Daily Shaarli

All links of one day in a single page.

November 22, 2017

Google collects Android users' locations even when location services are disabled — Quartz

Android phones are tracking your location even if you actively turn off location services, haven't used any apps, and haven't even inserted a carrier SIM card.

Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob [PDF]

Facebook let advertisers buy ads targeting 'Jew haters'

The social network allowed advertisers to buy ads specifically targeting "Jew haters" and people who were "interested in" other anti-Semitic topics, according to a new report from ProPublica.

The publication found that Facebook's advertising portal contained a number of anti-Semitic categories ad-buyers could use to help target their ads on Facebook. These categories, which have since been removed, included "Jew haters," "How to burn Jews," "History of 'why jews ruin the world,'" and "Hitler did nothing wrong."

These repugnant "categories" were apparently created automatically because a small number of Facebook users listed them on their profiles under "interests" or "fields of study." Facebook's advertising tools automatically generate ad categories based on these fields.

Signal >> Signal Android APK

Advanced users with special needs can download the Signal APK directly. Most users should not do this under normal circumstances.

Uber Paid Hackers to Delete Stolen Data on 57 Million People - Bloomberg

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

Creeps can cheaply track your location in real time with online ads

In a recently published paper, researchers at the University of Washington demonstrate that practically anyone can spend a little cash and track, in relatively real time, the location of a human target. That's digital surveillance, made available to any and all with money on hand, brought to the masses by your friendly neighborhood Silicon Valley disrupters.

The idea is straightforward: Associate a series of ads with a specific individual as well as predetermined GPS coordinates. When those ads are served to a smartphone app, you know where that individual has been.

"The first step to enable location tracking using ads is to obtain the target’s MAID [Mobile Advertising ID] by sniffing their network traffic (see below), which allows us to specify ads to only be served to the target device," explain the study authors. "Then we create a series of ads, each targeted at that MAID, but each also targeted at a different GPS location. This creates a geographical grid-like pattern of ads. Then we can observe which of these ads gets served, and this indicates where the target actually was."

ADINT: Using Targeted Advertising for Personal Surveillance

Targeted advertising is at the heart of the largest technology companies today, and is becoming increasingly precise. Simultaneously, users generate more and more personal data that is shared with advertisers as more and more of daily life becomes intertwined with networked technology. There are many studies about how users are tracked and what kinds of data are gathered. The sheer scale and precision of individual data that is collected can be concerning. However, in the broader public debate about these practices this concern is often tempered by the understanding that all this potentially sensitive data is only accessed by large corporations; these corporations are profit-motivated and could be held to account for misusing the personal data they have collected. In this work we examine the capability of a different actor -- an individual with a modest budget -- to access the data collected by the advertising ecosystem. Specifically, we find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads.

How to Use Signal Without Giving Out Your Phone Number

Using Signal Without Giving Your Phone Number – Martin Shelton – Medium

redditor_1234 comments on Isn't Signal supposed to work without Google Play Services?

When MicroG stopped working for you, Signal complained because it thought that you were still a GCM user. You can reset that by following these steps to re-register:

1. Tap on the Menu.
2. Choose Settings.
3. Choose Advanced.
4. Tap 'Signal' to slide the indicator (from blue to off).
5. Choose 'OK' in the 'Disable Signal Messages' pop up.
6. Tap 'Signal' a second time to re-register.
7. Enter or Edit your phone number.
8. Tap Register.
9. Complete the registration process.
10. Send messages on Signal.

If your device does not include Google Play Services (or microG or OpenGApps) when you re-register, the app will fall back to using WebSockets to keep a connection open to the Signal server. New information that's queued on the Signal server (such as encrypted messages or tokens that are used to set up calls) will automatically be pushed to your phone as soon as it arrives on the server. The app just needs to check at an interval to make sure that the connection hasn't died.

If you're using an Android phone that includes Google Play Services (or microG or OpenGApps), your phone will have an open GCM connection. Signal will automatically detect this when you register (or re-register) and use that existing connection in order to preserve battery life. It's worth noting here that any information that's pushed through GCM will be visible to Google. That's why Signal is designed so that no information is ever transmitted through GCM. If there's new information queued on the Signal server and your app isn't connected to the service, an empty notification is pushed to your device through GCM. The notification wakes up the app, it automatically recognizes the empty notification as meaning that it needs to connect to the Signal server, and then it fetches the queued information through a separate encrypted channel. This way, Google does not have access to metadata about who Signal users communicate with. (Other apps that use GCM may or may not have implemented this workaround.)

Moxie Marlinspike has said that both the Play Store build and the website build are reproducible, so I assume that means they are both compiled from the same branch on GitHub. In other words, it should be one and the same APK whichever way you choose to install it. Here's a blog post explaining how you can verify that.