SecureMac, Inc.

Checklist 131: The Good, the Bad, and the Buggly

March 28, 2019

On this week’s Checklist by SecureMac we’ll be discussing: The Good: Senators try to protect children’s data, The Bad: FEMA exposes the data of over 2-million disaster victims, and The Buggly: Apple fixes a boatload of security issues.

Checklist 131: The Good, the Bad, and the Buggly

On this week’s Checklist by SecureMac we’ll be discussing: The Good: Senators try to protect children’s data, The Bad: FEMA exposes the data of over 2-million disaster victims, and The Buggly: Apple fixes a boatload of security issues.

Sometimes, you’ll hear “the old days” of the Internet referred to as “the Wild West of the Web” – and by that we mean 10 or 15 years ago.  While it’s a cool nickname, it also implies that today’s digital landscape is more sophisticated and safer, with all the other hazards corralled away out of sight. We know that’s not true, though, and often, it can still feel like we’re smack in the middle of a duel at high noon between the bad guys and the good guys. So, saddle up, because this week, we’re checking off “the good, the bad, and the buggly” on our list. That means:

  • The Good: Trying to Protect Children
  • The Bad: Leaving Disaster Victims Prone to Scammers
  • The Buggly: Apple Plugs a Bunch of Security Vulnerabilities

Let’s kick the show off with a positive story that has some good news at its heart — for once. Now, you might not think that’s the case when you hear that yet again, we’re on our way back to Capitol Hill for this story. Let’s dig in and see what we have in store for our listeners today.

The Good: Trying to Protect Children

“Think of the children!” has been a bipartisan rallying cry since time immemorial — or at least since the introduction of child labor laws. “Think of the children” is what we’re hearing from a pair of Senators this week, but this time, it’s actually for a pretty good reason — because these senators are thinking about how to protect the data privacy of children. This welcome change comes to us through a story published in The Verge, which notes that Senators Josh Hawley, a Republican from Missouri, and Ed Markey, the Democratic Senator from Massachusetts, have jointly proposed a big update to an old law — the Children’s Online Privacy Protection Act, or COPPA. The goal of the new law: to put a blanket ban on any advertising targeted at children and to legislate a clear set of parental controls.

COPPA was quite famous back in its day as one of the first significant pieces of legislation passed governing the Internet; it got the president’s signature in 1998 and ultimately went into effect in 2000. COPPA’s primary provisions involved disallowing web services from collecting information on users under the age of 13 unless parents gave affirmative consent to the process. The updated language proposed by the senators would extend that prohibition to age 15, but delegate the task of giving consent to the children themselves between the ages of 13 and 15. 

Responding to a wealth of growing concerns, the senators said in a statement that, “We need to pass bipartisan and bicameral COPPA 2.0 legislation that puts children’s well-being at the top of Congress’s priority list,” and that it should not be a matter of difficulty to reach a consensus on the fact that “children deserve strong and effective protections online.”

On the one hand, this does seem like a good “first step” in the right direction in terms of attitudes from lawmakers towards digital privacy. On the other hand, is it really that big of a deal in its own right? Perhaps if the law completely prohibited data collection on this age group — or at least not allowing teens to provide their own consent, who may be more likely than not to simply click “yes” to any prompt standing in the way of their game or service. We talk about much bigger fish that need legislative frying every week on The Checklist, so while this looks good on the surface, it’s still (at least in part) a bit of grandstanding for good looks with an election year on the horizon.  

That said, it’s not all lip service. Indeed, there are good ideas nestled into the bill, including the concept of an “Eraser Button.” This proposed feature would mandate that websites implement a simple process for allowing parents (or children) to request a total and complete deletion of all their data on the website — without also deleting the account. Recall that if you want to obliterate your data on most services today, it means closing your account at the same time. Under this law, that wouldn’t be permissible.

If it sounds a little “pie in the sky,” though, that’s because it is in part. The nature of the way the web works — and the way that web server architecture works — means it’s simply not that easy to delete someone’s data in one fell swoop. There are backups of backups on top of backups and a whole host of other problems that make it a challenge.

It’s not like COPPA itself is a dusty old law with no teeth, though; in fact, the Federal Trade Commission just recently fined the company that operates Snapchat and Vine-like service TikTok nearly $6 million for collecting data on users under the age of 13. However, $6 million is merely a drop in the bucket for a company so large — so perhaps the issue is still that our privacy laws lack the teeth of something such as Europe’s GDPR.

Of course, as with almost all laws it seems, there must be something ridiculous tucked into its text, and we find this bill’s “strange idea” buried in a section about the Internet of Things-such as devices and toys for children. Regarding those, the bill would mandate that the product packaging include a require disclosure of how the device collects data on their children and interacts with that information — otherwise, the product would not be legal to sell. Can you imagine any way that could realistically work in a world where we don’t even read the Terms of Service? We can’t. 

If adopted, businesses would have a year to figure out how to meet these new requirements and put them into practice. While we might cast a cynical eye towards the motivations behind the law and criticize some of the aspects that may reveal a general ignorance about tech on the part of lawmakers, it’s still a good move overall. As small a step forward as it may be, it’s still a step forward. 

The Bad: Leaving Disaster Victims Prone to Scammers

All right — that’s the good out of the way, now what about the bad?

The Washington Post broke a major story this past week when it reported that FEMA, or the Federal Emergency Management Agency, mistakenly disclosed personal information on millions of disaster victims to contractors. Calling it a “major privacy incident,” FEMA says that the information included banking details and personal addresses, just the kind of information an identity thief would love to have for making a fresh start.

The leak was uncovered by the Office of the Inspector General during a review of FEMA procedures and actions. From where did all this data originate? The Post says that it originated from information supplied to FEMA by those who used its TSA service, or “Transitional Sheltering Assistance,” a housing program that helps disaster survivors obtain short or long-term shelter in the wake of the destruction of their homes. Individuals in TSA impacted by the agency’s mishandling of the data include victims from Hurricane Maria, Hurricane Irma, and Hurricane Harvey, along with those who lost property in the 2017 California wildfires.

Calling the mistake “oversharing,” FEMA was transmitting data to one of their third-party contractors apparently without appropriately sanitizing the information. According to an anonymous official, bank details and addresses were leaked for 1.8 million individuals, while about three-quarters of a million more had only their addresses leaked.

Why did FEMA have banking details for these individuals in the first place, especially if they weren’t intended for sharing with the contractor in question? The TSA program may lodge individuals in hotels, but the program doesn’t cover “incidentals” — so what would the info be for at all? The answer to that question is not known at this time, just as we do not know who the contractor that received the private data was. 

How is it possible for information to be “overshared”? This situation is a bit of a different case to one we discussed in an episode a few weeks ago, in which we wondered how information flowing from one server to another (in this case, apps to Facebook) could include extraneous data the receiver wasn’t expecting. It’s very possible this was a case of information shared from person to person — that is, someone from FEMA may have emailed a contractor a few big spreadsheets without remembering everything those sheets contained. You’d be surprised how often this vital data resides in mundane documents!

FEMA says it’s reviewed their procedures, ceased the unnecessary sharing and implemented policies to ensure the problem won’t happen again. While FEMA says that there’s no indication anything untoward has occurred with the data, that’s no guarantee. The Post says that the Inspector General report identified an elevated future risk of identity theft for those affected. Were those involved personally notified? We certainly hope so.

A quick reminder on what to do if you think you might be at risk for identity fraud:

  • Monitor your credit card statements carefully for suspicious activity.
  • Keep an eye on your credit report for accounts and balances you don’t recognize.
  • Watch out for phishing attempts, both digitally and over the phone. Don’t give away private information based on someone’s word. 

The Buggly: Apple Plugs a Bunch of Security Vulnerabilities

It’s time to update everything!

Apple rolled out a ton of updates this week, and while we won’t go into all of them, there is one bug that got fixed that’s pretty scary. Of the 41 total issues corrected in iOS 12.2, one of the most severe bugs was a flaw that would’ve allowed the bad guys to tap into the microphone on your iPad or iPhone without you ever knowing. Needless to say, these are essential fixes — so it’s time to get your device updating.

Don’t know how to update your iOS device on the fly? Here’s what you need to do:

  1. Plug in your device — you never know how long the update will take and you don’t want to run out of battery in the middle of the update.
  2. Tap Settings.
  3. Tap General.
  4. Tap Software Update.
  5. Tap Download and Install.

That’s it! However, there’s an even easier way — you can also enable automatic updates in your settings, too.

macOS got an update this week, too, with 35 holes plugged. Update your Mac! It’s quite similar to updating your phone:

  1. Go to the Apple menu.
  2. Choose System Preferences.
  3. Choose Software Update.
  4. Click Update Now — and you’re all done!

Do you have an Apple TV? Apple TVs running tvOS also got updated, bumping up to version 12.2 and plugging 27 security holes.

  1. On Apple TV, go to Settings.
  2. Go to System.
  3. Find “Software Updates.”
  4. Click “Update Software.”

Again, you can also enable automatic updates — and that may be best for your Apple TV since it’s easy to forget about this one!

watchOS 5.2 fixes 24 security issues too:

  1. Place your Apple Watch on the charger.
  2. Open your Watch app on your iPhone.
  3. Tap “My Watch.”
  4. Tap “General.”
  5. Tap “Software Update” and you’re done!

Apple released a few other updates this week, including 12 issues for iCloud for Windows and 11 more flaws fixed in iTunes for Windows, with the latest version now being 12.9.4. If you happen to use those products, don’t forget to download your updates there, too. 

On that final note for today, we’ll draw our discussion to a close. As we keep our eyes on the potential changes to COPPA and you wait for your new updates to install, why not look back into The Checklist Archives for other interesting stories you might have missed in recent weeks? We make it fast and easy to access complete show notes, helpful links, and of course, the complete recordings of all our conversations (also available on your favorite streaming service). And why not share your favorite episodes with friends and family while you’re at it, too?

Get the latest security news and deals