updates, their phones would exchange anonymised keys every 5 minutes. The exchange will only happen after a user has consented to opt in to the contact-tracing tool. The exchangeable anonymised keys, called rolling proximity identifiers, would be sent over Bluetooth, and change every 15 minutes to prevent wireless tracking of the device.
When a user tests positive for the virus and updates the same on the contact tracing app, their phone would upload their keys from the previous 14 days to the cloud, but only if they consent to it. If a user remains healthy and never tests positive, these keys never leave the device. After they choose to upload their keys to the server, other people who might have come in contact with that person would be notified of coming in contact with them (without revealing the identity of the person). Notifying other people becomes possible because their phone periodically downloads the anonymous keys of everyone who has tested positive for COVID-19 in their region. Apple and Google have not specified how big or small a “region” would be; we’ve reached out to them for details.

How the system would be built

A Tracing Key, unique to every device, would be generated when contact tracing is enabled. This key is stored on the user's device, and never leaves the device. From the Tracing Key, a Daily Tracing Key is generated every 24 hours. When a user tests positive for the virus, the Daily Tracing Keys for the days on which the user could have been affected are derived on the device from the Tracing Key. This subset, now called the Diagnosis Keys, is then uploaded to the server so that other people who might have come in contact with that user can be notified. The cryptography standards and Bluetooth standards can be found here and here.

Privacy measures

The system, on paper, does take a number of steps to ensure that people cannot be identified, including broadcasting an anonymised key over Bluetooth. It also claims that it doesn't collect personally identifiable information or user location data, and the list of people users have been in contact with never leaves their phone. Also, people who test positive are not identified to other users, Google or Apple. Other privacy measures include:
- A user's Rolling Proximity Identifiers cannot be correlated without having the Daily Tracing Key. Apple and Google claim that this will reduce the risk of privacy loss from broadcasting them. Not having the Daily Tracing Key will also prevent impersonation attacks.
- A server operator implementing this protocol does not learn who users have been in proximity with, or their location unless it also has the unlikely capability to scan advertisements [Bluetooth broadcasts] from users who recently reported Diagnosis Keys.
- Putting the onus on the server, the companies said that it must not retain metadata from clients uploading Diagnosis Keys after including them into the aggregated list of Diagnosis Keys per day.
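
The key hierarchy described under "How the system would be built", together with the on-device matching step, as an added example that is not Apple's or Google's code and not part of the original article. It assumes HKDF-SHA256 and truncated HMAC-SHA256 with the labels `CT-DTK` and `CT-RPI`, 16-byte outputs and 144 intervals per day, modelled on the April 2020 draft cryptography specification; the keys, day number and observed identifiers are constructed sample values.

```python
import hashlib
import hmac
import struct

INTERVALS_PER_DAY = 144  # assumption: number of identifier slots per day

def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def daily_tracing_key(tracing_key, day_number):
    """Daily Tracing Key: derived on the device from the Tracing Key and the day."""
    info = b"CT-DTK" + struct.pack("<I", day_number)  # label and encoding assumed
    return hkdf_sha256(tracing_key, None, info, 16)

def rolling_proximity_id(dtk, interval):
    """Identifier broadcast over Bluetooth; unlinkable without the daily key."""
    msg = b"CT-RPI" + bytes([interval])  # label and encoding assumed
    return hmac.new(dtk, msg, hashlib.sha256).digest()[:16]

def diagnosis_keys(tracing_key, days):
    """What a consenting positive user uploads: daily keys only, never the Tracing Key."""
    return {day: daily_tracing_key(tracing_key, day) for day in days}

def match_exposures(published, observed):
    """Receiver side: re-derive each published day's identifiers and compare locally."""
    hits = []
    for day, dtk in published.items():
        for j in range(INTERVALS_PER_DAY):
            if rolling_proximity_id(dtk, j) in observed:
                hits.append((day, j))
    return hits

# Constructed sample data: two devices heard nearby during interval 57 of one day.
ALICE_TK = bytes(range(32))
BOB_TK = bytes(range(32, 64))
DAY = 18362
OBSERVED = {rolling_proximity_id(daily_tracing_key(ALICE_TK, DAY), 57),
            rolling_proximity_id(daily_tracing_key(BOB_TK, DAY), 57)}

if __name__ == "__main__":
    print(match_exposures(diagnosis_keys(ALICE_TK, [DAY - 1, DAY]), OBSERVED))
```

Only the device whose daily keys were published is matched; the second observed identifier stays an opaque 16-byte value, which is the unlinkability property the first bullet above describes.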