The IT Nerd

The newly unveiled American Privacy Rights Act (APRA) represents a significant step toward establishing a federal data privacy standard in the U.S., offering a bipartisan solution to longstanding legislative challenges.  This legislative effort underscores a unified approach to enhance online privacy protections, aiming to reconcile differences over state preemptions and legal remedies for privacy breaches.

Antonio Sanchez, principal evangelist at cybersecurity company Fortra says:

“Today, about half of the states have some sort of legislation, but it’s varied. Ideally, this legislation would be a baseline of privacy at the federal level which provides consumers with more control over their personal data.  Each state would then decide on passing something more stringent than the baseline.

This would be a great win for consumers as this would be a big step towards reducing misinformation, disinformation, and AI generated content which are used to sway the public’s mindset on a particular issue.  For big tech this would represent a big hit to their bottom line since big tech monetizes personal data by mining, using, and selling it.  The ones that use it deliver content (real and AI generated) to targeted audiences to either position a product or gain support on a social issue.

I like the idea, but we will see if this continues to move forward or if it slowly fades away and nothing happens.”

This is a piece of legislation that is long overdue. If the people on Capitol Hill are smart they would do everything possible to move this bill forward and get it passed into law. But given the tenor of politics in the US at the moment, one has to wonder if that will happen.

UPDATE: Madison Horn, Congressional Candidate (OK-5) and cybersecurity expert adds these comments regarding the American Privacy Rights Act:

The American Privacy Rights Act is a significant first-step towards setting up national consumer centric data privacy standards. While the American Privacy Rights Act aims to define the type of data that companies can collect, there is ambiguity and concern in a number of areas that will be left vague. In the typical process for introducing new regulation, there is either over or under calibration, or it is not specific enough. Regulators must define what data is considered necessary, determine how data collection needs should be managed across applications, determine whether data storage will be centralized or segmented, and establish clear limitations on the types of data companies can collect.

I have concerns that regulators will over-calibrate these new data privacy regulations and inadvertently introduce vulnerabilities in company systems, potentially making it easier for bad actors to exploit them. While giving consumers control over their data is a positive step, it’s crucial that identity and access-management are securely designed, otherwise bad-actors could easily steal personal data. Giving consumers the right to access, correct, delete, and export their personal data is a great step forward, but brings significant security concerns. There’s a technical challenge in setting up and managing identities to ensure that people can’t access or edit someone else’s data. Despite the good intentions, opening these doors will inadvertently increase security concerns. The real task lies in minimizing these incidents as much as possible. It’s all achievable, but requires careful planning and execution.

To get this crucial data privacy law right, it’s important that everyone involved – lawmakers, regulators, and the private sector – all meet at the table together. If lawmakers try to force this law through like dictators, there will be endless pushback from lobbyists – something entirely counterproductive to effective regulation – and will only hurt small businesses and innovation. With many of the few qualified individuals in Congress left retiring or being pushed out of office by partisan politics, it’s up to the American people to elect qualified leaders with experience that matches the problems of today. Leaders that understand the nuances and pitfalls of drafting, right sizing and passing acts that adequately protect Americans while not hindering innovation and economic growth. 

Following on the heels of this story, I have another story about the dark side of sex toys and the Internet. Which to be clear isn’t really about sex toys. But it is about your privacy.

404 Media is reporting on a lawsuit where a woman is suing Adam & Eve for collecting details of her searches sex toys on their site. Brace yourself for the details:

A woman just brought a class action lawsuit against one of the biggest online retailers for sex toys, Adam and Eve, claiming that the site gave Google information about her searches for 8-inch dildos and strap-on harnesses. 

The plaintiff, who isn’t named in the complaint but goes by “Jane Doe,” claims that Adam and Eve uses Google Analytics, which has an anonymization feature that obscures IP addresses of users, but that the site didn’t have that feature enabled. She’s suing PHE, the owner of Adam and Eve, as well as Google, for allegedly disclosing her “sexual preferences, sexual orientation, sexual practices, sexual fetishes, sex toy preferences, lubricant preferences, and search terms” without her consent.

“By using the Google Analytics tool without anonymized IP feature, PHE is sharing with Google Plaintiff’s online activity, along with her IP addresses, even when consumers have not shared (nor have consented to share) such information,” the complaint claims.

Specifically, the plaintiff takes issue with PHE telling Google that she was browsing the site’s categories for “lesbian toys,” women’s sex toys, and realistic dildos. The complaint describes her online shopping trips in detail, claiming that Analytics captured her looking at listings for “Kingcock Strap-on Harness With 8-Inch Dildo” and showed that she added a “Pink Jelly Slim Dildo” to her cart. It also claims that “any information submitted by consumers through the search bar on the site’s homepage is shared with Google,” which in her case was a search for “strap-on dildo.” 

“The above information, combined with the consumer’s IP address, enables Google to identify the person who has interacted with PHE’s Website or has submitted information through the site,” the complaint claims. “Website consumers did not know that the communications between them and PHE would be shared with a third party, Google. PHE did not obtain consent or authorization of Website consumers to disclose communications about their Private and Protected Sexual Information. The surreptitious disclosure of Private and Protected Sexual Information is an outrageous invasion of privacy and would be offensive to a reasonable person.”

She’s suing PHE and Google for violations of the California Invasion of Privacy Act, which prohibits services from communicating information about users to third parties without their consent. Someone doesn’t have to have suffered “actual damages” to bring legal action under CIPA, and can sue for $5,000 per violation.

Now Google is saying that it doesn’t try to identify individuals and has policies to try and stop that from happening. And it’s really up to the retailer to do the right thing. In other words, Google is using the Shaggy excuse. As in “it wasn’t me.” Adam & Eve didn’t have anything to say to 404 Media. But let’s just take a step back and take the words “sex toys” out of this discussion. What this is really about is the fact that ANY retailer can take your shopping habits, collect that up, and use it or sell it however they see fit. If you’re on Amazon, you might not have an issue with that. But if you are shopping for something more “personal” you might have a problem with that. This really isn’t new. But it highlights the fact that your data is valuable and retailers will want to make money off of it, even if you don’t buy anything from them. That’s something that you might want keep in mind if you shop online.

To be clear, I am not the least bit surprised that this could be possible. Though part of me is still a bit stunned at this story as it is an insane privacy breach if this is true. And what I am talking about is a company called Cox Media Group who claims that it can eavesdrop on your conversations, through microphones in smartphones, TVs, and smart speakers. This comes via 404 Media:

A marketing team within media giant Cox Media Group (CMG) claims it has the capability to listen to ambient conversations of consumers through embedded microphones in smartphones, smart TVs, and other devices to gather data and use it to target ads, according to a review of CMG marketing materials by 404 Media and details from a pitch given to an outside marketing professional. Called “Active Listening,” CMG claims the capability can identify potential customers “based on casual conversations in real time.”

The news signals that what a huge swath of the public has believed for years—that smartphones are listening to people in order to deliver ads—may finally be a reality in certain situations. Until now, there was no evidence that such a capability actually existed, but its myth permeated due to how sophisticated other ad tracking methods have become.

It is not immediately clear if the capability CMG is advertising and claims works is being used on devices in the market today, but the company notes it is “a marketing technique fit for the future. Available today.” 404 Media also found a representative of the company on LinkedIn explicitly asking interested parties to contact them about the product. One marketing professional pitched by CMG on the tech said a CMG representative explained the prices of the service to them. 

“What would it mean for your business if you could target potential clients who are actively discussing their need for your services in their day-to-day conversations? No, it’s not a Black Mirror episode—it’s Voice Data, and CMG has the capabilities to use it to your business advantage,” CMG’s website reads.

And:

With Active Listening, CMG claims to be able to “target your advertising to the EXACT people you are looking for,” according to its website. The goal is to target potential clients or customers based on what they say in “their day to day conversations,” the website adds.

Reading this story sent chills down my spine. Now in my case, my household is part of Team Apple. Which means the four HomePod mini’s as well as the three iPhones along with two Apple Watches that my wife and I collectively own are covered by this policy which fully lays out what data Apple collects and why along with what data they may keep and where that data goes. That made me a feel bit better. The only other device in my home that has any form of voice interface is this TCL TV which is powered by the Roku operating system. They have this privacy policy which states the following:

If you link your Roku Device to a non-Roku voice-enabled virtual assistant (e.g., Alexa and Google Assistant), you are choosing to have us disclose device data to the voice assistant provider, such as device type and name, device identifiers, its state (e.g., whether the device is powered on, whether the device is playing video), names of installed streaming service apps, and the names of your device HDMI ports. If you direct such virtual assistant to display content, we will also disclose the content to such voice provider to carry out your request.  For information about how these providers use this data, please review their privacy policies. 

I have the TV linked to Apple HomeKit. Which means that it is covered by Apple’s privacy policy. And I do have a Roku voice remote that requires me to press a button to do anything. So it’s not actively listening into anything I am doing. So I am fine there as well. Now why am I telling you all of this? Well, depending on what smart devices you have in your home, you might be fine, our you might have an issue:

CMG lists a number of other companies as its partners and publishers. These include Amazon, Microsoft, and Google. None of those companies responded to a request for comment on whether they were aware of this capability or whether it was in active use.

I would assume that if you have any Google, Amazon or Microsoft devices, then you likely have a problem. I say that because the first two are exactly the type of companies who would do anything to gather as much data on you as possible to monetize it in any way possible. The jury is still out on Microsoft. But let us assume that they are in the Google or Amazon camp for now until they prove themselves to be different.

I will be interested to see how CMG and their clients respond to this story now that this is out there. Because I think it is safe to say that this story is going to get a lot of attention. Including from regulators which I am sure that CMG and their clients do not want. Thus if they don’t respond to this with some talking points to try and defuse this, they may have bigger problems on their hands.

Internet connected cars are all the rage at the moment. And I for one will not be buying one and I will be hanging on to my Internet disconnected car for as long as I can do so. The reason being is according to a study done by Mozilla, cars collect all sorts of data about you and sends it back to the manufacturer. And the kind of data that is collected is shocking:

We reviewed 25 car brands in our research and we handed out 25 “dings” for how those companies collect and use data and personal information. That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you. For context, 63% of the mental health apps (another product category that stinks at privacy) we reviewed this year received this “ding.”

And car companies have so many more data-collecting opportunities than other products and apps we use — more than even smart devices in our homes or the cell phones we take wherever we go. They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone), and can gather even more information about you from third party sources like Sirius XM or Google Maps. It’s a mess. The ways that car companies collect and share your data are so vast and complicated that we wrote an entire piece on how that works. The gist is: they can collect super intimate information about you — from your medical information, your genetic information, to your “sex life” (seriously), to how fast you drive, where you drive, and what songs you play in your car — in huge quantities. They then use it to invent more data about you through “inferences” about things like your intelligence, abilities, and interests.

The car companies then sell this data, as it’s a revenue source for them. And opting out of this data collection isn’t an option for the most part. Consent is an illusion as simply stepping into a car with this sort of tech qualifies as consent. And finally, all car companies do this.

This to me is not cool and I hope that consumers file complaints with the relevant government agencies (In Canada that’s the Privacy Commissioner) so that all of these car companies are forced to explain why they do this which may make them reconsider if they should be doing this at all.