Archive for Privacy

Google Is Now Tracking Your Every Move Online To Make Money

Posted in Commentary with tags , on September 10, 2023 by itnerd

Earlier this week, I posted this story about Google’s new Privacy Sandbox feature. But there’a dark side to this announcement that ARS Technica is highlighting:

Don’t let Chrome’s big redesign distract you from the fact that Chrome’s invasive new ad platform, ridiculously branded the “Privacy Sandbox,” is also getting a widespread rollout in Chrome today. If you haven’t been following this, this feature will track the web pages you visit and generate a list of advertising topics that it will share with web pages whenever they ask, and it’s built directly into the Chrome browser. It’s been in the news previously as “FLoC” and then the “Topics API,” and despite widespread opposition from just about every non-advertiser in the world, Google owns Chrome and is one of the world’s biggest advertising companies, so this is being railroaded into the production builds.

Google seemingly knows this won’t be popular. Unlike the glitzy front-page Google blog post that the redesign got, the big ad platform launch announcement is tucked away on the privacysandbox.com page. The blog post says the ad platform is hitting “general availability” today, meaning it has rolled out to most Chrome users. This has been a long time coming, with the APIs rolling out about a month ago and a million incremental steps in the beta and dev builds, but now the deed is finally done.

Well, I don’t use Google Chrome as my main web browser. But this is a few steps too far. And not only won’t I be using Chrome on any of my computers, but I will encourage others not to use Chrome as well. The other thing that this does is make my trust level with Google as a company drop to zero.

If you’re looking for alternatives, Firefox and Safari on the Mac would be my choices. Neither of those browsers have shown blatant disregard for their user base that Google Chrome has.

Wyze Seems To Have A Privacy Issue Related To Their Cameras

Posted in Commentary with tags , on September 9, 2023 by itnerd

A reader tipped me off to this Reddit thread where Wyze has had some sort of issue has broadcasted private camera streams randomly to others. That’s one hell of a privacy issue. But not the company’s first one. I wrote about another privacy issue with Wyze back in 2019. Thus I am not shocked by this. The Verge confirms that this was happening on Friday along with additional Reddit threads illustrating that this issue was widely seen by uses, and they also report the following:

After we published this story, Wyze spokesperson Dave Crosby shared a statement explaining what happened. Although Crosby says the issue is resolved and that view.wyze.com is “back up and running,” the status page still says view.wyze.com is under maintenance as of Saturday morning. (Crosby says the company will update the status page “shortly.”)

Here is Crosby’s statement:

This was a web caching issue and is now resolved. For about 30 minutes this afternoon, a small number of users who used a web browser to log in to their camera on view.wyze.com may have seen cameras of other users who also may have logged in through view.wyze.com during that time frame. The issue DID NOT affect the Wyze app or users that did not log in to view.wyze.com during that time period.

Once we identified the issue we shut down view.wyze.com for about an hour to investigate and fix the issue.

This experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again. We’re also working to identify affected users.

That’s nice. But again, I’ll point out that this is not the first time that Wyze has run into a privacy issue. Besides what I mentioned above, there was this:

In March 2022, Wyze revealed that it had been aware of a security vulnerability for three years that could have let bad actors access WyzeCam v1 cameras, but quietly discontinued the camera rather than telling customers about it.

My take home message is that nobody should buy Wyze cameras. They may be cheap on Amazon. But they’re clearly insecure and the company cannot be trusted.

Cars Are Rolling Privacy Nightmares Says Mozilla As They Collect All Your Data… Including Data About Your Sex Life

Posted in Commentary with tags on September 7, 2023 by itnerd

Internet connected cars are all the rage at the moment. And I for one will not be buying one and I will be hanging on to my Internet disconnected car for as long as I can do so. The reason being is according to a study done by Mozilla, cars collect all sorts of data about you and sends it back to the manufacturer. And the kind of data that is collected is shocking:

We reviewed 25 car brands in our research and we handed out 25 “dings” for how those companies collect and use data and personal information. That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you. For context, 63% of the mental health apps (another product category that stinks at privacy) we reviewed this year received this “ding.”

And car companies have so many more data-collecting opportunities than other products and apps we use — more than even smart devices in our homes or the cell phones we take wherever we go. They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone), and can gather even more information about you from third party sources like Sirius XM or Google Maps. It’s a mess. The ways that car companies collect and share your data are so vast and complicated that we wrote an entire piece on how that works. The gist is: they can collect super intimate information about you — from your medical information, your genetic information, to your “sex life” (seriously), to how fast you drive, where you drive, and what songs you play in your car — in huge quantities. They then use it to invent more data about you through “inferences” about things like your intelligence, abilities, and interests.

The car companies then sell this data, as it’s a revenue source for them. And opting out of this data collection isn’t an option for the most part. Consent is an illusion as simply stepping into a car with this sort of tech qualifies as consent. And finally, all car companies do this.

This to me is not cool and I hope that consumers file complaints with the relevant government agencies (In Canada that’s the Privacy Commissioner) so that all of these car companies are forced to explain why they do this which may make them reconsider if they should be doing this at all.

Teamsters Accuse CN Rail Of Secretly Tracking Their Employees Movements Via Company Issued Tablets

Posted in Commentary with tags , on August 24, 2023 by itnerd

This is one of those topics that I always thought would come up more often. CTV News is reporting that the Teamsters union is accusing CN Rail of tracking employees movements, even after hours via the tablets that CN Rail issues their employees and not disclosing that they were doing so:

The Teamsters Canada Rail Conference, which is the union that represents 5,500 Canadian National railway employees, alleges CN has been monitoring the whereabouts of a train operator outside of work hours through a company-issued tablet.

“It’s spying, it’s wrong and it’s illegal in our view” according to Teamsters Canada’s director of public affairs Christopher Monette, who adds “on top of it being creepy, it’s downright dystopian. It’s something that shouldn’t be happening.” 

The union says they have reason to be concerned that a large number of CN Rail employees may have also had their location tracked by the company during their own personal time after work.Speaking to CTV National News, Monette says that CN “didn’t tell us this was going on and they didn’t seek consent from workers to use geolocation data” from their company issued devices and believes CN was trying to keep their tracking methods secret.

“We only found out about this by accident, through a disclosure process where the company was forced to disclose why they were disciplining a worker,” according to Monette.

Now CN Rail doesn’t want to comment on this. But frankly I am not surprised. Tablets and phones issued by companies are often what are called “managed” devices. Meaning that the devices are put into a type of software called Mobile Device Management software or MDM for short. This software allows a company to do a number of things. Get the status of the device, push out software updates, remote control the device for troubleshooting purposes, and most relevant to this story, track the device. Now a company may only decide to use this software to track a device if it is stolen. But I can see a scenario where a company may use this software to track a device at all times. Which if they disclose that up front, I guess that’s fine. But if they didn’t you get this situation.

Now if you have a company issued device and are afraid of being tracked, there are very low tech solutions to this:

Cyber security analyst and lawyer Ritesh Kotak believes employees who have a work phone, tablet or laptop should try and purchase their own personal devices to use off work hours.

“These high-tech problems have really low-tech solutions,” Kotak says.

He also says that he uses a tab to cover the camera on his work computer when he’s not on a video call. Kotak adds that, if possible, employees should turn their work devices onto airplane mode off work hours.

“It’s important to understand that information (from your devices) is being collected on a continuous basis by the employer, it’s probably being stored and there maybe third parties who have access to it.”

One thing to consider is that if you go this route, your company may complain at some point because the device isn’t on all the time. Another thing to consider is if you “BYOD” or bring your own device, and the company puts their MDM software on it, you could be in the same situation. So you may want to keep that in mind as well.

The bottom line is that if you use company property, or simply have their software installed on your own smartphone or computer, you should have no expectation of privacy. Ever. Unfortunate, but true.

The Police Service of Northern Ireland Data Leak Just Got Worse Than It Already Is

Posted in Commentary with tags on August 14, 2023 by itnerd

Last week I told you about a data leak involving The Police Service of Northern Ireland where they accidentally published the data on all their staff creating a critical incident in the process. As bad as that is, it just got worse. Here’s the details from Sky News:

The Police Service of Northern Ireland (PSNI) says it fears its officers could be targeted and intimidated after saying it believes that dissident republicans have data on staff that was accidently leaked by the force last week.

“We are now confident that the workforce dataset is in the hands of dissident republicans,” Chief Constable Simon Byrne said.

“It is therefore a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff.”

And:

Earlier, a redacted version of the leaked document that listed the names of police officers in Northern Ireland was posted on a wall facing a Sinn Fein office in Belfast.

Keep in mind that the peace in Northern Ireland is a recent thing because of the Good Friday accords. Thus this data leak doesn’t exactly help this situation which has not been in a good place for a couple of years now. This this situation illustrates that data breaches don’t just have a financial and repetitional impact, they also have a life threatening impact as is illustrated here.

The Police Service of Northern Ireland REALLY Screws Up And Publishes The Data Of ALL ITS STAFF

Posted in Commentary with tags on August 9, 2023 by itnerd

The good news is that The Police Service Of Northern Ireland didn’t get pwned by hackers. But the bad news is they might as well have been. I say that because they really screwed up and accidentally published the data on all their staff creating a critical incident in the process:

The Police Service of Northern Ireland (PSNI) earlier apologised for the self-inflicted security breach after it inadvertently published the information in response to a Freedom of Information (FOI) request on Tuesday.

The breach involved the surname, initials, the rank or grade, the work location and departments of all PSNI staff, but did not involve the officers’ and civilians’ private addresses.

Alliance Party leader Naomi Long said it was a concern that a member of staff, who she understands to be “relatively junior”, had access to the sensitive data.

PSNI said its chief constable Simon Byrne is cutting his family holiday short to deal with the crisis and is expected to answer questions from politicians.

This is bad. This is very bad. Why is this bad? Here’s why:

The information, which was available online for up to three hours, revealed members of the organised crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit and almost 40 PSNI staff based at MI5’s headquarters in Holywood, the Belfast Telegraph reported.

Clearly there was no process in place to limit who has access to this data. Nor were there any checks to make sure that the data was safe to release. This is another one of those cases where heads need to roll over this because I cannot imagine what the members of this police service are going through knowing that some of their personal information is out there right now.

#EpicFail

Guest Post: Online Identity & Privacy Protection Tips For Children

Posted in Commentary with tags on August 9, 2023 by itnerd

By Ani Chaudhuri, CEO, Dasera

Beyond the usual guidelines, there are several innovative and layered approaches that parents might not have considered:

  • Digital Footprint Starts at Birth: Avoid sharing identifiable information about your child on public platforms. This includes full names, birth dates, and locations. A harmless birth announcement can offer malicious actors a starting point.
  • Rethink “Smart” Toys: Before purchasing, scrutinize the data handling practices of internet-connected toys. Many collect vast amounts of information, and not all have stringent security measures.
  • Understand School Data Handling: Engage with your child’s school to understand how they store, use, and protect student data. Often, educational platforms have data vulnerabilities or share information with third parties.
  • Voice-Activated Devices: Devices like Siri or Alexa constantly listen for activation cues. Ensure they aren’t inadvertently recording your child’s conversations or information.
  • Online Gaming: Even games designed for younger children can have chat features. Ensure these are disabled or monitored. Personal information can be unintentionally shared during seemingly innocent in-game conversations.

From the moment they are born. It may sound extreme, but children have a digital identity almost from birth in our current digital era. Whether it’s hospital records, pediatrician visits, or the first photo shared on social media, their digital footprint begins immediately. Each of these instances carries data – a golden ticket for identity thieves. Protecting a child’s ID isn’t just about preventing financial fraud; it’s about safeguarding their entire digital existence and future reputation.

Child ID and privacy isn’t just about what parents should do; it’s equally about the don’ts and nevers:

  • Never Use Their Name for Passwords: Using a child’s name or birthdate as a password for any online service is a glaring risk. It’s often the first thing hackers will try.
  • Don’t Overlook Data Breaches: Not all data breaches make headlines. Watch for breaches involving services your child uses and act accordingly.
  • Never Assume a Platform is Safe: Just because a platform is designed for children doesn’t mean it’s secure. Constantly scrutinize its data practices.
  • Don’t Underestimate Word of Mouth: Children learn much from their peers. Educate them about the basics of data privacy so they can be advocates among their friends.

Protecting a child’s ID and privacy in today’s world requires vigilance, continuous education, and proactive measures. It’s not just about today’s threats but also about preventing potential risks in the future. Parents must be the first line of defense, even if it means challenging the status quo of digital interaction.

India’s Digital Personal Data Protection Bill Moves Through Parliament

Posted in Commentary with tags , on August 8, 2023 by itnerd

India’s Digital Personal Data Protection Bill of 2023 passed in the lower house of Parliament and will now face the higher house before it becomes law. Highlights of the bill include:

  • The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  It will also apply to such processing outside India, if it is for offering goods or services in India.
  • Personal data may be processed only for a lawful purpose upon consent of an individual.  Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
  • Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
  • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
  • The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.

But all of this does concern me:

  • Exemptions to data processing by the State on groundssuch as national security may lead to data collection, processing, and retention beyond what is necessary.  This may violate the fundamental right to privacy.
  • The Bill does not regulate risks of harms arising from processing of personal data.  
  • The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
  • The Bill allows transfer of personal data outside India, except to countries notified by the central government.  This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.

Ani Chaudhuri, CEO, Dasera had this comment:

In today’s hyper-connected world, data is businesses, governments, and individuals lifeblood. The Digital Personal Data Protection Bill, 2023, tabled by the Indian Parliament, promises to reshape India’s digital ecosystem fundamentally. However, some provisions raise eyebrows, and some sigh relief. As the CEO of a leading data security and governance firm, here’s my perspective:

1. Applicability and Scope: The Bill’s clarity on what constitutes digital and non-digital data is commendable. This distinction is pertinent in our digital transformation era, where data can easily traverse between these forms. However, the territorial applicability might leave room for data misuse if foreign entities do not offer goods or services but still process Indian data.

2. Consent: The Bill strengthens the individual’s position as the custodian of their data. The stipulation around explicit affirmative action for consent is a commendable step forward. However, the reliance on “consent managers” might introduce new business complexities.

3. Grounds of Processing: The shift from ‘deemed consent’ to ‘legitimate uses’ presents challenges and opportunities. While it offers clarity, it significantly burdens businesses to rethink their data collection and processing strategies.

4. Data Fiduciaries: The onus on data fiduciaries to ensure compliance even when they outsource the processing is a welcome move. This will ensure a chain of responsibility and enforce better data practices.

5. Cross-border Transfers: A “negative list” approach, while seemingly liberal, might lead to complications if the principles on which countries are barred aren’t transparently laid out.

6. Blocking Power: A potentially controversial move. Any power to block public access must be exercised with utmost caution, ensuring it does not stifle freedom of expression or business continuity.

7. Exemptions: A double-edged sword. While exemptions might be necessary for state functionality, they shouldn’t become a backdoor to bypass the very essence of the bill.

8. Penalties: Reducing the maximum penalty suggests a softer stance on non-compliance. Whether this is conducive to robust data protection or simply a concession to businesses is up for debate.

Overall, the 2023 Bill is a thoughtful attempt to balance protecting individual rights and fostering business growth. However, the concerns around compliance costs, especially for startups, are genuine. Without ‘deemed consent’ will undoubtedly introduce more rigidity into the system. While data protection is of utmost importance, we must ensure that we do not inadvertently stifle innovation and business growth.

Although lacking specific timelines, the phased approach to implementation gives businesses a window to adapt. However, startups may bear the brunt, given the high compliance costs. The bill in its current form appears to swing the pendulum more towards protection and less towards ease of doing business.”

While the Bill addresses several data protection concerns, it remains to be seen how its implementation will affect the digital landscape in India. What’s imperative is a continuous dialogue between stakeholders to ensure the Bill serves its purpose without stifling the Indian digital ecosystem.

I am very suspicious of this bill personally because of the privacy related concerns that I highlighted earlier, among other concerns. But there are things that could be considered “good” in this bill that I will see how it is implemented and what the effects of that implementation are before passing judgement on it.

VirusTotal Leaks Data…. A Lot Of It

Posted in Commentary with tags on July 23, 2023 by itnerd

I use Google owned VirusTotal to examine suspicious files as part of investigations that I do for my corporate and sometimes home clients. It’s a very useful tool for me and others. But I suspect that some are rethinking that after it found to have leaked the data of 5600 customers:

VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month.

The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses.

Emiliano Martines, the online malware scanning service’s head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.

Furthermore, the leaked file was only accessible to VirusTotal partners and cybersecurity analysts with a Premium account with the platform.

Those using anonymous or free accounts cannot access the Premium platform and, consequently, cannot reach the leaked file.”On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators,” Martines said on Friday.

“We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.”

Well, that’s one hell of a screw up. Especially because of this:

German news outlets Der Spiegel and Der Standard were the first to report the incident on Monday.As they reported, the 313KB leaked file contained details concerning accounts associated with official U.S. entities, including the Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). Additionally, the file included accounts linked to government agencies in Germany, the Netherlands, Taiwan, and the United Kingdom.”It is a list of 5600 names, including employees of the US intelligence service NSA and German intelligence services,” Der Spiegel said.

That’s pretty bad. And this makes it worse:

Information on dozens of employees at Bundesbank, Deutsche Bahn, Allianz, BMW, Mercedes-Benz, and Deutsche Telekom was also found in the leaked file.

I suspect that there’s going to be a lot of explaining that VirusTotal will have to do over the next few days to reassure those customers.

EU-US Data Privacy Framework Announced

Posted in Commentary with tags on July 11, 2023 by itnerd

The USA has reached a deal with the European Union on how to better protect the privacy of data belonging to EU residents when their information flows to the U.S. This is important because Meta, Google and other tech companies have been in a legal limbo for several years:

The decision adopted by the European Commission is the final step in a yearslong process and resolves — at least for now — a dispute about American intelligence agencies’ ability to gain access to data about European Union residents. The debate pitted U.S. national security concerns against European privacy rights.

The accord, known as the E.U.-U.S. Data Privacy Framework, gives Europeans the ability to object when they believe their personal information has been collected improperly by American intelligence agencies. An independent review body made up of American judges, called the Data Protection Review Court, will be created to hear such appeals.

Didier Reynders, the European commissioner who helped negotiate the agreement with the U.S. attorney general, Merrick B. Garland, and Commerce Secretary Gina Raimondo, called it a “robust solution.” The deal sets out more clearly when intelligence agencies are able to retrieve personal information about people in the European Union and outlines how Europeans can appeal such collection, he said.

“It’s a real change,” Mr. Reynders said in an interview. “Protection is traveling with the data.”

Ani Chaudhuri, CEO, Dasera had this to say:

This EU-US Data Privacy Framework, the product of years of negotiation, attempts to balance national security and personal privacy. This feat is as complex as it is critical.

On the surface, it’s a commendable step. It provides a mechanism for EU residents to challenge perceived infringements on their data by US intelligence agencies and aims to ensure that protections are ‘traveling with the data.’ Yet, Max Schrems, a leading privacy activist, is already planning to sue, questioning the legality and practicality of the Framework. The situation underscores a fundamental question – is it possible to simultaneously maintain privacy and security in a data-driven world?

Firstly, let’s agree on this: data is the backbone of the modern economy. The absence of this agreement would have created a tumultuous environment for multinational businesses that rely heavily on data flows. However, this pact is a band-aid on a festering wound. It replaces the invalidated Privacy Shield but maintains many of its predecessor’s shortcomings.

Why? Because, at its core, the Framework assumes trust between EU citizens and American intelligence agencies. It assumes a complaint-based system backed by an independent review body would provide adequate redress. But let’s be real: how many Europeans would feel comfortable voicing their concerns, let alone feel confident that their complaint would be handled fairly and impartially? The primary question, as Schrems rightfully posits, is whether changes in US surveillance law can genuinely ensure Europeans’ privacy rights. I would argue that the answer is, as it stands, “no.”

The issues run deeper than policy alone. The EU-US Data Privacy Framework marks a step forward but doesn’t necessarily solve the problem. The elephant in the room remains the balance between privacy rights and national security concerns.

The current paradigm involves mass data collection, necessitating uncomfortable compromises on personal privacy for security. But should we not aspire for a system that allows us to achieve both? Technology, after all, is a great enabler.

I’m pretty sure that this isn’t going to make everybody happy. And by everybody I mean Meta. But this is a start to ensuring the privacy of users while using online services and products from tech companies.