In this edition of AdGuard's digest: Google blocks a parent over his child's medical photo, DuckDuckGo opens up its secure email service, Telegram puzzles users with a poll, Google bans VPN apps that block ads, and the world's most popular password manager gets hit by a hack.

Google deletes man's account for 'child sex abuse' that never happened

Google has reported a man to the police for sending a photo of his son's genitals to a doctor, and refused to reinstate the father's account even after a police investigation cleared him, the New York Times reported.

A father from San Francisco, California, shared the photos that Google's AI algorithm found suspicious at the request of a pediatrician amid the Covid-19 pandemic, when in-person doctor visits were restricted. AI flagged the pictures that showed the boy's penis as CSAM (Child Sexual Abuse Material). Per standard procedure, the images were then checked by a human content moderator and forwarded to the police. And while police, upon combing through the man's entire Google account (his internet searches, his location history, his messages, documents, photos and videos), found that no crime had occurred, Google stood by its decision to lock the dad out of his account. Multiple appeals that the father had filed to Google were in vain.

As a result, the man lost access not only to his email, but also to his phone (he used Google's telecommunications service).

The story yet again shows Google's overreaching powers when it comes to surveillance. The scanning of images has been touted as necessary evil to protect children, and human moderators are supposed to weed out false positives. However, as we can see, the system is not working smoothly. In fact, if you fall out of favor with Google, there is little hope left, since suing the tech giant might be a very long shot.

"We're open!" DuckDuckGo says anyone can join its tracker-removing email service

From now on everyone can sign up to DuckDuckGo's privacy-focused email protection service. It forwards messages to a @duck.com address, strips them of trackers and sends the mail back to your regular address, clean and shiny. As an added bonus, users can see what trackers DDG has removed from their mail (if any). The service was originally available through a waitlist, and has now entered the open beta phase.

One can also set up an unlimited number of 'throwaway' addresses with the service — messages from these addresses will also be scanned for trackers and forwarded to your usual email. On top of that, DDG will be upgrading insecure HTTP links to HTTPS to protect users from phishing. It is also possible to use a DDG mail account to reply to the messages directly.

Trackers can spy on your incoming and outgoing mail, trace your location and bombard you with ads, so we welcome any solution that would help get rid of them. There seem to be a lot of pros to this privacy-first service, and we just cannot see any cons. So our advice is: go and try it.

Share shall I not? Telegram asks Germans what data it should share with police

"Your fate is in your hands," Telegram seemingly told Germans, asking them to weigh in on whether it should share user data with law enforcement and if so, then under what circumstances.

A recent Telegram survey asked Germans to choose one of the three privacy options. The first one would have affirmed the current state of things and allowed Telegram to continue turning over IP addresses and phone numbers of terrorist suspects to police, but only with a court order. The second option, which Telegram described as “totally new,” would have allowed Telegram to turn over IP addresses and phone numbers of suspects in “serious crimes,” regardless of whether there was a court order. Under the third option, Telegram would not be able to hand over any data to law enforcement under any circumstances — that option would have brought Telegram closer to privacy-focused Signal messenger.

According to preliminary results reported by German media, the majority of participants (39%) voted in favor of maintaining the status quo — for Telegram to be able to hand over data of terrorist suspects only and only if there is a court order. 37% choose the strictest non-sharing option, while 20% endorsed sharing suspects' data without a court order. Over 2.2 million Telegram users with German phone numbers took part in the poll.

Telegram has long prided itself on being a privacy-oriented messenger. And although the chats in Telegram are not end-to-end encrypted by default (users need to turn on the secret chat mode for that), the messenger has claimed to have never shared private communication or contacts with any third parties. While it's unclear whether or not Telegram introduces any policy changes after the poll, it seems to be testing the waters. For our part, we hope that Telegram will not go down a slippery slope of less privacy and more data-sharing.

US government sues firm selling precise geolocation data

The US government agency has accused data broker Kochava of failing to protect users' privacy when selling fine-grain location data collected from "hundreds of millions of mobile devices." The data is sold to third parties, potentially allowing them to identify users, including those seeking abortions or drug addiction treatment.

According to the Federal Trade Commission, Kochava made tracking easy for its clients and, in some cases, even free of charge. On its website, the company offered a large free sample of data gathered in the seven days prior to the subscription request. That sample enabled the FTC to identify a mobile device that visited an abortion clinic and pinpoit the user's likely home address. The lawsuit demands that Kochava stops selling "sensitive" geolocation data and delete the one it has already collected. The data broker, for its part, has said it is in compliance with relevant privacy laws.

There is currently no federal privacy law in the US, though several states have passed their own — this is one side of the problem. The other, however, is the data-selling business itself. Whether the data being harvested and sold is "sensitive" or not sensitive enough from the government's perspective is secondary. The issue is that this data is often collected without the user's knowledge, sold to whoever is willing to buy it, and can be used for a variety of purposes, including targeted advertising. Ironically, the US government itself has been known for buying phone location data in bulk from data brokers.

Ads shall not pass! Google revs up crackdown on ads-interfering VPN apps

Google has confirmed that VPN apps, whose core functionality is to provide virtual private network services, could not be used to "manipulate ads that can impact apps monetization." The ban on ad-interference is included in Google Play Store's updated policy for developers. The policy is set to come into effect on November 1.

The update, however, is not expected to create much of a nuisance for existing applications. DuckDuckGo, which uses Android's VPN functionality to filter network traffic and block trackers in its privacy-focused mobile browser, told The Register that it did not expect to be affected by the new policy.

In fact, Google's updated policy hardly brings anything new to the table. Google already bans ad-blocking apps from its Play Store, though it does allow in-browser ad blockers and browser plug-ins that add ad blocking. If anything, the updated policy would once again affirm the obvious: Google takes advantage of its dominant position on the market to restrict ad-blocking tools.

Password manager with 33 million users suffers a hack

LastPass, the world's most popular password manager, has been targeted in an attack. The company said that threat actors accessed "portions of the LastPass development environment" through a compromised developer account. In a blog post, LastPass claimed that while the malefactors stole chunks of source code and proprietary technical information, they did not lay hands on customers' master passwords. A user's passwords are stored in an encrypted vault, and as you need a combination to open a physical vault, you need a master password to access your password manager.

The company stressed that LastPass "can never know or gain access" to customers' master passwords due to their "zero knowledge" model.

LastPass creates and saves auto-generated passwords for accounts on users' behalf — sparing them the trouble of remembering passwords and manually logging into sites. In general, using a password manager is a great way to keep your passwords secure and easily accessible at the same time.