Data Digest № 025
Welcome to the 25th edition of the Data Digest, where I summarize the most important events in the data industry. This is a 2 in 1 edition since we skipped a week due to our increasing workload here at Datawallet. This time in the Digest: Zuckerberg endures a beating from Washington while a $35 billion lawsuit against Facebook advances, Israeli surveillance firm sued by Whatsapp, the perils of Fingerprinting, the CCPA poses a significant impact on the automotive industry, lawmakers investigate TikTok as a national security threat, Microsoft contracts raise concern in the EU and more. Enjoy!
Zuckerberg Endures A Washington Beating From Lawmakers Against Libra
Mark Zuckerberg faced many cold shoulders from Washington in the congressional hearing on Wednesday 10/23, when he sought to testify about Facebook’s Libra cryptocurrency project to the House Financial Services Committee. The range of topics covered extended far beyond the headline topic and ended in a five-hour interrogation on Facebook’s issues related to disinformation, child pornography, and political ads. Representative Maxine Waters, Democratic chairwoman of the committee said, “As I have examined Facebook’s various problems, I have come to the conclusion that it would be beneficial for all if Facebook concentrates on addressing its many existing deficiencies and failures before proceeding any further on the Libra project,” Zuckerberg argued, that while Facebook certainly “have work to do to build trust”, China could easily overtake the U.S. on cryptocurrencies if the Libra currency gets wrapped up in red tape.
Zuckerberg stated that Libra wouldn’t launch without the approval of all US regulators, which didn’t seem to provide much comfort to the committee. Congresswoman Nydia Velázquez went as far as saying that “we’re going to need to make sure that [. . .] you learned that you should not lie” which is in reference to a previous hearing where Zuckerberg stated he would not merge data from Whatsapp with Facebook, which of course ended up happening shortly after the acquisition. It may, however, be the case that Zuckerberg doesn’t need to go as far as breaking his word this time around. As he pointed out on numerous occasions, Libra is an independent association. Facebook is a part of this association, however, according to its own statements, it does not have a controlling majority. This means that Libra could proceed with a launch without needing to involve Facebook in its decision making. Facebook, in the meantime, is building its own wallet called Calibra, which is effectively the platform that will make Libra useful. Without a user-friendly interface, where users can easily send, receive, and store their cryptocurrency, Libra would be defunct. A major drawback to the adoption of crypto for most people has been ease of use. Operating a crypto wallet, using mnemonic seed phrases, offloading assets into cold storage, etc. is a pain to most users that have grown accustomed to the intuitive UI of platforms such as Venmo. Calibra’s role in the Libra ecosystem is therefore pivotal, and getting the wallet into the hands of all Facebook users is paramount. What Facebook could decide to do in the case of Libra launching without the approval of US regulators, is simply disable Libra as a means of payment within Calibra. It could nonetheless issue Calibra wallets to all US Facebook users and get them to operate this new wallet in a “light” version that would have much resemblance to Paypal. While this does not constitute the end game for Libra and Calibra, it would allow Facebook to supplant the cash component within the wallet for Libra as soon as regulatory hurdles are cleared. This would ensure that Libra has maximum adoption with Facebook users once it does clear the regulatory hurdles. And needless to say, Facebook can already immediately deploy Libra and Calibra in all markets where crypto is not explicitly illegal, which seems to encompass a large portion of the countries that Facebook wants to specifically target with Libra, namely emerging markets with poor economic fundamentals or systems of governance and alternative payment methods such as M-Pesa.
This simply goes to show that Facebook can make massive progress with the development, deployment, and market capture of Libra without needing any US lawmaker’s approval. “Frankly, I’m not sure we learned anything new here as policymakers,” the ranking Republican on the committee, Rep. Patrick McHenry, said in a closing statement. If anything, we learned that the opinion of the likes of Rep. McHenry likely doesn’t matter at this point, as it probably doesn’t impact the go-to-market and success of Libra in the short-term.
Facebook’s Zuckerberg, Accused of Lying, Withstands a Washington ‘Beating’ (Published 2019)
Facebook Faces $35 Billion Lawsuit
On top of the congressional hearings, Facebook’s request for an en banc hearing was denied, failing to halt a $35 billion class-action lawsuit regarding the alleged malpractice of facial recognition data in Illinois, based on the Biometric Information Privacy Act. The suit alleges that Facebook did not obtain consent, when mapping started in 2011, from Illinois citizens to have their uploaded photos scanned with facial recognition, and weren’t warned that the information would be saved for considerable lengths of time. Under the class action suit, Facebook could see fines of $1,000 to $5,000 in penalties per user. In the case of 7 million people, this could sum up to a maximum of $35 billion.
$35B face data lawsuit against Facebook will proceed – TechCrunch
Israeli Surveillance Firm Sued For Spying On Citizens In Whatsapp
NSO Group, an Israeli cyber surveillance firm who sells its surveillance technology to governments globally was sued by Facebook-owned Whatsapp. The lawsuit claims that an NSO Group program has been using Whatsapp to spy on over 1,400 individuals — ranging from top human-rights activists and journalists to people targeted in assassination attempts. The firm promptly disputed the claims, stating they “will vigorously fight them.” Will Cathcart, the head of Whatsapp, wrote in an opinion piece for the Washington Post, “This should serve as a wake-up call for technology companies, governments, and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.” Whatsapp plans to hold NSO accountable for violating the U.S. Computer Fraud and Abuse Act, and several other U.S. state and federal laws. NSO is just one of the dozens of digital spyware companies that provide governments with the tools to track the digital activities of potential threats and targets. Cathcart has called on technology firms to join the United Nations for an immediate moratorium to stop the illegal use, transfer and sale of digital spyware.
WhatsApp Says Israeli Firm Used Its App in Spy Program (Published 2019)
Anonymity Online Is Dead With Fingerprinting
The Washington Post led a privacy experiment that revealed over a third of the 500 of the most popular American sites run identity checks with hidden code. The technique, called “fingerprinting” is a process whereby a site forces a browser to hand over technical data about your device, i.a. the operating system, screen resolution, or installed fonts. With just a few of these details, companies can create a unique picture of your device. They gather this information to build up a profile about you, which can be used for a variety of use cases. On the positive end of the spectrum, Fingerprinting can be leveraged to identify fraud and block harmful bots. On the negative end, Fingerprinting is used as a sophisticated mechanism to target customers with ads, which cannot be circumvented through software such adblockers. In fact, Fingerprinting companies will sometimes use the fact that you are browsing in “do not track” mode as a further method of fingerprinting a device. Geoffrey A. Fowler, who led the experiment remarked, “Privacy is an arms race — and we are falling behind.” The biggest concern with fingerprinting is that companies are gathering data irrespective of the users’ privacy choices, even sometimes intentionally going against them using “do not track” as a signal to track. Fortunately, data privacy regulations such as the California Consumer Privacy Act (CCPA) are written with very broad definitions of personally identifiable information, such that an opt-out of Fingerprints will likely be possible for California residents. Fingerprinting, however, is a testament to how the absence of a federal data privacy regulation is creating second class data citizens, namely anyone not covered by the CCPA. It also highlights how clueless many companies are, since they were not aware that Fingerprinting could be used to target customers, and that they were at the merit of the companies providing the technology to not use the data collected for any other use case other than providing the service to the company which had installed the software (i.e. companies like the Times which seeks to block bots with Fingerprinting).
Perspective | Think you’re anonymous online? A third of popular websites are ‘fingerprinting’ you.
The CCPA’s Impact On The Automotive Industry
Companies across the US are gearing up for compliance with California’s landmark privacy law, the California Consumer Privacy Act (CCPA). While it’s obvious how the CCPA constitutes a steep hurdle for industries that collect large amounts of data without having any consumer touch points, such as adtech, there are many other industries that have the required consumer touch points but still stand to face severe issues with the privacy regulation if not properly handled. A notable one is the automotive industry. The newer generations of cars collect a treasure trove of information, such as a vehicle’s functionality, performance, operation, location or environmental impact. Today, even at lower levels of functionality, connected cars generate around 25 Gigabytes of data per hour. This is exacerbated for cars with self-driving functionality, which constantly measure their environment with sophisticated sensors and cameras. According to Tuxera, autonomous cars are expected to collect anywhere from 380 TB to 5,100 TB of data per year. While the main purpose is for manufacturers and service providers to ensure vehicle operation and efficient repairs and services, there are a plethora of other use cases that this data is leveraged for, i.a. training the car’s self-driving algorithms. For the data that is collected by a vehicle and is classified as personal information, there are a number of rights that must be granted to California residents, including notice, access, opt-out (or possibly opt-in as laid out in the draft regulation put forward by the CA AG), deletion, and equal services and prices regardless of choices made. However, there are some notable exemptions for the automotive industry that the CCPA provides, including personal information that is collected under the Driver’s Privacy Protection Act of 1994, and personal information collected or otherwise disclosed under the Gramm-Leach Bliley Act or the California Financial Information Privacy Act. Data that is gathered can sometimes fall into one of the exceptions and outside of others. Requirements for these circumstances are still up for debate, and the data inventory and understanding of their use-cases will likely dictate the analysis. The bottom line is that car manufacturers who have heavily relied on data collection and built a competitive advantage around usage of this data must now build a robust framework around these data practices that put the consumer at the center of it all. Without such an infrastructure, car manufacturers stand to quickly run afoul of one or more regulations at the same time.
CCPA's potential impact in the automotive space
U.S. Lawmakers Investigate TikTok As A National Security Threat
Lawmakers are calling on U.S. intelligence to investigate whether the Chinese owned video-sharing app could pose “national security risks”. Senators Charles Schumer and Tom Cotton questioned, in a letter addressed to the director of national intelligence Joseph Maguire, whether the App makers might be compelled to hand over Americans’ data to the Chinese authorities. With over 110 million downloads, Tiktok has amassed a significant user base, specifically among teens who are attracted by its ability to share short viral videos across social media networks. However, because TikTok is owned by Beijing-based company Bytedance, lawmakers are suspicious that the company could be interested in turning over user data to the Chinese government, such as location data, cookies, metadata and more — even if it’s stored on US servers. The letter sent on Wednesday, said “without an independent judiciary to review requests made by the Chinese government for data or other actions, there is no legal mechanism for Chinese companies to appeal if they disagree with a request.” TikTok spokesperson Josh Gartner said they were “carefully reviewing” the letter. “We will not be offering any further comment on it at this time other than to reaffirm that TikTok is committed to being a trusted and responsible corporate citizen in the U.S., which includes working with Congress and all relevant regulatory agencies.”
Lawmakers ask US intelligence to assess if TikTok is a security threat – TechCrunch
Microsoft Contracts Raise Concerns For EU Watchdog
Last Monday, the European Data Protection Supervisor (EDPS) uncovered in their initial findings that Microsoft contracts with EU institutions appear to not fully protect data in line with Europe’s data privacy regulation, the GDPR. The investigation was opened in April to assess whether contracts fully complied with the bloc’s data protection laws. A statement from the EDPS said, “Though the investigation is still ongoing, preliminary results reveal serious concerns over compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services.” A Microsoft spokesperson said, “We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS.”
EU data watchdog raises concerns over Microsoft contracts
Genetic Data Leak Of Over 1 Million Could Lead To Biological Countermeasures
Computer scientists at the University of Washington revealed that using GEDmatch services could pose a serious security risk. In an estimate by MIT Technology Review back in February, it was revealed that over 26 million people had their DNA analyzed by genetic testing companies such as MyHeritage, 23andMe, AncestryDNA, and others. Over a million of them simultaneously uploaded their genetic information to a third-party website called GEDmatch to find DNA that matched up with theirs in the database. The researchers at the University of Washington posted a paper this week revealing the possibility to identify individuals and their genetic information. In the wrong hands, the data could pose a national security threat and could lead to the extortion or blackmailing of victims. Though the federal Genetic Information Nondiscrimination Act protects individuals in the United States from genetic discrimination in health insurance and employment, it doesn’t apply to life insurance, disability insurance, long-term care insurance, or businesses that have fewer than 15 employees. Edward You, a supervisory special agent in biological countermeasures at the FBI, has speculated that genetic databases could be hacked by nation-states to discriminate against certain groups of people, make targeted bioweapons, or get a head start on scientific and medical advancements. The problem with GEDMatch, as with many other large organizations, is that extremely sensitive personal data is stored by these companies in centralized databases without any clearly established security guidelines, representing a major honeypot for hackers who, if successful, are able to get their hands on hundreds of thousands of DNA data sets. It is exactly this level of access with one hack, that make the unit economics of hacking worthwhile. If the system was decentralized, and the data was stored on i.e. a user’s own device, each person would need to be hacked individually, making the unit economics prohibitive.
A Huge Database Containing Data from At-Home DNA Kits Is Open to Attacks
7.5 Million Adobe Accounts Exposed To The Public In Data Breach
The private details of nearly 7.5 million Adobe Creative Cloud accounts were exposed to the public in a database that could be accessed by anyone without passwords or security protocols. Originally reported by Comparitech on Oct 25th, the security researchers estimated that the breach was exposed for about a week before they fixed it. To date, it’s unknown if the data was accessed during its exposure. Details included email addresses, creation dates, products used, subscription status’, country and region information, Adobe Employee or Member ID status, last login info, and payment status. Luckily, sensitive payment information and passwords were not stored in the database. Unfortunately, users’ personal data if exposed could be targeted for phishing scams. Users who were affected in the data breach have been asked to report any unusual activity to Adobe’s official support accounts.
Adobe Data Breach Exposes Nearly 7.5 Million Creative Cloud Accounts To Public
What I'm Reading:
40 Major Music Festivals Have Pledged Not to Use Facial Recognition Technology
NordVPN confirms it was hacked – TechCrunch
Why the Facebook News tab shouldn’t be trusted – TechCrunch
Facebook Wants to Offer You Advice on Preventive Health Care
Australia Proposes Face Scans for Watching Online Pornography (Published 2019)
Opinion | Pierre Delecto, QAnon and the Paradox of Anonymity (Published 2019)
SerafinData Digest Consumer PrivacyData Misuse Data Breaches CCPA Industry Trends