Archive for Privacy

Mozilla And Facebook Propose New Ad Tech That Preserves Your Privacy…. Think About That For A Moment

Posted in Commentary with tags , , on February 12, 2022 by itnerd

From the “I did not see this coming” department comes news that Meta/Facebook has teamed up with Mozilla to come up with new technology that can measure “conversions” from advertising while still preserving privacy. The proposed new technology is called Interoperable Private Attribution, or IPA:

IPA has two key privacy-preserving features. First, it uses Multi-Party Computation (MPC) to avoid allowing any single entity — websites, browser makers, or advertisers — to learn about user behavior. Mozilla has some experience with MPC systems as we’ve deployed Prio for privacy-preserving telemetry. Second, it is an aggregated system, which means that it produces results that cannot be linked to individual users. Together these features mean that IPA cannot be used to track or profile users.

IPA is designed to provide a lot of flexibility for advertising businesses in terms of how they use the system. Cross-device and cross-browser attribution options in IPA enable new and more robust attribution capabilities, while maintaining privacy. The IPA proposal aims to ensure that all sites benefit from these features with the match key concept, which allows smaller players to access the greater reach of entities to cross-device attribution.

My $0.02 worth goes something like this:

  1. if Facebook is involved at all then it’s going to be all shades of wrong.
  2. Mozilla is just part of this because Facebook has cash and name brand recognition.
  3. The invasive tactics by various companies to gather more and more data about me has really made me jaded about any proposal that any company has that claims to preserve my privacy. And when one of those proposals comes from Facebook. There’s zero chance that I would believe it seeing as Facebook’s whole business model is about invading your privacy so that they can make a buck.

As far as I am concerned, this proposal is DOA. And Mozilla’s involvement really makes me think not as highly about Mozilla as I once did. If I were them, I would rethink my involvement with Facebook as that smells like a deal with the Devil.

Both Google And Facebook Run Afoul Of The GDPR

Posted in Commentary with tags , , , on February 11, 2022 by itnerd

Bad news for Google today. Hot off the heels of an Austrian website having been found to violate the GDPR because of their use of Google Analytics, France’s privacy watchdog has found something similar:

Use of Google Analytics has now been found to breach European Union privacy laws in France — after a similar decision was reached in Austria last month.

The French data protection watchdog, the CNIL, said today that an unnamed local website’s use of Google Analytics is non-compliant with the bloc’s General Data Protection Regulation (GDPR) — breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections.

The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it’s being used or to seek redress for any misuse.

And Facebook isn’t immune from this:

The regulator told us the use of Facebook Connect by French site managers “has also been the subject of complaints to the CNIL, which are currently being investigated”.

Both Google and Facebook have a problem here. It’s clear that the EU isn’t going to adopt US standards as normal. Which in turn will lead to difficulties for US companies who operate in the EU unless they alter their behaviour. Which it will be interesting to see how, Google, Facebook and other US companies adapt.

Washington State Department of Licensing Pwned By Hackers…. And A Resulting Database Breach May Have Exposed The Personal Info Of Millions

Posted in Commentary with tags , on February 7, 2022 by itnerd

The Washington State Department of Licensing has reported a database breach which has potentially exposed personal information of millions of licensed professionals, ranging from real estate agents to auctioneers, after it detected suspicious activity on its online licensing system:

During the week of Jan. 24, 2022, the Department of Licensing (DOL) became aware of suspicious activity involving professional and occupational license data. We immediately began investigating with the assistance of the Washington Office of Cybersecurity. As a precaution, DOL also shut down the Professional Online Licensing and Regulatory Information System (POLARIS) to protect the personal information of professional licensees.

At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally.

We are working with the Washington Office of Cybersecurity to protect the licensing data and bring POLARIS back online as soon as possible. With the support and assistance of nationally recognized cybersecurity experts, we are investigating what happened and what data and people may be affected.

This isn’t a good look for Washington State. And I’d love to know what data was exposed or stolen. And Saryu Nayyar, CEO and Founder, Gurucul agrees with me.:

“While there are few details in the report, it appears that very sensitive personal data has been stolen, including social security numbers. Detecting a massive data set stolen is rare. Often organizations are blind to data being stolen over periods of time till it becomes apparent a large set of data has been stolen. Attackers effectively hide and trickle out data in many cases because most traditional SIEM or XDR solutions have great difficulty in understanding this trickle is part of a large attack campaign. Organizations need to research solutions that are more effective at not just thwarting attacker efforts early in the kill chain before data is exfiltrated, but can correlate small bursts of activity spread across time as a long-standing data theft operation by a clever threat actor.”

Hopefully Washington State investigates this fully and presents the results to the public. That way everyone knows how bad this breach is.

Tile Owner Life360 To Stop Selling “Precise” User Data

Posted in Commentary with tags , on January 28, 2022 by itnerd

You might recall that Bluetooth tracking device Tile was bought by a company called Life360, who it was discovered had a very bad reputation for selling all the data it could to make the most amount of money possible. I was wondering this at the time:

So Tile users, this is who has purchased your location tracking service. They don’t sound like the best people, and I for one would interested to see how Life360 responds to this so that their purchase of Tile doesn’t go down the tubes.

We have a sign of how Life360 is going to respond. They’re going to stop selling “precise” user data:

The family safety app Life360 announced on Wednesday that it would stop selling precise location data, cutting off one of the multibillion-dollar location data industry’s largest sources.  The decision comes after The Markup revealed that Life360 was supplying up to a dozen data brokers with the whereabouts of millions of its users. 

In a quarterly activities report released to its investors on the Australian Securities Exchange, Life360’s founder and CEO Chris Hulls announced that Life360 will phase out all of its location data deals, except with Allstate’s Arity. Life360 is a San Francisco–based company publicly traded on the Australian exchange, but it has plans to go public in the U.S. this year. 

And:

Life360’s report described the arrangement as a “new data partnership” that “significantly advances privacy initiatives.”

“Life360 recognises that aggregated data analytics (for example, 150 people drove by the supermarket) is the wave of the future and that businesses will increasingly place a premium on data insights that do not rely on device-level or other individual user-level identifiers,” Hulls said in the announcement. 

He said that selling aggregate location data would mean “reducing business risk” for the company. Hulls did not elaborate on what those risks were. The deal with Placer.ai does not include data from the companies Tile and Jiobit, both of which Life360 announced acquisitions of last year.  

To be honest, I am not sure if this will put Tile users minds at ease. Assuming that they still use Tile as there have been reports of Tile users dumping the product when these issues came to light. But the flip side to that is that at least Life360 recognizes that they have a problem. Let’s see if that recognition pays off for them.

Guest Post: It’s Data Privacy Week from January 24th-28th: Learn How Private Your Data Really Is

Posted in Commentary with tags , on January 24, 2022 by itnerd

As the line between our offline and online lives continues to blur, Data Privacy Week  from  January 24th-28th  is the little push we need at the start of the year to make safeguarding our personal information a priority. Although we live in an increasingly digital world, most of us give little thought to data privacy until after our personal data has been compromised.

Our increased reliance on digital technologies to manage every facet of life provides the need to rethink what we share about our lives and how to protect our most vulnerable information. From phishing attacks to wide-spread data breaches, key threats exist that put our important information at risk. Lookout, the leader in delivering integrated Security, Privacy, and Identity Theft Protection solutions, can help  ensure that your devices and data remain private while enjoying the best  technology has to offer. 

To help ensure your important data stays secure and private, Lookout recommends:

  1. Guarding your personal data & sharing information only when needed: Think twice before you share your personal data. Consider why a company is requesting your email address and what they might do with it before you enter it online. If a store asks for your birth date, driver’s license or phone number, you can decline to share that information.
  2. Staying vigilant about online scams & phishing attacks‍: Online phishing attacks and scams are becoming increasingly hard to discern with the naked eye; remember that not everything you see online is real. If a text message or email is written with extreme urgency, or asks you to send money or take action regarding your account, stop and go directly to the source to validate whether it is legitimate.  
  3. Downloading a dedicated mobile security softwarelike Lookout Security, Privacy & Identity Protection – to secure against digital threats, including phishing attacks, malware and identity theft.

All consumers can also scan their email for FREE on Lookout’s website to learn about breaches that may have leaked their personal data and take immediate action to secure their information. 

Austrian Website’s Use Of Google Analytics Breaches GDPR

Posted in Commentary with tags , on January 13, 2022 by itnerd

TechCrunch reporting something that is bad news for US cloud services. An Austrian website’s use of Google Analytics has been found to breach GDPR:

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.

That’s not good and I suspect that this decision is being discussed in a lot of places as I type this. I’ve got two comments on this with the first being from Elizabeth Wharton who is the VP Operations for SCYTHE:

Legal clashes between US and foreign privacy policies have been ongoing since the Reagan era. Although we’re seeing more privacy concerns in the US, evidenced by CPRA and proposed federal legislation in 2021 among others, a consistent resolution isn’t imminent. The overlaps between security and privacy mean that more business models need to take that into consideration, especially companies who profit from user data. This is another reminder that security and privacy are not equal to compliance, and companies collecting personal information need to go beyond the bare minimum requirements.

And the second is from Chris Olson, CEO at The Media Trust:

“With the Austrian court’s ruling, we are finally seeing the concrete impact that emerging data privacy laws will have on unregulated third-party code. Under the hard interpretation of GDPR adopted in this case, a majority of organizations with online domains would be in violation, based solely on the activity of their digital partners.”

“Moving forward, CMPs, encryption-at-rest and other workarounds for data privacy laws just won’t cut it. Businesses have only one way to guarantee their visitors’ privacy and avoid costly fines: understand the code that is executing on your website, continually scan for violations, and vet your third parties for data privacy practices.”

I think that this will make a lot of companies scramble to rethink and reimplement how they handle data so that they aren’t the next headline that I’m reporting on.

Dutch Olympic Committee To Dutch Athletes: Don’t Take Your Phones And Laptops To The Winter Olympics In China

Posted in Commentary with tags , on January 12, 2022 by itnerd

Right now, China doesn’t exactly have the best public perception when it comes to being trustworthy. That’s on display via this Reuters article where Dutch Athletes are being told by the Dutch Olympic Committee to leave their phones and laptops at home when they go to the Winter Olympics that are being held in China:

Dutch athletes competing in next month’s Beijing Winter Olympics will need to leave their phones and laptops at home in an unprecedented move to avoid Chinese espionage, Dutch newspaper De Volkskrant reported on Tuesday. The urgent advice to athletes and supporting staff to not bring any personal devices to China was part of a set of measures proposed by the Dutch Olympic Committee (NOCNSF) to deal with any possible interference by Chinese state agents, the paper said citing sources close to the matter. NOCNSF spokesman Geert Slot said cybersecurity was part of the risk assessment made for the trip to China, but declined to comment on any specific measure. “The importance of cybersecurity of course has grown over the years”, Slot said. “But China has completely closed off its internet, which makes it a specific case.”

It will be interesting to see how China reacts to this. If they say nothing, you have to wonder why as that it implies that China is actually doing something. But if they react in an angry manner, then you might say exactly the same thing. And I can see a scenario where if other countries copy the Dutch, then the Chinese might really freak out as a result.

Get the popcorn ready.

Desjardins Settles Class Action Lawsuit To Make Data Breach Issues Go Away

Posted in Commentary with tags , on December 27, 2021 by itnerd

A few years back I wrote about a far from trivial data breach involving Canadian Bank Desjardins. The source of the leak was a bad actor that was inside the company. Or put another way, a Desjardins employee. That’s pretty bad and illustrates that the bank was asleep at the switch. Now that lapse is going to cost the bank a couple of hundred million dollars:

The agreement, which is subject to approval by the Quebec Superior Court, would allow eligible individuals who were affected by the privacy breach that came to light in June 2019 to receive a payment.

The settlement applies to members and former members as well as clients and former clients of the financial co-operative who have held Desjardins credit cards or financing products.

Desjardins says there’s no need for people to contact them before the agreement is approved and a claims process begins.

Plaintiff law firms Siskinds Desmeules and Kugler Kandestin say the agreement provides compensation for loss of time related to the personal information breach, as well as compensation for identity theft.

It also provides members Equifax credit monitoring service coverage for five years, and an extension by at least five years of the other protective measures implemented by Desjardins following the breach.

Details of the settlement are available at www.desjardinssettlement.com or by calling 1-888-886-7164.

This should serve as a lesson to companies who handle personal identifiable information. You need to make sure that it is under tight controls or it will cost you a lot. Both in terms of your reputation and in dollars and cents.

Analytics Suggest 96% Of U.S. Based iOS Users Leave App Tracking Disabled in iOS 14.5

Posted in Commentary with tags , on May 7, 2021 by itnerd

Apple’s App Tracking Transparency feature has been available to iPhone users for a couple of weeks now. And early metrics suggest that an overwhelming 96% of users in the U.S. leave app tracking disabled. In other words, 96% of iPhone users do not want to be tracked at all. This comes from analytics firm Flurry who looked at 2.5 million users in the U.S.

In short, only 4% of users opted into app tracking in the U.S. When looking at users worldwide who allow app tracking, the figure rises to 12% of users in a 5.3 million user sample size. Flurry’s figures also show a stable rate of app-tracking opt-outs. The U.S. figure hovers between 11-13%, and 2-5% worldwide.

Flurry themselves point out what is at stake here:

With opt-in rates expected to be low, this change is expected to create challenges for personalized advertising and attribution, impacting the $189 billion mobile advertising industry worldwide. 

In other words, if you’re Facebook, and your revenue model relies on being able to track users all over the Internet, you have a serious problem. And it highlights that users on the iOS platform overwhelmingly value their privacy above all else.

If you want to learn more about App Tracking Transparency and how you can disable it or enable it on an app by app basis, I wrote an article about it here.

App Privacy Study Looks At Most ‘Invasive’ Apps Collecting User Data… Guess Who Is Number One And Number Two?

Posted in Commentary with tags on March 17, 2021 by itnerd

Yesterday, I came across a company called pCloud who earlier this month took a look at the most “invasive” apps that collect the most data from users and shares it with third parties. You can guess who was the most invasive:

Every time you search for a video on YouTube, 42% of your personal data is sent elsewhere. This data goes on to inform the types of adverts you’ll see before and during videos, as well as being sold to brands who’ll target you on other social media platforms. Instagram shares 79% of your data including browsing history and personal information with others online.

YouTube isn’t the worst when it comes to selling your information on. That award goes to Instagram, which shares a staggering 79% of your data with other companies. Including everything from purchasing information, personal data, and browsing history. No wonder there’s so much promoted content on your feed.

With over 1 billion monthly active users it’s worrying that Instagram is a hub for sharing such a high amount of its unknowing users’ data.

Remember, Instagram is owned by Facebook. And Facebook was number two on this list as noted below. So read into that what you will:

  • Instagram collects 79 percent of personal data
  • Facebook collects 57 percent
  • LinkedIn and Uber Eats both were caught collecting 50 percent of data.
  • YouTube and YouTube Music were found to be collecting 43 percent of personal data to share with third parties.

So if you have any of these apps on your phone, you now know your data is being vacuumed up like a maid using a Hoover. On the other end of the spectrum, apps that don’t collect much data include Signal, Clubhouse, Netflix, Shazam, Etsy, Skype, and Telegram. But this will change for iOS users shortly when iOS 14.5 is released where Apple will begin requiring apps that access a user’s advertising identifier for cross-app and website tracking to get express permission before using it, which may help cut down on some of the third-party data sharing. But this report alone may get some of the companies on this list to alter their behavior. By some, I mean any company not named Facebook who simply doesn’t care about your privacy.