TL;DR: Lend me your ears… for biometric verification

There were seismic changes in the tech world this week. Here’s the news that affects the way journalists and sources in digital journalism work, including shadowy hacking teams, stolen transcription, and earholes:

  • As the GDPR regulations came into effect in Europe, every major social platform professed a simultaneous attack of respect for user privacy. Of particular note are the Twitter terms of service, changed on Wednesday to include deeper privacy and ad controls, and the Yahoo contract, which now requires users to forfeit the right to file a class-action suit—something Yahoo has seen no shortage of in the wake of the company’s hacking scandal, starting in 2013 but not fully revealed until last October, which affected all 3 billion accounts.
  • Will the next Wikileaks-style email dump come from information stolen by officially-sanctioned Google apps? A state-sponsored hacking team, similar to the group that spread disinformation in the 2016 election, got its wares into Google’s official app store. Security blog ThreatPost reports that Google removed three apps last week from its Play store for Android apps because they were being used to gather surveillance for an “advanced persistent threat” (APT) group—well-funded and malicious software development teams that typically turn out to be a national government’s intelligence service. The apps were identified by researchers at security firm Lookout. It may also have been linked to spying on Palestinian political and military operations, according to previous reporting by tech news site Cyberscoop and a threat report by Chinese Internet company Qihoo 360’s SkyEye Labs. Cyberscoop notes in reporting from December that the group’s malware is associated with domains linked to Hamas. The APT groups are distinct from garden-variety cyber-crooks in the way they seek personal information from political figures and government workers, rather than money; they’re also known to distribute that information, as Russian threat group APT 28, more commonly known as Fancy Bear, did with John Podesta’s emails in the 2016 election. That one of these operations was able to successfully place its app in the Android store suggests that state actors are seeking the imprimatur of supposedly security-conscious tech companies to lull users into more readily giving up their credentials.
  • In the words of New York Times comedy critic Jason Zinoman, “If the Devil offered me a deal that in exchange for killing a man, I would never have to transcribe another interview, my response would be: Who are we talking about here?” Turns out transcription is occasionally a bargain with the forces of darkness: MEDantex, a transcription service based in Kansas, stored sensitive medical records on the open internet, without any authentication, available to anyone with the URL and a web browser. Former Washington Post reporter Brian Krebs broke the news via his blog Krebs on Security: among the hospitals exposed were NYU Medical Center, San Francisco Multi-Specialty Medical Group, and many others.
  • As the rise of so-called “deep-fake” images and video causes journalists to worry about authentic sourcing and source protection, the NEC Corporation has developed a new biometric for when your fingerprints, voiceprint, retina scan, dental records, face, and mother’s maiden name get compromised: ear shape. The map of an ear cavity can be measured with a sonar earphone that emits a sound out of the range of human hearing and uses the reflected sound to construct a unique earprint. NEC announced its development of the biometric a couple of years ago, but now it has a technology that can read it. The company hopes that its smart earphones will prevent identity fraud by making sure sensitive systems are open only to people with the right sort of ear hole.
  • The Russian government loudly botched its ban of messaging app Telegram, a popular service often used by journalists and their sources in the country. Technologist Bruce Schneier notes that it’s not clear that Telegram is especially secure in the first place, but blocking 16 million IP addresses is probably not the way to go about banning it even if you want to. The move seems to have been a punishment for Telegram’s refusal to provide as-needed backdoor access to the Russian government, but its mass blocking of IPs, many from widely used services like AWS and Google, caused widespread connectivity problems around the Russian web, as Techdirt notes.

Thanks to Kelsey Ables for Mandarin translation.
Correction: A typo in an earlier version of this article misstated Lookout’s role in identifying malicious apps.

Sam Thielman is the Tow editor at Columbia Journalism Review.