Data Digest № 026

Data Digest ¦ November 26th, 2019, 11:00 pm

Welcome to Datawallet’s Data Digest, where I summarize and sometimes analyze the latest news in the data industry. Or in this case, the news over the last three weeks.

Microsoft expands coverage of the CCPA across the U.S.

Microsoft has vowed to ‘honor’ the ‘core rights’ of the California Consumer Privacy Act (CCPA) and expanded its coverage across the entire United States. Announced in a statement on Monday, Julie Brill, Microsoft’s chief privacy officer, said that the company will apply the principles of the CCPA across the whole of the U.S., similarly to the companies’ approach last year to Europe’s General Data Protection Act (GDPR). Brill wrote, “CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.” Microsoft’s decision to roll out CCPA style rights across their entire customer base in the U.S. marks an important precedent in how large tech companies choose to meet the new privacy challenges posed by state privacy laws. Instead of creating what Marc Benioff has previously called “second class data citizens” Microsoft’s decision to treat all customers equally in terms of their data is, if anything, an acknowledgment of the importance of corporate data custodianship in consumers’ buying decision. With 87% of consumers stating that they will take their business elsewhere if they don’t trust how a company handles their data, Microsoft is smart to brand itself as a good data custodian by rolling out CCPA data rights to their entire customer base and therefore incentivizing customer retention as well as new customer acquisition. Smart move, Microsoft!

Microsoft vows to ‘honor’ California’s sweeping privacy law across entire US

80% of Americans feel like they have very little or no control over the data being collected about them

According to a recent survey by Pew Research, over 80% of Americans feel like they have little to no control over the data being collected about them. Over 70% believe that almost everything they do online is being tracked with almost as many believing the same to be true offline, and 79% say they don’t trust companies to own up to mistakes when they mishandle data.

Considering recent history, such as the Cambridge Analytica scandal or the Equifax breach in 2017, it’s no surprise that Americans feel a lack of control over their data. Americans are more aware than ever of the unfair value exchange involving the trading of data for technology and convenience. As the Pew survey revealed most Americans have arrived at the conclusion that the potential risks of data collection by companies and governments significantly outweigh the benefits. It is precisely this evolution in public sentiment which helps understand the emergence of strict data privacy regulation intended to address the growing demand for control over data among voters with California enacting the most groundbreaking privacy bill in the U.S. on January 1st, the CCPA.

Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information

Majorities of U.S. adults believe their personal data is less secure now, that data collection poses more risks than benefits, and that it is not possible to go through daily life without being tracked.

The might of CCPA fines and how Facebook is using your camera to spy on you

Two weeks ago, it came to light that Facebook’s app may have been opening iPhone cameras in the background without their users’ knowledge. The bug was detected on iOS 13.2.2 but not on iOS 12. Video and potentially sound recordings, which could easily be linked to individuals and therefore constitute personal information/data under the CCPA and the GDPR, were collected without the knowledge of the app-users, violating GDPR, CCPA, and potentially SB-220. Facebook commented, “we inadvertently introduced a bug that caused the app to partially navigate to the camera screen adjacent to News Feed when users tapped on photos.”

When the California Consumer Privacy Act (“CCPA”) takes effect on January 1st, 2020, California will be the first state to give residents the right to seek statutory damages of up to $7500 per incident, if their personal information is exposed in a data breach, with or without any actual harm. To succeed, the defense of the breached business must demonstrate that it had sufficient security procedures in place. A “wait and see” strategy is not an option with the CCPA.

After being flagged by the Attorney General for a violation, businesses are granted a mere 30-day timeframe to cure the violation and ensure that no further violations of the same type can occur. A broad interpretation of the term “cure” would mean overhauling entire processes and IT-systems. Failing to do this within the short timeframe might lead to the violation being categorized as intentional, which could lead to fines being tripled. Businesses that are more prepared to respond to data breaches will inevitably maintain a better defense in a breach lawsuit. But CCPA fines don’t stop there. There are many other costs associated with data breaches for businesses to consider including; reputation, business continuity, competitive disadvantages, investigation, legal, contractual, regulatory, notification, and litigation costs.

For a more in-depth look at the potential risks of CCPA fines, you can read our blog post.

CCPA fines blow GDPR's out of the water

The fines of the CCPA, SB-220, and the GDPR compared based on Facebook’s latest privacy violation.

Google to let sites block personalized ads under CCPA

Google has announced that the launch of a new feature that allows websites subject to the California Consumer Privacy Act (CCPA) to block personalized ads for consumers in California. In spite of Big Tech’s efforts to exempt personalized ads from California’s landmark privacy bill, Google will need to allow customers to opt-out of the sale of their personal data, of which personalized ads are a major use case. Since collecting and processing information on consumers helps companies like Google more accurately target the latter with ads, premiums for this type of inventory often have a 10x premium compared to regular ads. Not being able to offer this type of premium inventory will likely result in a major revenue loss for Google and other ad tech players, as advertising dollars will be diverted to other advertising channels. Google said that when the “restricted data processing” is triggered, ads will only be based on general data such as the user’s city-level location or the subject of the page where the ad is appearing. Choosing whether or not to enable restricted processing is left to the operator of a website, meaning the compliance burden and potential legal ramifications are on website owners.

Google to let sites block personalized ads under California privacy law

Websites and apps using Google's advertising tools will be able to block personalized ads to internet users in California and elsewhere as part of the Alphabet Inc unit's effort to help them comply with the state's new privacy law, it told clients this week.

Google’s secret “Project Nightingale” collects sensitive health information of millions of Americans, and simultaneously, they’ve acquired Fitbit

The announcement of Google’s new partnership with Ascension, the second-largest health care system in the U.S., and their recent acquisition of Fitbit have raised serious concerns around the collection and usage of personal data. The secret project, named “Project Nightingale” was reported by the WSJ last week and has since caused a stir.

Sounding increasingly like an episode of Black Mirror, the data collection is part of Google’s bigger plan to introduce new software using AI that will analyze patient information for Ascension and provide recommendations for people to improve their health. The move has also come just as the company has acquired a fitness watchmaker, Fitbit, for $2.1 billion, also infamous for its bad data collection practices.

Over 150 employees at Google’s parent company, Alphabet, have already been given access to the health data of tens of millions of Americans. And while the information they are collecting is not technically illegal under the Health Insurance Portability and Accountability Act of 1996 (giving hospitals permission to share some data with businesses as long as it’s used to “help the covered entity carry out its health care functions”), the increased dominance that Google will consolidate from these two business deals is clearly a violation of people’s rights to health data privacy. Google is currently hiring healthcare executives, showcasing their plans to move forward regardless. In response to widespread outrage among privacy advocates, Google stated that no Fitbit data would be used for advertising purposes. Google exec, Rick Osterloh, promises that “Fitbit health and wellness data will not be used for Google ads.” This sounds awfully similar to claims made by Zuckerberg to not merge Whatsapp data with Facebook data, which were to no avail. Furthermore, there is no law currently in place to prevent Google from doing so.

WSJ News Exclusive | Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans

Google is teaming with one of the country’s largest health-care systems on an ambitious project named “Project Nightingale” to collect and crunch detailed health information of millions of Americans across 21 states.

One Of The Biggest Data Leaks Ever Exposes Data On 1.2 Billion People

A data leak discovered by Bob Disaschenko and Vinny Troia unveiled over 4 terabytes of data from 1.2 billion unique people on an unsecured Elasticsearch server, making it the largest single source data breach of all times. So far, it looks like the data has originated from two different data enrichment companies, People Data Labs (PDL), and who pride themselves on having “unparalleled coverage across over 150 data points” and “in-depth data on people and companies”. Enriching of data is the process of taking a data set and augmenting the existing data with third-party data that is matched around a certain identifier, be it emails, names, IP addresses, or similar. The data assets maintained by People Data Labs and OxyData for enrichment and now breached contained information including names, email addresses, phone numbers, LinkedIn and Facebook profile information. When the researchers contacted the companies, both denied ownership of the server leaking the data. Troia noted that they may never find the culprit who combined the companies data into a single database and left it exposed.

1.2 Billion Records Found Exposed Online in a Single Server

Here's the next jumbo data leak, complete with Facebook, Twitter, and LinkedIn profiles.

A new online privacy act is cooking in Silicon Valley

Anna Eshoo and Zoe Lofgren, lawmakers who represent Silicon Valley have announced an ambitious but all-encompassing online privacy act. Requirements of the bill include the limiting of use, collection, and sharing of personal information for specific business needs. It would also require users to opt into specified data collection and give them the ability to delete and correct data about themselves, as well as limiting the duration period companies could hold their information. The lawmakers claim that the current enforcement, the Federal Trade Commission, are lacking in resources, are “toothless” and have issued “the equivalence of parking tickets” to reprimand privacy violations. The two, therefore, suggest the enforcement of a Digital Privacy Agency of up to 1,600 employees. In representing the districts of some of the largest technology companies in the world, Lofgren stated that she and Eshoo wanted to make a point, “if the representatives from Silicon Valley took a strong stand for privacy rights, it would be meaningful to the rest of Congress, that’s why it’s as bold as it is.”

For a more in-depth analysis of the proposed Online Privacy Act (OPA), you can read our latest blogpost.

Proposed Federal Online Privacy Act Goes After Big Tech and puts Consumers in the Driver’s Seat

The emanating patchwork of differentiating state-wide privacy regulations, such as the CCPA, Nevada SB 220, Maine LD 946 and coming soon, Illinois HB 3358 and Washington SB 5376, is a thorn in the eye of many American businesses. Keeping up with so many differentiating laws comes at a great continuous cost. The fear of a future of fragmented privacy laws has even managed to garner the interest of Big Tech in a Federal Privacy Regulation, in an effort to stomp out these threatening state-wide regulations that are growing like weeds.

What I'm Reading:

Breach affecting 1 million was caught only after hacker maxed out target’s storage

Hacker's data archive file grew so big that the target's hard drive ran out of space.

Senate Democrats unveil priorities for federal privacy bill

A group of top Democratic senators from four key committees on Monday unveiled their priorities for the nation's first comprehensive privac

T-Mobile confirms customers' personal data accessed in hack | Engadget

It's been a rough month for customers who care about their privacy, with data breaches affecting businesses as diverse as high-end department stores, camgirl websites and online domain registrars. Yet another cybersecurity issue has allowed hackers to access data about prepaid customers of popular US and European telecom brand T-Mobile, as revealed by blog TmoNews.

Thousands of hacked Disney+ accounts are already for sale on hacking forums | ZDNet

Hackers began hijacking accounts hours after Disney+ launched earlier this week.

Google to let sites block personalized ads under California privacy law

Websites and apps using Google's advertising tools will be able to block personalized ads to internet users in California and elsewhere as part of the Alphabet Inc unit's effort to help them comply with the state's new privacy law, it told clients this week.

New York Expands Definition of Private Information and Imposes Groundbreaking Cybersecurity Requirements

The Stop Hacks and Improve Electronic Data Security Handling Act (SHIELD Act) recently enacted by the New York Senate brings New York in line with many states that have expanded their breach notificat

Facebook Viewpoints pays users for well-being surveys & tasks – TechCrunch

Facebook is launching a new market research, task, and product testing program that lets users earn money. Starting today, people in the US who are over 18 can download Viewpoints and participate in a well-being survey so Facebook can learn to “limit the negative impacts of social media and e…



Get the Data Digest in your inbox