Archive for Privacy

India Orders VPN Providers To Retain Data…. VPN Providers Are Considering Their Options Including Leaving The Country

Posted in Commentary on May 9, 2022 by itnerd

India has ordered VPNs to collect and store users’ data, including names, addresses, contact numbers, email and IP addresses, for up to five years. With this move, Wired reported that VPN providers have since threatened to quit India:

The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t wash with VPN providers, some of whom have said they may ignore the demands. “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Artur Kane, CMO at GoodAccess had this to say:

“Though controversial upon inception, the so-called data retention legislation has now been with us for decades. Most technologically developed countries enforce these directives with varying retention periods, usually ranging from 6 months to 2 years. In some countries, all expenses on data retention are even covered by the government.

Until now, the data retention obligations were limited to infrastructure providers (internet service providers, telecommunications), and asking the same of VPN vendors is without precedent in democratic countries.

The use of VPNs, in the past widely adopted by companies to provide remote access to company IT resources, has rapidly spread to millions of consumers over the past decade, who use it to avoid surveillance by internet providers, bypass country-based content filtering, and other restrictions. In my opinion, cybercriminals had been using VPNs to anonymize their activities even before ordinary users jumped on the trend.

Now, forcing VPN providers to track user traffic and their private data (like source and destination IP, port, protocol, and timestamps) is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers. 

The value for the price doesn’t add up, either. Privacy is a basic human need, legally protected in many free countries, and people have the right to protect it, especially now, when their sensitive data is more valuable than ever and is being collected on a shocking scale.

Law on the public internet can be enforced in other ways that do not impact user privacy, such as the use of behavioral algorithms by vendors, looking for characteristic patterns of potentially malicious behaviors, or disabling VPN services to those accounts where such events were detected.”

I have been to India a number of times and this news is very disappointing. India really needs to reconsider this as this is a massive overreach by the Indian Government. And it risks making them a very repressive country that nobody will want to visit or do business in.

Ikea Canada Had An “Internal” Data Breach…. WTF??

Posted in Commentary on May 7, 2022 by itnerd

Over the last month, my wife and I have been doing shopping at Ikea Canada. But I may be rethinking that as it has come to light this past week that Ikea Canada had what they term an “Internal” data breach that affected 95,000 Canadians. Global News has the details:

Ikea Canada told Global News it was made aware that some of its customers’ personal information appeared in the results of a generic search made by an employee between March 1 to March 3.

A spokesperson added that the information was accessed by the person using Ikea’s customer database.

“While we can’t speculate as to why the search was made, we can share that we have taken actions to remedy this situation,” Ikea Canada PR leader Kristin Newbigging said.

“We have also reviewed our internal processes and reminded our co-workers of their obligation to protect customer information.”

Okay. The fact that you have to remind your employees not to do something like this is a huge problem. And the fact that an employee did this is a massive problem. It likely shows that their internal controls weren’t on point.

Here’s the best news out of this:

Ikea Canada has submitted a breach report to the Office of the Privacy Commissioner of Canada (OPC).

OPC officials confirmed they are in communication with the company to get more information and determine next steps. They would not say what those steps could be.

Hopefully the OPC smacks Ikea Canada silly as this is pretty unacceptable from my perspective. In the meantime, affected customers have already been notified by email.

Google Collects Data From Google Dial And Messages Without Your Consent Or Ability To Opt Out…. WTF?

Posted in Commentary on March 23, 2022 by itnerd

People have said to me that I am such an Apple Fanboy because I tend to gravitate towards Apple products. The reality is that while I don’t trust any company completely, I trust Apple more than Google. And this story is a clear reason why I feel that way:

According to a research paper, “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google’s Firebase Analytics service.

“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.” The timing and duration of other user interactions with these apps has also been transmitted to Google. And Google offers no way to opt-out of this data collection.

So in short, Google is unsurprisingly harvesting user data. Something that they don’t exactly confirm. But they don’t exactly deny either:

Google confirmed to The Register on Monday that the paper’s representations about its interactions with Leith are accurate. “We welcome partnerships – and feedback – from academics and researchers, including those at Trinity College,” a Google spokesperson said. “We’ve worked constructively with that team to address their comments, and will continue to do so.”

The paper raises questions about whether Google’s apps comply with GDPR but cautions that legal conclusions are out of scope for what is a technical analysis. We asked Google whether it believes its apps meet GDPR obligations but we received no reply.

Hopefully politicians in both the US and Europe are paying attention because this is something that merits an investigation. And perhaps some form of punishment.

Clearview AI Brags About Being Able To Ensure “Almost Everyone In The World Will Be Identifiable”

Posted in Commentary on February 19, 2022 by itnerd

I’ve written about Clearview AI before. And the fact that when it comes to violating your privacy, they’re right up there with Meta/Facebook. Well after reading this Washington Post story, I have to say that Meta/Facebook doesn’t seem so bad compared to these clowns:

Clearview AI is telling investors it is on track to have 100 billion facial photos in its database within a year, enough to ensure “almost everyone in the world will be identifiable,” according to a financial presentation from December obtained by The Washington Post. 

Those images — equivalent to 14 photos for each of the 7 billion people on Earth — would help power a surveillance system that has been used for arrests and criminal investigations by thousands of law enforcement and government agencies around the world. And the company wants to expand beyond scanning faces for the police, saying in the presentation that it could monitor “gig economy” workers and is researching a number of new technologies that could identify someone based on how they walk, detect their location from a photo or scan their fingerprints from afar. 

The 55-page “pitch deck,” the contents of which have not been reported previously, reveals surprising details about how the company, whose work already is controversial, is positioning itself for a major expansion, funded in large part by government contracts and the taxpayers the system would be used to monitor. The document was made for fundraising purposes, and it is unclear how realistic its goals might be. The company said that its “index of faces” has grown from 3 billion images to more than 10 billion since early 2020 and that its data collection system now ingests 1.5 billion images a month.

With $50 million from investors, the company said, it could bulk up its data collection powers to 100 billion photos, build new products, expand its international sales team and pay more toward lobbying government policymakers to “develop favorable regulation.”

Doesn’t that make you feel creeped out? It sure makes me feel creeped out. The only solution is to make sure that this company is regulated to death so that their business model is made non-viable. And if I had to place bets on who might be likely to do that, I would say that the EU would be the ones that would take the lead on that because they simply don’t tolerate violations of privacy. But it would mean a lot more if the US, which is where Clearview AI is based, did something, as it would send a clear message that this sort of business model is unacceptable.

Mozilla And Facebook Propose New Ad Tech That Preserves Your Privacy…. Think About That For A Moment

Posted in Commentary on February 12, 2022 by itnerd

From the “I did not see this coming” department comes news that Meta/Facebook has teamed up with Mozilla to come up with new technology that can measure “conversions” from advertising while still preserving privacy. The proposed new technology is called Interoperable Private Attribution, or IPA:

IPA has two key privacy-preserving features. First, it uses Multi-Party Computation (MPC) to avoid allowing any single entity — websites, browser makers, or advertisers — to learn about user behavior. Mozilla has some experience with MPC systems as we’ve deployed Prio for privacy-preserving telemetry. Second, it is an aggregated system, which means that it produces results that cannot be linked to individual users. Together these features mean that IPA cannot be used to track or profile users.

IPA is designed to provide a lot of flexibility for advertising businesses in terms of how they use the system. Cross-device and cross-browser attribution options in IPA enable new and more robust attribution capabilities, while maintaining privacy. The IPA proposal aims to ensure that all sites benefit from these features with the match key concept, which allows smaller players to access the greater reach of entities to cross-device attribution.

My $0.02 worth goes something like this:

  1. If Facebook is involved at all then it’s going to be all shades of wrong.
  2. Mozilla is just part of this because Facebook has cash and name brand recognition.
  3. The invasive tactics by various companies to gather more and more data about me have really made me jaded about any proposal that any company has that claims to preserve my privacy. And when one of those proposals comes from Facebook, there’s zero chance that I would believe it, seeing as Facebook’s whole business model is about invading your privacy so that they can make a buck.

As far as I am concerned, this proposal is DOA. And Mozilla’s involvement really makes me think not as highly about Mozilla as I once did. If I were them, I would rethink my involvement with Facebook as that smells like a deal with the Devil.

Both Google And Facebook Run Afoul Of The GDPR

Posted in Commentary on February 11, 2022 by itnerd

Bad news for Google today. Hot off the heels of an Austrian website having been found to violate the GDPR because of their use of Google Analytics, France’s privacy watchdog has found something similar:

Use of Google Analytics has now been found to breach European Union privacy laws in France — after a similar decision was reached in Austria last month.

The French data protection watchdog, the CNIL, said today that an unnamed local website’s use of Google Analytics is non-compliant with the bloc’s General Data Protection Regulation (GDPR) — breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections.

The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it’s being used or to seek redress for any misuse.

And Facebook isn’t immune from this:

The regulator told us the use of Facebook Connect by French site managers “has also been the subject of complaints to the CNIL, which are currently being investigated”.

Both Google and Facebook have a problem here. It’s clear that the EU isn’t going to adopt US standards as normal. Which in turn will lead to difficulties for US companies who operate in the EU unless they alter their behaviour. It will be interesting to see how Google, Facebook and other US companies adapt.

Washington State Department of Licensing Pwned By Hackers…. And A Resulting Database Breach May Have Exposed The Personal Info Of Millions

Posted in Commentary on February 7, 2022 by itnerd

The Washington State Department of Licensing has reported a database breach which has potentially exposed personal information of millions of licensed professionals, ranging from real estate agents to auctioneers, after it detected suspicious activity on its online licensing system:

During the week of Jan. 24, 2022, the Department of Licensing (DOL) became aware of suspicious activity involving professional and occupational license data. We immediately began investigating with the assistance of the Washington Office of Cybersecurity. As a precaution, DOL also shut down the Professional Online Licensing and Regulatory Information System (POLARIS) to protect the personal information of professional licensees.

At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally.

We are working with the Washington Office of Cybersecurity to protect the licensing data and bring POLARIS back online as soon as possible. With the support and assistance of nationally recognized cybersecurity experts, we are investigating what happened and what data and people may be affected.

This isn’t a good look for Washington State. And I’d love to know what data was exposed or stolen. And Saryu Nayyar, CEO and Founder, Gurucul, agrees with me:

“While there are few details in the report, it appears that very sensitive personal data has been stolen, including social security numbers. Detecting a massive data set stolen is rare. Often organizations are blind to data being stolen over periods of time till it becomes apparent a large set of data has been stolen. Attackers effectively hide and trickle out data in many cases because most traditional SIEM or XDR solutions have great difficulty in understanding this trickle is part of a large attack campaign. Organizations need to research solutions that are more effective at not just thwarting attacker efforts early in the kill chain before data is exfiltrated, but can correlate small bursts of activity spread across time as a long-standing data theft operation by a clever threat actor.”

Hopefully Washington State investigates this fully and presents the results to the public. That way everyone knows how bad this breach is.

Tile Owner Life360 To Stop Selling “Precise” User Data

Posted in Commentary on January 28, 2022 by itnerd

You might recall that Bluetooth tracking device Tile was bought by a company called Life360, who it was discovered had a very bad reputation for selling all the data it could to make the most amount of money possible. I was wondering this at the time:

So Tile users, this is who has purchased your location tracking service. They don’t sound like the best people, and I for one would be interested to see how Life360 responds to this so that their purchase of Tile doesn’t go down the tubes.

We have a sign of how Life360 is going to respond. They’re going to stop selling “precise” user data:

The family safety app Life360 announced on Wednesday that it would stop selling precise location data, cutting off one of the multibillion-dollar location data industry’s largest sources.  The decision comes after The Markup revealed that Life360 was supplying up to a dozen data brokers with the whereabouts of millions of its users. 

In a quarterly activities report released to its investors on the Australian Securities Exchange, Life360’s founder and CEO Chris Hulls announced that Life360 will phase out all of its location data deals, except with Allstate’s Arity. Life360 is a San Francisco–based company publicly traded on the Australian exchange, but it has plans to go public in the U.S. this year. 

And:

Life360’s report described the arrangement as a “new data partnership” that “significantly advances privacy initiatives.”

“Life360 recognises that aggregated data analytics (for example, 150 people drove by the supermarket) is the wave of the future and that businesses will increasingly place a premium on data insights that do not rely on device-level or other individual user-level identifiers,” Hulls said in the announcement. 

He said that selling aggregate location data would mean “reducing business risk” for the company. Hulls did not elaborate on what those risks were. The deal with Placer.ai does not include data from the companies Tile and Jiobit, both of which Life360 announced acquisitions of last year.  

To be honest, I am not sure if this will put Tile users’ minds at ease. Assuming that they still use Tile, as there have been reports of Tile users dumping the product when these issues came to light. But the flip side to that is that at least Life360 recognizes that they have a problem. Let’s see if that recognition pays off for them.

Guest Post: It’s Data Privacy Week from January 24th-28th: Learn How Private Your Data Really Is

Posted in Commentary on January 24, 2022 by itnerd

As the line between our offline and online lives continues to blur, Data Privacy Week from January 24th-28th is the little push we need at the start of the year to make safeguarding our personal information a priority. Although we live in an increasingly digital world, most of us give little thought to data privacy until after our personal data has been compromised.

Our increased reliance on digital technologies to manage every facet of life provides the need to rethink what we share about our lives and how to protect our most vulnerable information. From phishing attacks to wide-spread data breaches, key threats exist that put our important information at risk. Lookout, the leader in delivering integrated Security, Privacy, and Identity Theft Protection solutions, can help ensure that your devices and data remain private while enjoying the best technology has to offer.

To help ensure your important data stays secure and private, Lookout recommends:

  1. Guarding your personal data & sharing information only when needed: Think twice before you share your personal data. Consider why a company is requesting your email address and what they might do with it before you enter it online. If a store asks for your birth date, driver’s license or phone number, you can decline to share that information.
  2. Staying vigilant about online scams & phishing attacks: Online phishing attacks and scams are becoming increasingly hard to discern with the naked eye; remember that not everything you see online is real. If a text message or email is written with extreme urgency, or asks you to send money or take action regarding your account, stop and go directly to the source to validate whether it is legitimate.
  3. Downloading a dedicated mobile security software – like Lookout Security, Privacy & Identity Protection – to secure against digital threats, including phishing attacks, malware and identity theft.

All consumers can also scan their email for FREE on Lookout’s website to learn about breaches that may have leaked their personal data and take immediate action to secure their information. 

Austrian Website’s Use Of Google Analytics Breaches GDPR

Posted in Commentary on January 13, 2022 by itnerd

TechCrunch is reporting something that is bad news for US cloud services. An Austrian website’s use of Google Analytics has been found to breach GDPR:

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.

That’s not good and I suspect that this decision is being discussed in a lot of places as I type this. I’ve got two comments on this with the first being from Elizabeth Wharton who is the VP Operations for SCYTHE:

Legal clashes between US and foreign privacy policies have been ongoing since the Reagan era. Although we’re seeing more privacy concerns in the US, evidenced by CPRA and proposed federal legislation in 2021 among others, a consistent resolution isn’t imminent. The overlaps between security and privacy mean that more business models need to take that into consideration, especially companies who profit from user data. This is another reminder that security and privacy are not equal to compliance, and companies collecting personal information need to go beyond the bare minimum requirements.

And the second is from Chris Olson, CEO at The Media Trust:

“With the Austrian court’s ruling, we are finally seeing the concrete impact that emerging data privacy laws will have on unregulated third-party code. Under the hard interpretation of GDPR adopted in this case, a majority of organizations with online domains would be in violation, based solely on the activity of their digital partners.”

“Moving forward, CMPs, encryption-at-rest and other workarounds for data privacy laws just won’t cut it. Businesses have only one way to guarantee their visitors’ privacy and avoid costly fines: understand the code that is executing on your website, continually scan for violations, and vet your third parties for data privacy practices.”

I think that this will make a lot of companies scramble to rethink and reimplement how they handle data so that they aren’t the next headline that I’m reporting on.