Security

Hacker Dumps Thousands of Sensitive Mexican Embassy Documents Online (techcrunch.com) 35

An anonymous reader quotes a report from TechCrunch: A hacker stole thousands of documents from Mexico's embassy in Guatemala and posted them online. The hacker, who goes by the online handle @0x55Taylor, tweeted a link to the data earlier this week. The data is no longer available for download after the cloud host pulled the data offline, but the hacker shared the document dump with TechCrunch to verify its contents. The hacker told TechCrunch in a message: "A vulnerable server in Guatemala related to the Mexican embassy was compromised and I downloaded all the documents and databases." He said he contacted Mexican officials but he was ignored.

More than 4,800 documents were stolen, most of which related to the inner workings of the Mexican embassy in the Guatemalan capital, including its consular activities, such as recognizing births and deaths, dealing with Mexican citizens who have been incarcerated or jailed and the issuing of travel documents. We found more than a thousand highly sensitive identity documents of primarily Mexican citizens and diplomats -- including scans of passports, visas, birth certificates and more -- but also some Guatemalan citizens. Several documents contained scans of the front and back of payment cards. The stolen data also included dozens of letters granting diplomatic rights, privileges and immunities to embassy staff.

Bitcoin

West Virginia Will Allow 'Blockchain Voting' In the 2020 Election (technologyreview.com) 89

Military voters stationed overseas will be able to cast their votes for the 2020 presidential election via a mobile app that uses a private blockchain. MIT Technology Review reports: Donald Kersey, West Virginia's elections director, tells the crypto news website LongHash that he believes the app, created by a startup called Voatz, can enhance participation by overseas voters. Turnout among this group is very low, in part because the process of receiving a ballot and securely returning it on time is often not straightforward. This is the rationale behind the decision by a number of states to allow overseas military voters to return their ballots via e-mail. West Virginia apparently is of the mind that Voatz's private blockchain will make this kind of online voting more secure. The state first piloted the program during the 2018 midterms.

Though Kersey admits there's no telling for certain whether the app can be compromised, West Virginia is undeterred, especially given the "really good response rate" officials saw during the midterms last year. "We are not saying mobile voting is the best solution to the problem, we are not saying that blockchain technology is the best solution to storage of security data," Kersey tells LongHash. "What we are saying though is that it's better than what we have."

Privacy

Should Vendors Start Adding Physical On/Off Switches To Devices That Can Spy On Us? (larrysanger.org) 231

Larry Sanger, American internet project developer and co-founder of Wikipedia, argues in a blog post that vendors must start adding physical on/off switches to webcams, smartphone cameras/mics, and other devices that can spy on us. He writes: Have you ever noticed that your webcam doesn't have an "off" switch? I looked on Amazon, and I couldn't find any webcams for sale that had a simple on/off switch. When I thought I had found one, it turned out just to have a light that turns on when the camera is in use, and off when not -- not a physical switch you can press or slide. The "clever" solution is supposed to be webcam covers (something Mark Zuckerberg had a hand in popularizing); you can even get a webcam (or a laptop) with such a cover built in. How convenient! I've used tape, which works fine. But a cover doesn't cover up the microphone, which could be turned on without your knowledge.
[...]
It's almost as if the vendors of common, must-have devices want to make it possible to spy on us. An enterprising journalist should ask why they don't make such switches. They certainly have deliberately made it hard for us to stop being spied upon -- even though we're their customers. Think about that. We're their bread and butter, and we're increasingly and rightly concerned about our security. Yet they keep selling us these insecure devices. That's just weird, isn't it? What the hell is going on? [...] If your webcam, or your phone, or any other device with an Internet-connected camera or microphone (think about how many you own) has ever been hacked, these [hardware vendors like Logitech and Apple and large software vendors like Skype and Snapchat] are partly to blame if it was always-on by design. They have a duty to worry about how their products make their users less secure. They haven't been doing this duty.
Sanger goes on to urge consumers to care more about their privacy and security, and to demand that vendors give them an off switch. "I think we consumers should demand that webcams, smart phones, smart speakers, and laptop cameras and microphones -- and any other devices with cameras and microphones that are connected to the Internet -- be built with hardware 'off' switches that make it impossible for the camera and microphone to be operated," writes Sanger.

Do you agree?

Privacy

NYC Subway Denies Using 'Real-Time Face Recognition Screens' in Times Square (theverge.com) 41

The New York Metropolitan Transportation Authority has denied suggestions that it's putting facial recognition cameras in the subway, saying that a trick designed to scare fare-dodgers was misinterpreted. From a report: "There is no capability to recognize or identify individuals and absolutely no plan" to do so with NYC subway cameras, says MTA spokesperson Maxwell Young. Young was responding to a photo taken in the Times Square subway station by New York Times analyst Alice Fung, which shows a prominently placed monitor with the words "RECORDING IN PROGRESS" and "Please Pay Your Fare" superimposed on a video feed. "Hey @MTA, who are you sharing the recordings with?" Fung asked. The monitor featured the name Wisenet, a security company that prominently advertises facial recognition capabilities, and the video feed traced squares around subjects' faces.

[...] Young says that the recordings aren't being monitored to identify individuals in the footage, though. "There is absolutely no facial recognition component to these cameras, no facial recognition software, or anything else that could be used to automatically identify people in any way, and we have no plans to add facial recognition software to these cameras in the future," he tells The Verge. "These cameras are purely for the purpose of deterring fare evasion -- if you see yourself on a monitor, you're less likely to evade the fare."

Businesses

FTC May Hold Zuckerberg Personally Responsible For Facebook Privacy Failures (arstechnica.com) 94

An anonymous reader quotes a report from Ars Technica: Federal Trade Commission officials are discussing whether to hold Facebook CEO Mark Zuckerberg personally accountable for Facebook's privacy failures, according to reports by The Washington Post and NBC News. Facebook has been trying to protect Zuckerberg from that possibility in negotiations with the FTC, the Post wrote. Federal regulators investigating Facebook are "exploring his past statements on privacy and weighing whether to seek new, heightened oversight of his leadership," the Post reported, citing anonymous sources who are familiar with the FTC discussions. "The discussions about how to hold Zuckerberg accountable for Facebook's data lapses have come in the context of wide-ranging talks between the Federal Trade Commission and Facebook that could settle the government's more than year-old probe," the Post wrote.

According to NBC, FTC officials are "discussing whether and how to hold Facebook Chief Executive Mark Zuckerberg personally accountable for the company's history of mismanaging users' private data." However, NBC said its sources "wouldn't elaborate on what measures are specifically under consideration." According to the Post, one idea raised during the probe "could require [Zuckerberg] or other executives to certify the company's privacy practices periodically to the board of directors." But it's not clear how likely the FTC is to target Zuckerberg in a final settlement, and "Facebook has fought fiercely to shield Zuckerberg as part of the negotiations, one of the sources familiar with the probe said," the Post wrote.

Privacy

Utah Bans Police From Searching Digital Data Without a Warrant (forbes.com) 55

An anonymous reader quotes a report from Forbes: In a major win for digital privacy, Utah became the first state in the nation to ban warrantless searches of electronic data. Under the Electronic Information or Data Privacy Act (HB 57), state law enforcement can only access someone's transmitted or stored digital data (including writing, images, and audio) if a court issues a search warrant based on probable cause. Simply put, the act ensures that search engines, email providers, social media, cloud storage, and any other third-party "electronic communications service" or "remote computing service" are fully protected under the Fourth Amendment (and its equivalent in the Utah Constitution).

HB 57 also contains provisions that promote government transparency and accountability. In most cases, once agencies execute a warrant, they must then notify owners within 14 days that their data has been searched. Even more critically, HB 57 will prevent the government from using illegally obtained digital data as evidence in court. In a concession to law enforcement, the act will let police obtain location-tracking information or subscriber data without a warrant if there's an "imminent risk" of death, serious physical injury, sexual abuse, livestreamed sexual exploitation, kidnapping, or human trafficking. Backed by the ACLU of Utah and the Libertas Institute, the act went through five different substitute versions before it was finally approved -- without a single vote against it -- last month. HB 57 is slated to take effect in mid-May.

Privacy

Millions of Rehab Records Exposed on Unsecured Database (cnet.com) 26

Records for potentially tens of thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday. From a report: The 4.91 million documents included patients' names, as well as details of the treatments they received, according to Justin Paine, the researcher. Each patient had multiple records in the database, and Paine estimates that the records may cover about 145,000 patients. Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.

"Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible," Paine said in a blog post that he shared with CNET ahead of publication. Paine hunts for unsecured databases in his free time. His day job is head of trust and safety at web security company Cloudflare. The find is the latest example of a widespread problem: Any organization can easily store customer data on cloud-based services now, but few have the expertise to set them up securely. As a result, countless unsecured databases sit online and can be found by anyone with a few search skills. Many of those databases are full of sensitive personal data.
