The European Union is introducing some of the strictest online privacy rules in the world. The changes aim to give internet users more control.
The personal payment platform Zelle is flourishing. But so are fraudsters, who are exploiting weaknesses in the banks’ security.
The trade-off we make for free online content, social sharing and convenience is the willful relinquishing of our privacy. It’s part of the deal.
Companies often try to keep digital breaches quiet. That’s something the S.E.C. would like to end, but its guidance may not go very far in changing how companies deal with the issue.
A new generation of cameras like Google’s new Clips device can understand what they see, creating intriguing and sometimes eerie possibilities.
A big deposit from the I.R.S. unexpectedly shows up in your bank account. What should you do? First off, don’t spend it. You may be a victim of identity fraud.
Here’s what you need to know about the device.
The signature feature of the Mate 10 Pro is the processor, which has a dedicated part of its silicon specifically designed for artificial intelligence.
This allows the phone to crunch algorithms and do things like automatically recognize an object so that the camera can be adjusted to focus quickly and let in the right amount of light. Huawei also says A.I. allows the phone to maximize its performance: Periodically, it will automatically do maintenance, like clearing out old system files that might otherwise slow down the phone.
The camera is notable as well. Huawei teamed up with Leica, a popular camera maker, to develop the phone’s dual-lens setup. Like phones from Apple and Samsung, the Mate 10 Pro’s camera can create a so-called bokeh effect, where the two cameras work together to show the picture’s main subject in sharp focus while gently blurring the background.
Like other modern smartphones, the Mate 10 Pro is water and dust resistant. But it also has an extra-large battery that Huawei says will last longer than that in many other phones. That’s partly because of its A.I. processor, which examines how the battery is being used and changes resource allocation to prolong its life.
The Mate 10 Pro also ships with a screen protector applied to its display, and inside the box there is a plastic protective case. These are thoughtful additions. The case absorbs the impact of drops, and the screen protector helps prevent scratches, which weaken the structural integrity of a display.
Pros and Cons
In my tests, the two best features of the Mate 10 Pro were the camera and battery. The least impressive was the display.
But let’s start with the good stuff. In side-by-side comparisons with an iPhone X and Samsung’s Galaxy S8+, the Mate 10 Pro came in second to Apple’s offering in photo quality. All took nice photos, but the colors in the Galaxy S8+’s pictures looked oversaturated, and while the Mate 10 Pro’s photos appeared rich and clear, the shadow details looked better on the iPhone X.
As for the bokeh effect, also known as portrait mode, the Mate 10 Pro excelled at separating the subject from the background compared with the Galaxy S8+, but I still preferred the iPhone X because it did a better job at lighting up a person’s face.
There was one area where the Mate 10 Pro was the clear winner: the battery. In my tests browsing the web over a cellular connection, Huawei’s phone had roughly two hours more juice than Samsung’s Galaxy Note 8 and the iPhone X.
The display — the biggest downside of the Mate 10 Pro — had a lower resolution than the Note 8, the Galaxy S8+ and the iPhone X, meaning some graphics and text looked more pixelated. Over all, text appeared crisper and websites more vibrant on the iPhone X and Samsung Galaxy screens than they did on the Mate 10 Pro’s display.
The Mate 10 Pro is an impressive smartphone, but you probably aren’t going to buy it even if you get your hands on it. The lower-resolution display is a major negative, as is the lack of carrier support.
Huawei said that to get technical support for the Mate 10 Pro, you can call its hotline, and for repairs, you can ship your device to a center in Texas. That’s still not ideal compared with the ease of strolling into an Apple store or your carrier’s nearest location.
Privacy and trust are also important. In 2012, the House Intelligence Committee concluded that Huawei and ZTE, another Chinese telecommunications company, were a national security threat because of their attempts to extract sensitive data from American companies. And in 2016, security researchers discovered preinstalled software on some Huawei and ZTE phones that included a back door that sent all of a device’s text messages to China every 72 hours. That feature was not intended for American phones, according to the company that made the software. But American lawmakers have been wary of Huawei.
At CES, Huawei’s Mr. Yu described how the company had previously overcome trust hurdles — including at home in China, where Huawei’s smartphones were initially distrusted by Chinese carriers because the company was a newcomer.
“It was very hard,” he said. “But we won the trust of the Chinese carriers, we won the trust of the developing market and we also won the global carriers, all the European and Japanese carriers. Over the last 30 years, we’ve proven our quality.”
The physical keys are an evolution of two-factor authentication, an extra security layer to ensure that your password is being entered by you. Google was one of the first companies to start offering two-factor authentication back in 2010, not long after it learned that it had been hacked by state-sponsored Chinese hackers.
After the attack, Google’s security team came up with a motto: “Never again.” The company later rolled out two-factor authentication for Google customers’ Gmail accounts. It involved text messaging a unique code to your phone that you must type in after entering your password in order to log in.
Unfortunately, those text messages can be hijacked. Last month, security researchers at Positive Technologies, a security firm, demonstrated how they could use vulnerabilities in the cellular network to intercept text messages for a set period of time.
The idea of Google’s Advanced Protection Program is to provide people with a physical device that is much harder to steal than a text message. Google is marketing the program as a tool for a tiny set of people who are at high risk of online attacks, like victims of stalking, dissidents inside authoritarian countries or journalists who need to protect their sources.
But why should extra-tough security benefit such a small group? Everyone should be able to enjoy stronger security.
So we tested Google’s Advanced Protection Program and vetted it with security researchers to see if the program could be used by the masses. The verdict: Many people should consider signing up for the security system and buying a pair of keys. But if you are married to some non-Google apps that are not yet compatible with the keys, you should wait and see if the program matures.
Setting Up Advanced Protection
Anyone with a Google account can sign up for the security program on Google’s Advanced Protection webpage. To get started, you will have to buy two physical keys for about $20 each. Google recommends buying one from Feitian and another from Yubico.
The keys, which look like thumb drives and can fit on your key chain, contain digital signatures that prove you are you. To set one up, you plug the key into a computer USB port, tap a button and name it. (The Feitian key wirelessly communicates with your smartphone to authenticate the login.) This process takes a few minutes.
On a computer and a smartphone, you need to log in with the key only once, and Google will remember the devices for future logins. That is more convenient than traditional two-factor authentication, which requires entering a unique code each time you log in.
But there are trade-offs. Google’s Advanced Protection cuts off all third-party access by default, allowing only applications that support its security keys. For the time being, that means only Google’s Gmail mail app, Google’s Backup and Sync app, and Google’s Chrome browser.
On an iPhone, for example, you will have to use Google’s Gmail or Inbox apps for email, and on a computer, you can use only the Chrome browser when signing in with a browser. So if you rely on Apple Mail to gain access to your Gmail on an iPhone, or if you use Microsoft Outlook for getting into Gmail on a PC, you’re out of luck. Google says its goal is to eventually allow third-party apps to work with the program, but it is also up to other companies to update their apps to support the keys.
Testing the Security
Despite the drawbacks, security researchers agree that the Advanced Protection Program is a solid piece of security and relatively painless to use, even for everyday use for people outside high-security jobs.
Mr. Sabin, the former N.S.A. hacker, who is now a director of network security at GRA Quantum, a security consulting firm, said the physical keys had pros and cons. On one hand, if you lose a key, a hacker would have a hard time figuring out which account it was associated with.
On the other hand, if you lose the keys or don’t have the keys around when you need to log in to a new device, it takes longer to regain access to your account. Google has put in place more elaborate recovery steps for Advanced Protection users, including additional reviews and requests for details about why users have lost access to their account. In our test, we answered security questions to try to recover an account, and Google said it would review the recovery request and respond within a few days.
Runa Sandvik, the director of information security at The New York Times, said the keys were not much of a hassle. She said Google’s requirement of using two keys meant you essentially had a spare: If you lose one key, you can get into your account with the remaining key.
But she noted that the keys could get annoying if you used many devices and constantly needed to carry the keys around to log in to your account. That may be an issue for people who work in the technology industry, but most people probably use only one computer and one phone.
Ms. Sandvik, who has been testing Google’s program to assess whether to recommend it to the newsroom, said she had not yet discovered vulnerabilities in the security key system outside of the slim possibility that a hacker gained possession of both your password and your key.
“It’s something that is relatively easy to set up once you have both keys,” Ms. Sandvik said. “I don’t see a reason you shouldn’t turn this on.”
The Bottom Line
While the security keys are easy to set up and provide tough security, they may be disruptive to your productivity if you rely on apps that are incompatible with the keys.
It took a few minutes for us to migrate to Google’s apps from Apple’s and integrate them into our newsroom workflow, which already relies on Google’s mail, messaging and cloud storage services. But using the keys required sacrificing an important feature — Apple’s V.I.P. alerts, which notify you when people you deem important email you. Google’s iOS apps for Gmail and Inbox lack a similar feature. For people with flooded inboxes, lacking V.I.P. alerts makes sifting through emails time-consuming.
Another example of how the keys can stifle productivity: Many employers still require using the Microsoft Outlook app for email, which won’t work with the keys.
If using Google’s security program would disrupt your work, you may want to wait for more companies to update their apps to support the keys, which rely on a standard called FIDO, for Fast Identity Online. Mr. Sabin predicts that many apps will follow Google’s lead.
If you decide to wait, don’t procrastinate on turning on traditional two-factor authentication that relies on text messages. While it is hackable, it is still much safer than relying on a password alone to protect you.
The question is how long it will take security researchers to find a way to hack the physical keys as well. When asked if he had already circumvented physical multifactor authentication devices like Google’s keys, Mr. Sabin would offer only: “No comment.”
The fallout may also end up being broader. WikiLeaks, which released documents covering 2013 to 2016, has said its initial publication was just the first installment in a bigger cache of secret C.I.A. material.
So even if you aren’t worried about what WikiLeaks revealed about the C.I.A. right now for yourself, here are some tips for protecting your cellphones, televisions and internet routers.
What you can do if you’re on Android
Hundreds of millions of Android users still use devices based on older versions of the Google-made mobile operating system. The WikiLeaks document collection, which includes 7,818 web pages and 943 attachments, showed that the Android devices targeted by the hacking programs were mostly running a version of Android 4.0.
Today, about 30 percent of Android users, or at least 420 million people, are on a variant of Android 4.0, according to Google. The company said it was investigating reports of the security issues described in the WikiLeaks documents.
With the limited information we have now, the best thing people can do is to stop procrastinating on updating their software.
“The one thing that people can and should be doing is keeping their apps and phones as up-to-date as possible,” said Kurt Opsahl, deputy executive director for the Electronic Frontier Foundation, a digital rights nonprofit.
For owners of older devices, getting the latest software updates may not be easy. Many older Android handsets, like the Samsung Galaxy S3, are unable to download the latest version of the Android software. If you are in that boat, it’s a good time to purchase a new smartphone — such as the Google Pixel — which is running the latest Android software.
Other than ensuring that you have the latest operating system, Google recommends that Android users protect their devices with lock screens and PIN codes, and enable a setting called Verify Apps, which scans apps downloaded from outside of Google’s app store for malware.
What you can do on an iPhone
Many iPhone owners are far more up-to-date with their mobile software than Android device owners. So only a minority of iPhone users have devices with the versions of the Apple iOS operating system that the WikiLeaks documents mention.
Specifically, the WikiLeaks documents referred to exploits working on versions of iOS up to 8.2. About 79 percent of Apple users are running iOS 10, the latest version of the system, and only 5 percent are running a version older than iOS 9, according to Apple.
In raw numbers, with more than one billion iOS devices sold worldwide, that amounts to at least 50 million people running the outdated software.
For those worried about their iPhone security, the advice is generally the same here as for Android owners: iPhone and iPad users should make sure to be running the latest operating system, iOS 10. Apple said on Tuesday that many of the security issues described in the WikiLeaks documents had already been patched in the latest version of its software and that it was working to address remaining vulnerabilities.
Not all Apple devices can get the latest operating system. Apple’s iOS 10 is compatible with iPhones as far back as the iPhone 5 released in 2012, and with iPads as old as the iPad Air and iPad Mini 2 released in 2013. If you are using anything older than those, it’s a good time to buy a new device for the stronger security.
What you can do with your Samsung TV
With Samsung televisions, the situation is less clear. The documents mentioned programs attacking smart TVs in Samsung’s F8000 series, which include microphones for voice controls. Samsung said it was looking into the WikiLeaks reports, and noted that software updates with the latest security enhancements are automatically downloaded on its televisions. The company did not immediately comment on whether any vulnerabilities had been patched.
The documents published by WikiLeaks disclosed that a tool called Weeping Angel puts the target TV in a “fake off” mode. Then, with the owner believing the TV is turned off, the set secretly records conversations in the room and sends them over the internet to a C.I.A. server computer.
Smart TVs are part of a proliferating category of “internet of things” devices that have raised security concerns because many of the companies that make them do not have strong backgrounds in information security. In a recent column I wrote about defending a smart home from cyberattacks, experts recommended strengthening Wi-Fi settings and regularly auditing smart home devices for software updates, among other tips.
That advice might not be sufficient for addressing privacy concerns around Samsung’s smart TVs, because the Weeping Angel hack continues to control the television even when it appears to be turned off.
Craig Spiezle, executive director of the Online Trust Alliance, a nonprofit privacy group, said the WikiLeaks revelations could spur action that he sees as lacking from makers of connected devices.
“I see this as a wake-up call for the industry to build better security and for consumers of these devices to rethink what they have and, in some cases, disconnect their connectivity,” Mr. Spiezle said.
What to do with your router
The WikiLeaks documents also described methods of injecting malware into routers offered by Asian manufacturers like Huawei, ZTE and Mercury.
In general, it is wise for everyone to regularly check routers for so-called firmware updates to make sure they get the latest security enhancements.
Depending on which router you own, downloading the latest firmware update isn’t very intuitive because it usually requires logging into the router. More modern routers like Eero and Google Wifi include mobile apps that help you download the latest updates automatically, so consider one of those if you are worried.
What to do with your computer
The WikiLeaks documents mentioned attacks on Linux, Windows and Apple computers. Personal computers have always been the most vulnerable devices we own, so this tip is fairly obvious: Make sure to install the latest operating system updates and use antivirus software. And as always, stay on guard for suspicious websites that may be serving malware.
The company is playing the long game with its business. Privacy and security have become part of its brand, especially internationally, where it reaps almost two-thirds of its almost $234 billion a year in sales. And if it cooperates with one government, the thinking goes, it will have to cooperate with all of them.
“Tim Cook is leveraging his personal brand and Apple’s to stand on the side of consumer privacy in this environment,” said Mark Bartholomew, a law professor at the University at Buffalo who studies encryption and cyberlaw. “He is taking the long view.”
Mr. Cook, who has called privacy a civic duty, said as much in a letter to Apple customers on Tuesday. He described how the United States government was asking for a special tool to break into the San Bernardino attacker’s iPhone and said, “The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices.”
An Apple spokeswoman declined to comment beyond the remarks in Mr. Cook’s letter.
The business advantage Apple may get from privacy has given critics an opening to attack the company. In a court filing on Friday, the Justice Department said Apple’s opposition to helping law enforcement appeared “to be based on its concern for its business model and public brand marketing strategy.”
Apple senior executives responded that their defiance was not a business choice. They said there had not been any business fallout and that Mr. Cook had received supportive emails from customers across the country.
In fact, Apple has not made a point of advertising data security and privacy. The company has quietly built privacy features into its mobile operating system, known as iOS, over time. By late 2013, when Apple released its iOS 7 system, the company was encrypting by default all third-party data stored on customers’ phones. And iOS 8, which became available in 2014, made it basically impossible for the company’s engineers to extract any data from mobile phones and tablets.
Mr. Cook has also been vocal about how Apple is pro-privacy, a message that he discussed more widely after revelations from the former intelligence contractor Edward J. Snowden about government surveillance. Mr. Cook argued that the company sold hardware — phones, tablets and laptops — and did not depend on the mass collection of consumer data as some Silicon Valley behemoths, such as Google and Facebook, do for their advertising-oriented businesses.
At a conference in October, Mr. Cook called privacy a “key value” at Apple and said, “We think that it will become increasingly important to more and more people over time as they realize that intimate parts of their lives are sort of in the open and being used for all sorts of things.”
For Apple, cooperating with the United States government now could quickly lead to murkier situations internationally.
In China, for example, Apple — like any other foreign company selling smartphones — hands over devices for import checks by Chinese regulators. Apple also maintains server computers in China, but Apple has previously said that Beijing cannot view the data and that the keys to the servers are not stored in China. In practice and according to Chinese law, Beijing typically has access to any data stored in China.
If Apple accedes to American law enforcement demands for opening the iPhone in the San Bernardino case and Beijing asks for a similar tool, it is unlikely Apple would be able to control China’s use of it. Yet if Apple were to refuse Beijing, it would potentially face a battery of penalties.
Analysts said Chinese officials were pushing for greater control over the encryption and security of computers and phones sold in the country, though Beijing last year backed off on some proposals that would have required foreign companies to provide encryption keys for devices sold in the country after facing pressure from foreign trade groups.
“People tend to forget the global impact of this,” said Raman Jit Singh Chima, policy director at Access Now, a nonprofit that works for Internet freedoms. “The reality is the damage done when a democratic government does something like this is massive. It’s even more negative in places where there are fewer freedoms.”
Governments in Russia, Britain and Israel also have robust surveillance operations. Some governments have tried to use technology to gather intelligence on citizens at home and abroad.
Apple’s resistance to the United States government’s demand has been polarizing. Apple supporters have held protests in cities like San Francisco in recent days to show their support of the company and have used hashtags on social media like #freeapple and #beatthecase.
“We’re fighting to maintain even the assumption that companies should protect us,” said Evan Greer, the campaign director at Fight for the Future, a civil liberties group that is organizing protests nationwide on Tuesday to support Apple. “Apple is doing what every company should be doing.”
Others, including the Republican presidential candidate Donald J. Trump, have criticized Apple, and Mr. Trump has suggested boycotting its products.
Around the world, people are aware of the impasse but many say it does not affect their decision to buy iPhones and the company’s other products. In Rome on Friday, Simone Farelli, a 34-year-old history teacher who was browsing for a new iPhone at an Apple Store, said she “didn’t see why” the company’s standoff with the Federal Bureau of Investigation “would change my mind about buying a new phone.”
In China, the iPhone continues to hold a special place as a symbol of middle-class status.
Wen Shuyue, a 35-year-old consultant, who on Friday was waiting outside the Apple Store in Beijing’s upscale Sanlitun district, is one of Apple’s millions of Chinese users. He said he liked the iPhone because it was simply better than models made by Chinese companies such as Xiaomi and Huawei.
“I’ve never used Xiaomi or Huawei, because I think their designs are rough and not all that personal,” he said.
Apple’s shareholders have so far been quiet. In the past, investors who complained that some of Apple’s socially driven initiatives were superfluous to the company’s core business were quickly subdued. At a 2014 shareholders’ meeting, Mr. Cook told investors that if they wanted him to make decisions based only on the bottom line, “then you should get out of the stock.”
But data privacy may eventually motivate investors — and ultimately more customers — to vote with their wallets because “it’s an issue that speaks directly to the business,” said Michael Cusumano, a professor at the M.I.T. Sloan School of Management. “Right now people buy phones regardless of encryption issues, but we have to wait and see how bloody this fight gets.”