Facebook Begins Rollout of Data Use Checkup to Facebook Platform Developers

In an effort to further protect user privacy, and given past failures in this area, Facebook has recently simplified the company’s platform terms and developer policies in hopes that this will improve adherence to guidelines. To support these goals Facebook has announced the rollout of Data Use Checkup, an annual process for developers that validates data usage.

This new process, which is supported by a self-service tool, was first announced in April 2020 and will require developers to check each application they manage for adherence to company standards. Developers will have 60 days to comply before losing access to APIs.

The rollout of this program will be gradual, and developers will be notified over the next several months. The announcement of the rollout notes that developers will be notified “via a developer alert, an email to the registered contact, and in your Task List within the App Dashboard.” To simplify the process for developers that manage multiple apps, Facebook is allowing batch processing via an interface that facilitates this action, although developers will still be required to check each app's permissions.

Developers can check the App Dashboard to verify if they are able to enroll in the program at this time. 

Author: KevinSundstrom

IEEE Spectrum

CES 2020 News: Tech Executives Answer Tough Questions About Privacy

A panel of tech executives discussed privacy, encryption, and digital advertising this week at CES 2020. Apple’s senior director of global privacy Jane Horvath came out in strong favor of privacy protection, and Commissioner Rebecca Slaughter of the U.S. Federal Trade Commission came out even stronger. Facebook’s vice president of public policy Erin Egan maintained that Facebook does just fine in protecting consumer privacy, while Wing Venture Capital partner Rajeev Chand served as moderator and posed timely questions to the group.

(Procter & Gamble’s global privacy officer Susan Shook occasionally got a word in, but the spotlight focused on companies that provide technology far more than those that use it.)


ProgrammableWeb’s Most Clicked, Shared and Talked About APIs of 2019: Security and Privacy

This Security and Privacy section of ProgrammableWeb‘s Most Clicked, Shared and Talked About APIs of 2019 features APIs in those two categories plus Authentication, Compliance, Validation, Safety, Recognition, Identity, Cameras, Emergency, and Verification.

API news in these sectors this past year included many topics such as securing APIs, data privacy, data security, utilizing blockchain for security, election hacking and election meddling, ad fraud, bug bounty programs, secure messaging, identity services and biometrics, securing live video, recognition tools for stopping abusive content, IoT security, online safety for kids, plus the usual round-up of vulnerabilities, data leaks, breaches, and attacks.

With all that in mind, we present the full list of the Most Clicked, Shared and Talked About APIs of 2019 in Security and Privacy that piqued the interest of our readers, followers, and editors.

Microsoft's Windows Defender platform arms enterprise networks with prevention, detection, investigation, and response to advanced threats. The Windows Defender Advanced Threat Protection (ATP) API offers a suite of tools built for security operations teams. The API exposes data and actions that enable users to automate workflows based on Windows Defender ATP capabilities. Methods are available for advanced hunting, alerts, machines, and more.

Joinesty is a security platform used to protect sensitive data in organizations. This platform supports legacy and current data, simultaneous attack protection, threat analytics, diagnostics, reporting, and hive threat intelligence. The Joinesty API provides access so that approved third-party applications can interface via C#, NodeJS, and Java SDKs.

Shadowserver is a non-profit watchdog group of security professionals that gathers, tracks, and reports on malware, botnet activity, and e-fraud. The Shadowserver API provides a lookup mechanism to test an executable file against a list of known software applications. The details are serialized in JSON for integration with your application.

Unique Secure provides electronic point of sale (POS) digital systems with smart connectors, custom LEDs, and custom graphics. The Unique Secure platform offers several variants of their modular POS devices. This technology protects against theft and tampering. The Unique Secure API and hardware require indirect access through SDKs.

CrimeoMeter provides crime data and crime maps for more than 50 cities. The CrimeoMeter Crime Data API returns data including incident code, date, description, source, type, location, and more. The API also returns JSON data with safety quality indexes (SQI), statistics, and safety recommendations for a specific location. provides private sharing technology to enable individuals to own and control their data. The Consent Access API and SDKs allow an application or website to request access to personal data from individuals, and to share data back to an individual. The API enables access to a secure sync engine, allowing users to connect, retrieve a copy of data, normalize data from various service providers, store it in a library using a cloud storage service of their choice, and more.

Tanker provides privacy and data protection services for application builders. The Tanker API and SDKs add in-app encryption capabilities without affecting user experience or performance. The API enables Tanker to take care of key and identity management, and all user actions are encrypted. Tanker does not store data; all users and groups use their own keys, which are associated with their cryptographic identities. SDKs are available for easy front-end integration.

The SafetyLocker EDI Tokenizer API is a REST service designed to be used in EAI platforms to address privacy concerns over personal ID information that is transferred through electronic messages. The SafetyLocker EDI Tokenizer API allows users to tokenize electronic documents or a single given element, and gives clients access to audit logs and tokens.

The Ipregistry API allows users to get geolocation information as well as threat data for a given IP address. Threat data indicates whether the address is a Tor node, a public proxy, or a known source of malicious activity. Ipregistry is used for content personalization, geotargeting, geofencing, ad targeting, digital rights management, form auto-completion, and more.

Ipregistry provides location data and identifies potential threats. Image: ipregistry

KYC3 provides data services for compliance, risk management, business development, and legal professionals. The KYC3 Customer Identity and Risk Screening API can verify users with video and photo identification, ID document processing, facial and speech recognition, politically exposed person (PEP), media, and country risk screening and scoring.

The SSN / EIN Formatter and Validator API validates and formats Social Security Numbers and Employer Identification Numbers (SSN/EIN). Usage is free with attribution.

Code42 prevents data loss, protects data during layoffs and mergers & acquisitions, and counters insider threats. The Code42 API returns reports and enables users to perform actions and integrate with other systems to protect the trade secrets of software companies.

Happi.Dev provides various APIs for developers and accepts PayPal or Bitcoin for payments. The Happi Password Generator API is a strong password generator that helps users create strong and secure passwords.

IPQualityScore (IPQS) offers anti-fraud solutions including email verification, device fingerprinting, and proxy detection. The IPQualityScore Email Validation API validates email reputation, risk analysis, and mailbox validity. IPQS maintains detailed reports of fraudulent behavior online. It can check every email address from transactions, orders, users, lead-gen forms, and so on with a single API call to flag low-quality or invalid addresses.

Angelcam is a cloud-based service that allows users to access their security cameras remotely and share camera views with selected people. The Angelcam API allows developers to connect with and manage their cameras, sensors, and smart security devices programmatically using RESTful calls.

Snyk is a service that helps developers automatically find and fix open source vulnerabilities. The Snyk API provides security to developers targeting open-source platforms. With the API, developers can test packages for issues, evaluate deployed code, and report a snapshot of the dependency versions in use.


Snyk provides container security, application security, and license compliance services. Screenshot: Snyk

XposedOrNot provides over 850 million passwords collected from real-time data breaches. Passwords can be searched anonymously through the k-anonymity model. Developers can use the XposedOrNot API to stop their websites or applications from accepting weak or previously exposed passwords at authentication.
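The k-anonymity lookup mentioned above works by never sending the password, or even its full hash, to the breach service: the client hashes the password, sends only a short hash prefix, receives every stored hash suffix sharing that prefix, and finishes the comparison locally. The following is an added example, not XposedOrNot's own code or its actual protocol parameters; the hash algorithm (SHA-1), the 5-character prefix length, the `BreachIndex` server stand-in and the tiny breach corpus are all constructed assumptions for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Assumed parameters for this example (not XposedOrNot's real ones).
PREFIX_LEN = 5
HEX_PREFIX = re.compile(r"^[0-9A-F]{%d}$" % PREFIX_LEN)

# Constructed sample breach corpus: password -> number of times seen.
# Hypothetical data for the demo; not taken from any real breach.
SAMPLE_BREACHED = {
    "password": 3,
    "letmein": 1,
    "qwerty123": 2,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the client computes this locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Stand-in for the server side of a k-anonymity range query.

    It stores hashes bucketed by prefix and answers only with the suffixes
    in one bucket, so it never learns which suffix the caller was after.
    """

    def __init__(self, counts: dict):
        self._by_prefix = defaultdict(dict)
        for pw, seen in counts.items():
            digest = sha1_hex(pw)
            self._by_prefix[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = seen

    def range_query(self, prefix: str) -> dict:
        """Return {suffix: count} for every stored hash sharing `prefix`.

        Rejects anything that is not exactly PREFIX_LEN uppercase hex chars,
        the only input a well-behaved client should ever send.
        """
        if not HEX_PREFIX.match(prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        # Copy so callers cannot mutate the index through the response.
        return dict(self._by_prefix.get(prefix, {}))


def breach_count(password: str, index: BreachIndex) -> int:
    """Client side: how many times the password appears in the corpus.

    Only `prefix` leaves the client; the suffix match happens here.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = index.range_query(prefix)
    return bucket.get(suffix, 0)


def password_acceptable(password: str, index: BreachIndex) -> bool:
    """Policy hook for a registration or password-change form."""
    return breach_count(password, index) == 0


INDEX = BreachIndex(SAMPLE_BREACHED)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "exposed" if not password_acceptable(candidate, INDEX) else "ok")
```

The server-side validation in `range_query` matters in practice: a lookup service that accepted arbitrary-length prefixes would let a caller narrow the bucket down to a single hash, defeating the anonymity the protocol is meant to provide. With a real corpus of hundreds of millions of entries, a 5-character hex prefix maps to hundreds of suffixes per bucket, which is what makes the response uninformative about the specific password being checked.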

TypingDNA provides typing biometrics services. The TypingDNA API matches typing patterns in order to authenticate a user. Typing behavior is captured using JavaScript, and pattern matching results are returned in JSON format, letting the developer know whether or not the typing patterns belong to the same user. This API can be used for secure login, enforcing password resets, and online biometric authentication.

The Google Cloud Private Catalog API is a RESTful service that enables IT administrators to control and make enterprise applications discoverable. The API provides a way to create, share, and manage private catalogs, control distribution, and ensure internal compliance. Retrieve data about folders, catalogs, organizations, products, projects, versions, and more with the API. The Google Cloud Private Catalog Producer API is also available to return data about catalogs, associations, products, operations, and more.

Rapid7 InsightVM is a vulnerability management platform. The Rapid7 InsightVM API allows programmatic communication with local InsightVM instances. The API provides access to users, reports, vulnerabilities, policies, remediation, and asset lists so that security application developers can integrate the capabilities of Rapid7 InsightVM into their own applications and scripts.

DarkOwl’s DARKINT Suite is a database of darknet, dark web, deep web, and high-risk surface net content and data. The DarkOwl DARKINT Vision API queries DarkOwl Vision’s collection of DARKINT™ data with Booleans, filters, and fields and calculates DARKINT scores based on the quantity, quality, and freshness of exposed darknet data.


DARKINT API provides scores for how exposed a company is on the dark web. Screenshot: DarkOwl

PayPal offers eCommerce and online payment solutions for millions of customers globally. The PayPal Identity API allows users to sign into a website using PayPal login credentials. This service enables PayPal credential login or linking a PayPal account to your website or app to share basic information.

Ping Identity provides intelligent identity and security services. PingOne for Customers is a cloud-based service for secure identity access management. The PingOne for Customers Management API allows users to manage authorization, authentication, permissions, and application sign-on policies. Get data about active identities, and manage image resources, applications, environments, branding, configurations, audit reporting, and more with the API.

BioID Web Services (BWS) is a webcam-based biometrics service for cloud, web, and mobile application developers. The BioID SOAP API enables applications for liveness detection, ticketless check-in, and fraud prevention with face, eye, or voice recognition, and similarity search. The technology features advanced anti-spoofing mechanisms and anonymous binary data processing.


BioID API compares 2 live facial images against a photo ID, and ensures the live images are from a live person. Image: BioID

Hybrid Analysis is a free malware analysis service, powered by CrowdStrike, that detects unknown threats. The Hybrid Analysis Falcon API supports URL and file submission, report retrieval, and search queries about malware, with results in JSON and XML formats.

The Complete Criminal Checks Offender API provides criminal check data. It covers all USA states plus Puerto Rico for convicted sex offender crimes. The API offers both name lookups and mappable addresses complete with latitude and longitude coordinates. Users can make 25 calls per day free, with upgrades available.

The CatchBot Antibot API protects a website against bots and automated form submissions. Developers add a small amount of JavaScript and HTML to a page, and through an API call, CatchBot verifies a visitor. This API is an easy alternative to Google reCAPTCHA.

Duo Security provides trusted access services. The Duo Auth API adds two-factor authentication (2FA) to websites, applications, and SaaS. With the API, developers receive pre-authentication, authentication, and authentication status. Duo is now a part of Cisco.

Splunk provides various IT services including Security Information and Event Management (SIEM), AIOps, machine learning, and compliance. The Splunk Enterprise Security API offers REST endpoints to interact with Splunk Enterprise Security programmatically or from a web search. It provides methods for accessing threat intelligence, notable events, and analytics.

Applied Recognition enables facial recognition in applications for companies looking to upgrade to biometrics support. Applied Recognition Ver-ID supports low-friction face registration, authentication, and face-based document signatures. The Applied Recognition API provides indirect access to several SDKs for easy integration.

The Let’s Encrypt API allows developers to use the ACME protocol to request certificate management actions for a server. Developers need to create an account, request a certificate, and prove control of the domains in that certificate in order for it to be signed. The Let’s Encrypt API is filed under Security.

ipTwist is an IP geolocation service. With the ipTwist API, developers can build logic to identify website visitors, e-commerce customers, and countless other parties by IP address. Determining identity from an IP address helps reduce risk in web applications.

CloudSploit is a security and configuration scanner that supports the detection of threats to a user’s AWS account. Developers can use the CloudSploit API to trigger interactions between applications and the CloudSploit platform.

StrongSalt provides an encryption-as-a-platform service. The StrongSalt Open Privacy API enables built-in data protection and data privacy within applications. It aims to be for privacy what Stripe is for payments or Twilio is for communications.

Keesing Technologies provides ID verification solutions. The Keesing Biometric Onboarding API utilizes OCR and facial recognition to allow application users to verify identity via a selfie.

Author: joyc


StrongSalt Introduces Encryption as a Service API

StrongSalt, an encryption-platform-as-a-service provider, has introduced its Open Privacy API. The API makes encryption more usable, and developers can leverage the platform to bake encryption into everyday applications and workflows. The company believes it will do for encryption what Stripe has done for payments and Twilio has done for communications.

Out of the box, StrongSalt offers APIs and SDKs on top of a number of cloud storage providers (e.g., Box, AWS S3, Google Cloud, and Azure). StrongSalt will also serve as the cloud storage provider, with encryption features, for those without a current cloud storage provider. Because StrongSalt handles all of the encryption, and encryption features are integrated via API, developers don’t need the security expertise historically required for encryption development and can add it to their app like any third-party feature accessible via API.

The API is served over HTTPS. In addition to setting up users, admins, sharing permissions, promotions, and demotions, API methods allow users to encrypt text, decrypt ciphertext, list documents a user can access, remove such access, and search accessible documents. For more information, check out the API docs.

As the US begins to explore, and some states adopt, privacy legislation similar to GDPR in Europe, data privacy has become more important than ever. Developing a homegrown encryption platform is cumbersome if not impossible for most companies. StrongSalt may be the solution for easily adding encryption to ordinary app development.

Author: ecarter

IEEE Spectrum

The Fight Over Encrypted DNS: Explained

Privacy and security specialists are in the middle of a very public fight over the future of Internet encryption. In September, cable companies and other telecommunications industry groups in the United States sent a letter to Congress protesting Google’s plans to encrypt Domain Name System (DNS) traffic in the browser. Mozilla sent a letter of its own this month, asking lawmakers to reject the industry’s lobbying efforts, saying they were based on “factual inaccuracies.”

At stake is how DNS traffic—the network queries that translate people-friendly domain names into server IP addresses—should be encrypted.


Apple Puts Limits on PushKit API and Some Apps Feel the Pain

Apple has made it abundantly clear that it takes customer privacy seriously. Though the company may not always live up to its own high standards, it still often finds itself on the privacy soapbox. Now, Apple has baked a change into iOS 13 that caught several messaging apps by surprise.

Apple adjusted the capabilities of the PushKit API, which was originally created to facilitate VoIP calls. The use cases for PushKit API have evolved since its addition to iOS. The raw tools allow for data collection and, more importantly, encryption for some messaging applications.

In iOS 13, the PushKit API will no longer support data collection and encryption, and will instead be limited to VoIP calls. This is why the developers of encrypted messaging apps, including Signal, Threema, Wickr, and Wire, find the change so alarming. Without the API’s assistance, these apps will not be able to decrypt messages in the background. In other words, the apps are broken and need to find an alternative way to handle decryption.

Apple’s pursuit of privacy is actually having the reverse effect, according to Threema spokesperson Jule Weiss, who said the limitations might lead to “the opposite of the privacy goals the changes were supposed to achieve.”

The change has also worried the likes of Facebook and WhatsApp, both of which rely on encryption to safeguard user privacy in their messaging apps. 

Apple, it appears, is sympathetic to the developers’ concerns. 

“We’ve heard feedback on the API changes introduced in iOS 13 to further protect user privacy and are working closely with iOS developers to help them implement their feature requests,” said Apple in a statement sent to The Information.

Wickr VP, Tom Leavy, told MacRumors that reworking the app is a “significant engineering effort” for which the company did not plan. Other encrypted-messaging app developers are exploring other workarounds. 

Developers have until April 2020 to incorporate their changes. However, app writers who want their apps to work on iOS 13 will need to adjust to PushKit’s limitations beforehand.

Author: EricZeman


Instagram’s Weak Data Protection Causes More Privacy Problems for Facebook

Poor privacy practices have Facebook in hot water, again. This time, Facebook can thank its Instagram team for what’s sure to be a PR nightmare. Business Insider just released a scathing investigative report:

“A combination of configuration errors and lax oversight by Instagram allowed one of the social network’s vetted advertising partners to misappropriate vast amounts of public user data and create detailed records of users’ physical whereabouts, personal bios, and photos that were intended to vanish after 24 hours.”

If this sounds eerily similar to Facebook’s Cambridge Analytica scandal, it is. The partner company responsible for scraping the data is Hyp3r, a self-described “location-based marketing platform.” Hyp3r maintains a massive database, largely made up of data scraped from public Instagram posts and profiles, to offer targeted ads to consumers in certain locations. For example, if you post a selfie at the Eiffel Tower, a Hyp3r-driven ad might persuade you to check-in to a hotel in the area or visit a nearby restaurant.

The odd thing about Hyp3r’s data scraping is its unashamed public admission of its practices. Hyp3r advertises “a unique dataset of hundreds of millions of the highest value consumers in the world,” most of which comes from Instagram. Its App Store listing shows Instagram screenshots illustrating where Hyp3r scrapes location data from Instagram posts.

Neither Instagram nor Hyp3r customers seemed to care about these practices until now. Hyp3r has been a Facebook Marketing Partner (an exclusive list of fully vetted companies that have access to various Facebook and Instagram marketing APIs). Further, big-name customers like Marriott, Pepsi, Hard Rock, and others use Hyp3r and publicly support it. Fast Company, Cannes Lions, Visa, and others have all awarded the company with innovation awards, and it just raised $17 million in new funding less than a year ago.

Only now, after Business Insider brought Hyp3r’s practices to Instagram’s attention, does anyone seem to care. So what are these practices? Here are some highlights from the Business Insider report:

  • Hyp3r created a tool that could “geofence” specific locations and then harvest every public post tagged with that location on Instagram
  • If a user makes a post at one of these locations, it is, unbeknownst to them, saved to Hyp3r’s systems indefinitely
  • Hyp3r built a tool to collect Instagram stories, which are supposed to disappear in 24 hours, and the images are saved indefinitely, along with image metadata
  • The harvested Instagram data is combined with data collected elsewhere, and from previous Instagram posts to specifically target Instagram users

Do these practices violate terms of service? Instagram says “yes”. Hyp3r says “no”. Instagram is most likely right as the terms exist today. But, prior to the Cambridge Analytica scandal, Hyp3r’s practices would have been permitted. For the time being Facebook has terminated Hyp3r from its Facebook Marketing Partner program. Keep an eye out for updates as this story progresses.

Author: ecarter