Data Digest № 020

Data Digest ¦ September 22nd, 2019, 11:00 pm

Welcome to the 20th edition of the Data Digest, where I sum up the most important happenings in the data industry. This week’s two-week overview includes: VICE uncovers DMVs’ dirty data dealings, Facebook reveals 2 million apps require privacy investigations, businesses scramble to comply with the CCPA, secret F.B.I. subpoenas scoop up personal data, millions of Americans’ health data is found available on the internet, Facebook mingles with your love life, sneaky Bluetooth location tracking, and more. Enjoy!

American Drivers’ Personal Data Commercialized By DMVs

VICE revealed that several Department of Motor Vehicles (DMVs) are selling American drivers’ data for tens of millions of dollars without their consent. The investigation, based on hundreds of DMV documents, uncovered that “Wisconsin DMV had data selling agreements with over 3100 different entities, including around two dozen private investigation firms”. Similar arrangements were also found in the Virginia DMV. Senator Bernie Sanders stated, “Nobody — from agencies like the DMV to large corporations like Facebook and Google — should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans.”

Senator Mark Warner said, “this is just another example of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized. The standard talking point that consumers ‘don’t care about privacy’ has been increasingly disproven, as we learn that consumers and policymakers have been kept in the dark for years about data collection and commercialization practices.” Reckless ways of selling data have been legitimized, and in some cases encouraged, by inadequate federal privacy laws. These are all worrying signs that the current legal system to protect user privacy and user agency over personal information will not suffice, and that a federal data privacy regulation framework, like the California Consumer Privacy Act (CCPA), is more urgent than ever before.

Bernie Sanders Says DMVs Should Stop Profiting From Drivers’ Personal Data

The comments follow Motherboard’s investigation into how DMVs are selling drivers’ data.

Facebook Reveals That Two Million Apps Could Have Misused Personal Data

Facebook revealed that the privacy issues and scale of suspensions associated with the Cambridge Analytica scandal in 2018 were much larger than it had previously disclosed. Court documents showed that Facebook identified approximately two million apps that needed to be investigated in order to confirm whether they’d misused people’s personal data. Maura Healey, the attorney general for Massachusetts, stated, “For nearly a year, Facebook has fought to shield information about improper data-sharing with app developers… If only Facebook cared this much about privacy when it was giving away the personal data of everyone you know online.” Because the investigation would require such a large amount of resources, it was narrowed to a focus group of 10,000 apps. Of those, Facebook commenced a “detailed background check” of the developers behind 2,000 apps in order to determine whether they showed signs of fraud or had significant connections to “entities of interest”. The sheer hypocrisy of the company fighting to keep these documents hidden from the public eye for almost a year while simultaneously conjuring up a rampant privacy PR front is frankly unfathomable.

Facebook’s Suspension of ‘Tens of Thousands’ of Apps Reveals Wider Privacy Issues (Published 2019)

The scale of suspensions, following the Cambridge Analytica scandal, was far larger than the social network had previously revealed.

The California Data Privacy Law Is Approaching

California’s landmark data privacy regulation will go into effect on Jan 1st, 2020. It’s estimated that over 500,000 U.S. businesses will fit the criteria to comply. The law applies to any for-profit business that conducts business in California and

  • generates a revenue of more than $25 million

  • holds personal information of at least 50,000 consumers

  • generates at least 50% of its revenue from selling data.

This is a tall order for companies that haven’t previously been on top of their data collection practices, as it requires them to keep all their customer data in one place and match up individuals’ data across disparate systems. “You have to find a way to capture all that information and track it so you know what’s happening with that information,” said Dan Koslofsky, associate general counsel for privacy and data security at Gap. “And that’s a pretty significant undertaking for most companies. Unless you’ve been in a regulated space like health care or financial services, you probably haven’t done that previously.” Rena Mears, a principal with the law firm DLA Piper, commented that “99% of the businesses that we’re dealing with are choosing to make the law apply to all their U.S. customers.” Rapidly changing data regulations can heavily drain a business’s resources. As legislation across the U.S. aims to enhance the privacy rights of consumers, businesses will continue to scramble for compliance. Businesses that take a proactive rather than reactive approach to data privacy, instead of simply complying with new legislation, will come out on top. Innovative and preventive data governance solutions like Datawallet enable companies to establish and, more importantly, maintain the trust of their consumers.

Businesses Across the Board Scramble to Comply With California Data-Privacy Law

The California Consumer Privacy Act was designed to make tech giants more transparent about how they handle consumer data—and now companies from Starbucks to the Gap also are racing to comply.

Secret F.B.I. Subpoenas Scoop Up Personal Data From Scores of Companies

Documents obtained by the Electronic Frontier Foundation by way of a lawsuit, and subsequently shared with The New York Times, have revealed that the F.B.I. has been using secret subpoenas to obtain personal data from more than 120 companies, including credit agencies, major cellular providers, financial institutions and universities. The NYT reported that “the demands can scoop up a variety of information, including usernames, locations, IP addresses and records of purchases. They don’t require a judge’s approval and usually come with a gag order, leaving them shrouded in secrecy.” The documents included information on 750 subpoenas, out of an expected total of approximately half a million issued since 2001, following the expansion of rights under the Patriot Act. The highest number of the so-called “National Security Letters” were received by Equifax, Experian and AT&T, which received more than 50 each. TransUnion, T-Mobile and Verizon came second with more than 40. Yahoo, Google and Microsoft got more than 20 each, and over 60 companies received only one. Albert Gidari, privacy director at Stanford’s Center for Internet and Society, noted that “Telecoms and financial institutions get little attention” compared to Silicon Valley firms, mostly because they are less likely than big tech to fight the gag orders.

Secret F.B.I. Subpoenas Scoop Up Personal Data From Scores of Companies (Published 2019)

The practice, which the bureau says is vital to counterterrorism efforts, casts a much wider net than previously disclosed, newly released documents show.

Millions of Americans’ Medical Images and Data Are Leaked on the Internet.

Confidential patient records of over 5 million U.S. citizens and over 16 million scans worldwide were uncovered online by ProPublica and the German broadcaster Bayerischer Rundfunk. Anyone with basic computer skills can access the images and sensitive health data. During the investigation, they found 187 servers used to store and retrieve medical data that were left almost completely unprotected, without basic security protocols such as passwords. Jackie Singh, a cybersecurity researcher, accurately stated, “It’s not even hacking. It’s walking into an open door.” Data included patients’ names, birthdates, Social Security Numbers and sometimes even their echocardiograms. Several security experts noted the exposure of such sensitive medical data could violate the Health Insurance Portability and Accountability Act (HIPAA).

Millions of Americans’ Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek.

Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records. One expert warned about it for years.

Facebook’s Mingling With Your Love Life

Charlie Warzel wrote an opinion piece for the New York Times on why not to trust Facebook with your love life. Though it seems obvious, the feature will probably remain a top attraction for many; after all, they’re “just connecting people”, right? “No ads, no revenue, just love.” Charlie notes that the new Dating feature might not be as charitable as it seems, with Facebook doing some “mingling of its own” by merging Instagram and Facebook contacts, stories and photos. He goes on to list Facebook’s incredible track record of data abuse, surely not a company you should entrust with your most intimate details. Nevertheless, other dating apps haven’t shown much more promise. Tinder is another prime data offender, hoarding troves of information people choose to disclose, including locations, interests, pictures, career history, tastes and personal preferences. The problem with these ‘new features’ is that the only goal for the company selling them is to collect more data on their customers in order to increase their ad-serving efficacy, maybe not within the feature itself, but certainly outside of it. The fact that this is not clearly communicated, and is hidden behind an apparently humanistic motivation, is troublesome.

Opinion | Don’t Trust Facebook With Your Love Life (Published 2019)

Happiness, brought to you by the company that gave you the Cambridge Analytica Scandal™!

The Not So Secret Plan For Boris Johnson To Gather Personal Data

In the run-up to Brexit, Boris Johnson has requested that the Cabinet Office obtain access to all GOV.UK data in order to “accelerate his ambitions for a digital revolution in public services”. Privacy advocates and opposition leaders have questioned the legal and ethical implications of pooling user data across government. The potential for this to take place without user consent and with poor protection of the public’s data rights is a huge concern for privacy campaigners and policy experts. GOV.UK provides information and services, from passports to pensions. It’s the government’s public platform for some of the UK population’s most personal information. As of this month, it has become the hub for the government’s publicity campaign to prepare voters and businesses for a no-deal Brexit. Government-funded advertising on Facebook and other social media platforms is urging people to “Get Ready for Brexit”, directing them to GOV.UK for more information. Using public data from GOV.UK to drive political campaigns without consent could lead to significant distrust, and make the public hesitant to share data with the government in the future.

Revealed: The Secret Plan To Track User Data That Dominic Cummings Says Is The Government's "TOP PRIORITY"

Leaked documents show the prime minister’s chief adviser emailed senior officials instructing them: “We must get this stuff finalised ASAP.”

Hong Kong Protesters’ Personal Data Leaked by Russian Website

A website on a Russian domain was found to have exposed the detailed personal information of Hong Kong protesters and journalists. This has been viewed as a politically motivated event that marks yet another serious limitation to the city’s dwindling civil liberties. “Doxing can be done for several reasons, but in this case, it seems the goal is to harass and to encourage self-censorship,” said Tsui, a journalism professor at the University of Hong Kong. “It is also aimed at discouraging people from protesting or speaking the truth.” Chinese state media were reportedly also promoting the site, according to Tsui, who also believes this was a reflection of Beijing’s fear of the Hong Kong protests.

Hong Kong protesters personal data leaked by Russian website | DW | 20.09.2019

A website registered on a Russian domain has shared detailed personal information of dozens of Hong Kong protesters and journalists. Observers view it as another serious blow to the city's dwindling civil liberties.

Bluetooth Enables Companies To Sneakily Track Your Location

Apple’s iOS 13 update integrated a new privacy measure that requires apps to ask for your consent in order to use your device’s Bluetooth, to stop companies sneakily tracking your location by using beacons in stores. Chris Welch, a reporter for Wired, was shocked to find out just how many apps have subsequently asked him for Bluetooth permissions. Apple also increased transparency on location tracking by alerting users to how many times an app, such as Google Maps, tracked their location in the background, visualized on a map. This is a good move forward from Apple. Data tracking transparency will hopefully encourage people to adjust their privacy settings for apps running in the background. However, many users will likely misunderstand the prompts for consent and grant location access regardless.

Here’s why so many apps are asking to use Bluetooth on iOS 13

You’ll be astonished at how many apps want Bluetooth access.

Data on Almost Every Ecuadorian Citizen Leaked

The personal data of 17 million Ecuadorian citizens, including 6.7 million children, was found to be publicly available on an unsecured cloud server by security company vpnMentor. This was an incredibly serious data breach that involved a huge amount of sensitive and personally identifiable information. The exposed files included basic identity data as well as financial information, phone numbers, family records, marriage dates, education histories and work records. The security researchers who uncovered the breach said, “This data breach is particularly serious simply because of how much information was revealed about each individual”. A quick search of the data could reveal home addresses, information about children, models and registration plates of the cars they drove and financial information. Such negligent handling of deeply personal information is a huge security lapse, and the data is extremely dangerous in the hands of criminal gangs. Ecuador’s computer emergency security team thankfully managed to respond quickly and cut off open access.

Data on almost every Ecuadorean citizen leaked

The massive database of personal information was found on an unsecured cloud computer, researchers say.

What I'm Reading:

13 Ways the Government Went After Google, Facebook and Other Tech Giants This Year

Lawsuits and investigations could eventually lead to the breakup of some companies and to new laws that alter the balance of corporate power.

Facebook’s Suspension of ‘Tens of Thousands’ of Apps Reveals Wider Privacy Issues (Published 2019)

The scale of suspensions, following the Cambridge Analytica scandal, was far larger than the social network had previously revealed.

A Password-Exposing Bug Was Purged From LastPass

Google Project Zero found and reported a flaw in the widely used password manager.

Google Will Listen to Your Conversations Again, But Ask First

Google workers will listen to audio snippets of people speaking to its digital voice assistant to help improve the product’s quality -- if users give the company permission to do so.


