Computer Security: an update on your privacy – or lack of it
While we have reported on our privacy concerns when using smartphones or cloud services in past issues of the Bulletin (e.g. “Enter the Cloud, pay with your password”, “… and thank you for your mobile data!”, and “Prison or 'Prism'? Your data in custody”), recent news has once again given us a reason to rant: even after the Snowden revelations, things are not getting better!
Let me start with Microsoft and its initiative to bring the “Outlook” mail client onto Android and iOS smartphones. This app can act as an email inbox for Exchange, Outlook, iCloud, Google and Yahoo mail accounts, just like, for example, the iOS mail client. However, instead of aggregating and storing all emails locally on the smartphone, the user’s email and/or calendar data is aggregated on servers operated by Microsoft. For this, the credentials (i.e. passwords) for the corresponding Exchange/iCloud/Gmail/etc. accounts are uploaded to the same Microsoft servers that subsequently fetch all relevant data, emails and calendar entries. Thus, if you use this app to read your CERN emails, your CERN password will already have been transferred to Microsoft. The European Parliament considered this dangerous enough to warrant banning this app from all its devices and forced all its users at that time to change their passwords. Time for you to reconsider using that Outlook app and to change your CERN password…
In this respect, Microsoft is significantly different from Apple’s iCloud or Gmail if you synchronise your CERN mailbox with them. Apple iCloud holds an encrypted copy of your CERN password through your iOS back-up, but not a clear text one. Gmail doesn’t hold it at all if you just forward the emails sent to your CERN email address to it (but if you are CERN staff, please refrain from doing this as it has implications for CERN’s privileges and immunities as an intergovernmental organisation; see “Don’t let your mail leak”).
From a different angle, however, Apple has also failed to provide proper privacy (if you believe that this even exists): the Apple mail client provides the capability to block the tracking of emails explicitly, i.e. prevent senders from learning when you’ve read or looked at their emails. Technically, such tracking is done via a unique token (e.g. an image embedded in your email) being downloaded from the sender’s side. Once you look at that email, this download is sufficient to indicate to the sender that you’ve seen it. But you’re not the only one who could be looking at it: the Apple Spotlight search indexes your emails, and, thus, needs to “look” at them, too. This is were Apple failed: Spotlight triggers the download even if it should be blocked, so the sender at least knows that you’ve properly received the email...
In short, watch out: protect your privacy and your CERN password. Some apps and programs might gather more information than you expect. Also, keep your emails with the CERN email service and do not forward them to a third-party email provider.
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team