WebProNews

Tag: Privacy

  • Samsung Max VPN Collects Your Private Data and Sells It

    Users relying on Samsung’s Max VPN should look for other options to keep their data private and safe.

    Samsung includes and/or promotes its Max VPN service on its phones. As sharp-eyed Reddit user soboi12345 has pointed out, however, users’ data is not at all private when using Samsung’s VPN. In fact, the company collects unique identifying data and sells it to third parties.

    The company describes its practices in its Max Service Description and Privacy Policy:

    The Max Service app may log how you use your device, including unique identifiers, information about the software you’ve installed, device characteristics, information about your location and mobile carrier, the type of network you use to access web content, how much data you use, and the URLs you visit. We use this data to debug the Max Service app and to improve the user experience. We anonymize and/or aggregate this data and may allow our business partners access to it.

    To be clear, Samsung’s VPN is collecting unique identifiers, location data, the apps users have installed, and the websites they visit — and then selling that data rather than protecting users’ privacy.

    This is an appalling breach of trust for any VPN provider, especially since many VPN users are specifically looking to avoid exactly the kind of data collection Samsung is engaging in.

    Samsung’s behavior is even more egregious when considering that the company called out people’s data being used as a commodity when it launched Max VPN:

    “All over the world, data has become a commodity, but many plans are simply still too expensive for consumers that want to get the most out of the latest technology built into their devices,” said Seounghoon Oh, Vice President Samsung R&D Institute India, at the time. “With Samsung Max, our users in every corner of the globe now have increased autonomy and control over their data usage and privacy in an era of rising security threats, fraudulent apps and user profiling.”

    With such a strong statement, Samsung’s users could be forgiven for thinking the company would actually protect their privacy and not use their data as “a commodity.”

    As we have stated on WPN, and as The New York Times Wirecutter has recommended, Mullvad is the best VPN for users that truly care about their privacy. The company has a zero-logs policy and doesn’t save identifying information. In fact, users are given a random numeric account number for login purposes rather than using an email address or username.

    The company has also had extensive third-party security audits, is transparent about its ownership, has a clear privacy policy, good performance, and is reasonably priced.

  • Windows 11 Sends Massive Amounts of Data to Ad Companies

    The PC Security Channel (TPSC) analyzed Windows 11 and found it sends massive amounts of user data to Microsoft, as well as third-party ad companies.

    TPSC is a YouTube channel dedicated to cybersecurity and privacy. The channel took a brand-new, never-used laptop and used Wireshark to monitor its network traffic from the moment it was first booted.

    Unsurprisingly, the computer immediately connected to a number of Microsoft services, including Bing, MSN, and the Windows Update service. While it’s not surprising a Windows machine would connect to Microsoft, it is surprising that the Bing traffic was happening without the web browser ever being opened or used.

    Even more surprising, Windows 11 also connected to McAfee, Steam, and Comscore’s ScorecardResearch.com, to name just a few. The last one is particularly alarming, as it is an ad-tech company. In fact, when TPSC first tried going to the website to see what ScorecardResearch.com was, the channel’s browser adblocker would not even load the page since it is a known ad and tracking domain.

    To make matters worse, Microsoft connects and sends data to these servers without expressly asking the user’s permission. Instead, the company relies on a vague clause in the Microsoft License Terms to constitute permission.

    Privacy; Consent to Use of Data. Your privacy is important to us. Some of the software features send or receive information when using those features. Many of these features can be switched off in the user interface, or you can choose not to use them. By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features.

    Tom’s Hardware reached out to Microsoft and was given the following statement:

    “As with any modern operating system, users can expect to see data flowing to help them remain secure, up to date, and keep the system working as anticipated,” a Microsoft spokesperson said. “We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy.”

    A legitimate case can be made for Windows 11 connecting to Microsoft services, but there is absolutely no valid justification for connecting to and sending telemetry to an ad-tech company.

    Interestingly, TPSC ran the same test with Windows XP and found that it only connected to Microsoft update servers, greatly undermining Microsoft’s claim that Windows 11’s connections to third parties were necessary to “remain secure, up to date, and keep the system working as anticipated.”
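The triage behind this kind of test is simple once the capture exists: list the hosts a fresh machine contacted, separate the vendor's own endpoints from third parties, flag anything on an ad/tracker blocklist, and diff the result against an older build. The following is an added example written for this page, not TPSC's or Microsoft's code. The capture lines, the first-party suffix list and the tracker list are constructed stand-ins (ScorecardResearch.com is the only domain taken from the article; the other third-party hosts use reserved .test/.example names), and the CSV-like layout merely imitates what a Wireshark/tshark export might be reduced to.

```python
"""Triage of outbound connections observed during first boot (added example)."""
from dataclasses import dataclass

# Constructed stand-in for a reduced Wireshark/tshark export:
# "seconds_since_boot,protocol,destination_host,dst_port" per line.
SAMPLE_CAPTURE = """\
0.512,TLS,update.microsoft.com,443
0.730,TLS,www.bing.com,443
1.102,TLS,www.msn.com,443
2.004,TLS,b.scorecardresearch.com,443
2.410,TLS,example-av-vendor.test,443
3.300,TLS,store.steampowered.example,443
3.901,DNS,dns.msftncsi.com,53
4.077,TLS,www.bing.com,443
"""

# Constructed stand-in for an older build that only talks to update servers.
SAMPLE_CAPTURE_LEGACY = """\
0.900,TLS,update.microsoft.com,443
"""

# Constructed: suffixes treated as the OS vendor's own infrastructure.
FIRST_PARTY_SUFFIXES = ("microsoft.com", "bing.com", "msn.com", "msftncsi.com")

# Constructed stand-in for the ad/tracker blocklist an adblocker consults.
TRACKER_SUFFIXES = ("scorecardresearch.com",)


@dataclass(frozen=True)
class Connection:
    ts: float
    proto: str
    host: str
    port: int


def parse_capture(text: str) -> list[Connection]:
    """Parse the export into Connection records, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, proto, host, port = parts
        try:
            out.append(Connection(float(ts), proto, host.lower().rstrip("."), int(port)))
        except ValueError:
            continue  # unparsable timestamp or port
    return out


def _matches(host: str, suffixes: tuple[str, ...]) -> bool:
    # Match the domain itself or a subdomain, never a bare substring,
    # so "notmicrosoft.com" is not mistaken for first-party traffic.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(conn: Connection) -> str:
    """Label a destination; 'tracker' takes precedence over the other two."""
    if _matches(conn.host, TRACKER_SUFFIXES):
        return "tracker"
    if _matches(conn.host, FIRST_PARTY_SUFFIXES):
        return "first-party"
    return "third-party"


def triage(text: str) -> dict[str, list[str]]:
    """Group the distinct hosts in a capture by classification."""
    groups: dict[str, set[str]] = {"first-party": set(), "third-party": set(), "tracker": set()}
    for c in parse_capture(text):
        groups[classify(c)].add(c.host)
    return {k: sorted(v) for k, v in groups.items()}


def compare_baselines(new_text: str, old_text: str) -> list[str]:
    """Hosts the newer build contacted that the older build did not."""
    new_hosts = {c.host for c in parse_capture(new_text)}
    old_hosts = {c.host for c in parse_capture(old_text)}
    return sorted(new_hosts - old_hosts)


if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_CAPTURE).items():
        print(f"{label:12s} {hosts}")
    print("new vs legacy:", compare_baselines(SAMPLE_CAPTURE, SAMPLE_CAPTURE_LEGACY))
```

The suffix match is deliberately anchored at a label boundary; a naive substring check would let a lookalike domain pass as first-party. In practice the tracker list would be a maintained blocklist rather than a one-entry tuple, and the capture would be exported from the real tool, but the grouping and the before/after diff are the same.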

    As we have stated at WPN many times, there is NO EXCUSE for a company that charges handsomely for a product to then turn around and try to monetize its customers’ data, let alone try to do so without express and explicit permission. And no, a couple of sentences buried in a long, legalese licensing document that few people will ever read does not count as express and explicit permission.

    Microsoft should be ashamed of itself for this behavior, and one can only hope this revelation will put the company in the crosshairs of the EU’s GDPR.

    In the meantime, TPSC’s question, “Has Windows become spyware?” is one that deserves an answer.

  • Privacy and Cybersecurity Challenges in 2023 – Part One

    With a new year comes new privacy and cybersecurity challenges for companies large and small, not the least of which is new regulation. The tech industry is facing new regulations in 2023, some of which will have profound impacts on day-to-day business and carry hefty penalties for non-compliance.

    Here are some of the top regulatory issues companies need to be aware of:

    Voluntary Cooperation Is Out; Regulation Is In

    One of the major changes moving forward in 2023 is an expected change in the US government’s approach to cybersecurity. In the past, the government was largely willing to allow companies to handle cybersecurity issues on a voluntary basis, but those days appear to be over.

    The White House Office of the National Cyber Director is expected to unveil major new initiatives in the first half of 2023, and many of them will be mandatory.

    “We’ve been working for about 23 years on a largely voluntary approach,” said Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “The way forward is going to require thinking about regulation.”

    California Consumer Privacy Act of 2018

    One of the biggest regulatory challenges businesses will face is the California Consumer Privacy Act of 2018 (CCPA), including the Proposition 24 amendments that were passed in 2020 and expanded the scope of the CCPA.

    Per the California Attorney General’s office, the CCPA guarantees the following rights:

    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale or sharing of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.

    In addition, the Proposition 24 amendments add the following:

    • The right to correct inaccurate personal information that a business has about them; and
    • The right to limit the use and disclosure of sensitive personal information collected about them.

    The latter two rights, in particular, are of special note since they went into effect on January 1, 2023.

    Most important, however, is a provision that allows customers to take legal action against companies that fail to properly protect their data and expose such data as a result of a breach. This places a tremendous responsibility on companies to ensure all possible measures are being taken to reduce their possible liability.

    Increased GDPR Enforcement

    Another major hurdle many businesses will face is increased enforcement of the European Union’s GDPR. While the GDPR has been in effect for years, companies on both sides of the Atlantic have largely ignored some of its provisions.

    The EU sent a clear message in 2022, however, that companies will continue to ignore the GDPR at their own peril. For example, in January 2022, the Austrian Data Protection Authority ruled that Google Analytics violated the GDPR and was therefore illegal, impacting countless EU-based companies and websites.

    At the heart of the issue is the protection of EU citizens’ data when it is in the hands of US-based companies. The EU is especially concerned that US intelligence agencies could have unwarranted access to such data. While the US and EU are working to establish a new data-sharing deal that would address such concerns, such a deal is still a ways off, leaving companies to navigate the complicated situation on their own.

    In the meantime, the EU has made it clear it will continue to go after companies that ignore its privacy and cybersecurity regulations.

    “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” says Max Schrems, honorary chair of The European Center for Digital Rights. “Many EU companies have followed the lead instead of switching to legal options.”

    General Issues

    In addition to the above specific concerns, there are a number of general concerns companies face. Ransomware attacks have been a growing threat in recent years, especially attacks that target vital infrastructure.

    As a result of the growing threat, cybersecurity has been a major focus of the Biden administration, with multiple executive orders, memorandums, and fact sheets addressing the issue. Some of these include unprecedented requirements, including mandatory measures to improve the overall cybersecurity of US businesses and agencies.

    Dealing With the Challenges

    Understanding the challenges is just the first step in properly preparing for and dealing with them. In Part Two of this series, we’ll look at some specific steps companies and organizations can take.

  • Home Depot Canada Caught Giving Customer Data to Meta

    Home Depot is in hot water, with its Canadian division sharing customer data with Meta without the proper consent.

    The Office of the Privacy Commissioner of Canada (OPC) found that Home Depot of Canada had been sharing customers’ e-receipt information with Meta. The information included customers’ email addresses and in-store purchase details.

    “As businesses increasingly look to deliver services electronically, they must carefully consider any consequential uses of personal information, which may require additional consent,” Commissioner Philippe Dufresne said.

    “In this case, it is unlikely that Home Depot customers would have expected that their personal information would be shared with a third party social media platform simply because they opted for an electronic receipt. As Canada marks Data Privacy Week, it is the perfect time to remind companies that they must obtain valid consent at the point of sale to engage in this type of business activity.”

    The OPC’s investigation showed the behavior had been going on since at least 2018. Meta evidently used the info to compare users’ purchases with the Home Depot ads showing in their Facebook feeds, providing information regarding the effectiveness of ad campaigns.

    Home Depot defended its action by saying it relied on “implied consent” and that its privacy policy was available for all to read. That policy says the company may use “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” such as “with third parties.”

    Thankfully, the OPC didn’t buy Home Depot’s defense.

    “The explanations provided in its policies were ultimately insufficient to support meaningful consent,” Commissioner Dufresne said.

    “When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”

    The OPC also did not buy Home Depot’s explanation that it didn’t expressly ask for consent in an effort to avoid causing “consent fatigue” among consumers.

    “Consumers need clear information at key transaction points, empowering them to make decisions about how their personal information should be used,” Commissioner Dufresne said. “Consent fatigue is not a valid reason for failing to obtain meaningful consent. Many customers would be surprised, as the complainant was in this case, to learn that their personal information had been shared with a third party like Facebook without their knowledge and consent.”

    As we have stated at WPN many times before, it’s completely understandable when free services use consumer information as a way to offset the cost of offering those free services. When consumers are paying for a product or service, however, there is absolutely no excuse for then collecting and monetizing the consumer’s information.

    In this case, the only thing more insulting than Home Depot’s actions was its lame justification of those actions. Thankfully, the OPC saw right through Home Depot’s arguments.

  • Appliance Makers Can’t Understand Why Consumers Don’t Connect Them

    Appliance makers are befuddled, wondering why consumers are choosing not to connect their appliances to the internet.

    Many mid and high-end appliances come with a host of connectivity options. Appliance makers are, unfortunately, getting on the subscription bandwagon, using the data they collect from smart appliances to sell their customers additional features, subscriptions, and replacement parts — the latter being arguably the only valuable option of the bunch.

    Companies just have one big problem, according to The Wall Street Journal: customers are not embracing the tech. In fact, LG says less than half of its customers have connected their smart appliances. Whirlpool places the number at more than half of its customers but doesn’t provide any specifics.

    “We want to continue to leverage the technology in the product,” said Whirlpool CIO Dani Brown.

    Henry Kim, US director of LG’s ThinQ, was more pointed in his take:

    “We do believe that connectivity will solve a lot of problems that we encounter in terms of really understanding customer insights and consumer behavior,” said Mr. Kim, “And without the connectivity it is going to be very difficult for us to do that.”

    Appliance makers face two major challenges to getting consumers on board. The first challenge involves keeping consumers connected through router changes since the devices have to be reconnected whenever the home network equipment is replaced.

    The bigger challenge, however, may be simply convincing customers their data won’t be misused and abused. Smart TVs and appliances have been around long enough that many consumers have heard the warnings about such appliances being glorified surveillance devices, and they are choosing privacy over convenience.

    Unfortunately, it seems the appliance makers have yet to get the memo.

    “The challenge is that a consumer doesn’t see the true value that manufacturers see in terms of how that data can help them in the long run. So they don’t really care for spending time to just connect it,” added Mr. Kim.

    Perhaps, Mr. Kim, it’s not that consumers don’t see the value to manufacturers. Perhaps, just perhaps, consumers simply value their own privacy more than what manufacturers want.

  • France Fines Apple $8.5M for Collecting iPhone User Data Without Consent

    France’s CNIL has fined Apple $8.5 million for collecting iPhone user data without obtaining prior consent.

    Apple has tried to position itself as a privacy-first company, often highlighting the difference between it and Google or Meta. A major part of that marketing is making the case that Apple doesn’t want, need, or care about user data. Unfortunately, the reality isn’t quite matching up to the hype.

    The CNIL has fined Apple for collecting data from iPhone users that it then used for targeted ads, all without obtaining prior consent from the users. According to the regulatory agency, the Cupertino company did not get “the consent of French iPhone users (iOS version 14.6) before depositing and/or writing identifiers used for advertising purposes on their terminals.”

    What’s more, the CNIL says Apple made it unnecessarily difficult for individuals to deactivate the data collection, especially since the option was not available during initial setup.

    The fine is unusual for Apple, given the company’s well-cultivated reputation, but it does illustrate a growing disparity between Apple’s image and reality. Apple has previously been accused of being the primary beneficiary of its privacy crackdown, while other companies have been significantly harmed.

    Similarly, Apple has been accused of turning a blind eye to companies that have used loopholes to bypass the iOS App Tracking Transparency feature, continuing to track users against their wishes.

    If Apple wants to continue to maintain its reputation as a privacy-first company, it clearly has work to do in order to live up to its own marketing hype.

  • Apple Abandons Plans to Scan Devices for CSAM

    Apple has completely abandoned one of its most controversial initiatives that would have involved scanning all devices for CSAM.

    Tech companies are always looking for ways to identify and root out Child Sexual Abuse Material (CSAM) from their platforms. Google, Microsoft, Meta, and others routinely scan content on their cloud platforms against a centralized database of CSAM content maintained by the National Center for Missing & Exploited Children (NCMEC).

    Apple’s proposed solution was much different. Apple created a two-step process that involved scanning a consumer’s device. Apple planned to install a database of hashes representing the files in NCMEC’s database on each and every iPhone, iPad, Mac, and Apple TV.

    To be clear, Apple was not going to place CSAM material on devices, only mathematical hashes that represent them. Any device with iCloud enabled would then run the same mathematical hash on local photos and videos and compare them to the database of NCMEC hashes. Once a threshold of matches was reached, the case would undergo human review before being forwarded to the authorities if the matches were accurate. Until that happened, all results would remain completely anonymous.
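The shape of that pipeline, and the design concern raised later in this article (the matching code is indifferent to what the database contains), can be shown with a small stand-in. This is an added example, not Apple's code: Apple's design used a perceptual hash (NeuralHash) and cryptographic threshold techniques that kept results unreadable until the threshold was crossed, while this version uses plain SHA-256 of file bytes and an ordinary counter, so it models only the hash-list, local-compare and threshold steps. All file contents and hash lists below are constructed.

```python
"""Threshold-gated hash matching against a shipped hash list (added example)."""
import hashlib
from dataclasses import dataclass, field


def file_hash(data: bytes) -> str:
    """SHA-256 of the raw bytes; a stand-in for the perceptual hash the real system used."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class MatchDatabase:
    """Opaque set of hashes shipped to the device; the device never sees the source files."""
    hashes: frozenset[str]

    @classmethod
    def from_files(cls, files: list[bytes]) -> "MatchDatabase":
        return cls(frozenset(file_hash(f) for f in files))


@dataclass
class ScanResult:
    match_count: int
    threshold: int
    escalate: bool = field(init=False)  # only true once the threshold is reached

    def __post_init__(self) -> None:
        self.escalate = self.match_count >= self.threshold


def scan_device(local_files: list[bytes], db: MatchDatabase, threshold: int) -> ScanResult:
    """Hash every local file, count hits against the shipped list, gate on the threshold."""
    count = sum(1 for f in local_files if file_hash(f) in db.hashes)
    return ScanResult(count, threshold)


# Constructed sample content: the bytes are arbitrary labels, nothing more.
FLAGGED_CORPUS = [b"constructed-flagged-item-%d" % i for i in range(5)]
LEAFLETS = [b"constructed-political-leaflet-%d" % i for i in range(3)]
BENIGN = [b"holiday photo", b"receipt scan", b"screenshot"]

# Two databases built by the same routine: the matcher cannot tell them apart.
FLAGGED_DB = MatchDatabase.from_files(FLAGGED_CORPUS)
LEAFLET_DB = MatchDatabase.from_files(LEAFLETS)


def demo() -> tuple[ScanResult, ScanResult, ScanResult]:
    """Below threshold, above threshold, and the same code run with a swapped-in list."""
    below = scan_device(FLAGGED_CORPUS[:2] + BENIGN, FLAGGED_DB, threshold=3)
    above = scan_device(FLAGGED_CORPUS[:3] + BENIGN, FLAGGED_DB, threshold=3)
    swapped = scan_device(BENIGN + LEAFLETS, LEAFLET_DB, threshold=1)
    return below, above, swapped


if __name__ == "__main__":
    for name, r in zip(("below", "above", "swapped"), demo()):
        print(f"{name:8s} matches={r.match_count} threshold={r.threshold} escalate={r.escalate}")
```

Two properties fall out of the code directly. The threshold is the only thing standing between a single match and escalation, so the false-positive rate of whatever feeds the database sets the real risk; and `scan_device` has no idea what `MatchDatabase` represents, which is exactly why replacing the list changes what gets flagged without any change on the device.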

    After pushback from the industry and security and privacy experts, Apple originally delayed rollout and has now abandoned its plans in favor of other, less dangerous methods.

    “After extensive consultation with experts to gather feedback on child protection initiatives we proposed last year, we are deepening our investment in the Communication Safety feature that we first made available in December 2021,” the company told WIRED in a statement. “We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos. Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all.”

    The company will instead focus on its opt-in Communication Safety features that parents can activate to flag inappropriate texts, pictures, and videos sent to their children via iMessage.

    “Potential child exploitation can be interrupted before it happens by providing opt-in tools for parents to help protect their children from unsafe communications,” the company continued in its statement. “Apple is dedicated to developing innovative privacy-preserving solutions to combat Child Sexual Abuse Material and protect children, while addressing the unique privacy needs of personal communications and data storage.”

    The new approach strikes a far better balance between the responsibilities Apple is trying to shoulder and individual privacy. While Apple’s original scanning approach seemed promising in terms of privacy, it also posed a host of problems. Security and privacy experts immediately pointed out the danger of Apple being forced by governments to use its matching algorithm for other purposes, such as political, religious, or human rights surveillance. There are also documented instances of non-CSAM images being placed in the NCMEC database, opening the possibility of false positives.

    Not surprisingly, the EU recently proposed new rules that sound eerily similar to Apple’s method, while simultaneously acknowledging “the detection process would be the most intrusive one for users.”

    Interestingly, Princeton researchers developed a similar system shortly before Apple and ultimately tabled it, and wrote a paper on why it should never be used.

    “Our system could be easily repurposed for surveillance and censorship,” the researchers wrote. “The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.”

    Overall, Apple’s announcement is a welcome one. To be fair, however, more time will need to pass to ensure Apple lives up to its promise and has not been forced to implement its scanning technology covertly.

  • Half of Small Computer Repair Shops Access Private Data

    In a report that surprises no one, half of small computer repair shops access customers’ private data, with some copying and saving it.

    Small computer repair shops may be a common sight, but a new report indicates customers should be wary before taking their computers to them. Researchers at the University of Guelph in Ontario, Canada, took laptops to 12 repair shops. The laptops were fully functional, except for a disabled audio driver. The researchers specifically chose that issue, since it is easy to diagnose and repair, and does not require access to personal files.

    The researchers populated the computers with what appeared to be personal information, online accounts, a crypto wallet, and a variety of sexual and non-sexual pictures. The researchers also made it appear that half the computers belonged to men and half to women.

    In 50% of cases, the researchers found that personal files were accessed by the repair shop, although, unsurprisingly, the computers that seemed to belong to women were much more likely to have their data accessed. In at least two cases, one for a male customer and one for a female, data was copied and saved onto personal devices.

    “We were blown away by the results,” Hassan Khan, one of the researchers, said in an interview with Ars Technica. The researchers were especially concerned with the data copying.

    “We thought they would just look at [the data] at most,” Khan added.

    With few if any real privacy safeguards in place, most customers would do well to take their computers to reputable large companies, at least until small shops get with the program, in terms of privacy.

  • Apple Faces Class Action Suit Over Data Collection Despite Settings

    Apple is in the hot seat following reports it ignores its own privacy settings and collects a massive amount of user data.

    Google and Meta are usually the ones in the news for collecting large quantities of user data without permission. Apple is the latest company facing those allegations following a Gizmodo report citing researchers’ claims that Apple’s own apps collect user data, even when the iPhone Analytics setting is turned off.

    According to the report, when iPhone Analytics is turned off, Apple promises it will “disable the sharing of Device Analytics altogether.” Unfortunately, Apple appears to do the exact opposite, collecting data from the App Store, Apple Music, Apple TV, Books, and Stocks. What’s more, there is simply no privacy setting that turns off the mass collection of data.

    “The level of detail is shocking for a company like Apple,” researcher Tommy Mysk told Gizmodo.

    Gizmodo outlines exactly what information the App Store is collecting:

    The App Store appeared to harvest information about every single thing you did in real time, including what you tapped on, which apps you search for, what ads you saw, and how long you looked at a given app and how you found it. The app sent details about you and your device as well, including ID numbers, what kind of phone you’re using, your screen resolution, your keyboard languages, how you’re connected to the internet—notably, the kind of information commonly used for device fingerprinting.

    Again, it’s important to note that absolutely no setting or preference inhibits Apple’s data collection.

    The response has been — understandably — swift and severe, with Apple facing a class action lawsuit. The lawsuit was filed in California, citing a violation of the California Invasion of Privacy Act. Not surprisingly, the lawsuit points out Apple’s claims to respect user privacy, a point it has built much of its marketing around.

    “Privacy is one of the main issues that Apple uses to set its products apart from competitors,” plaintiff Elliot Libman said in the lawsuit, which is available on Bloomberg Law. “But Apple’s privacy guarantees are completely illusory.”

    Cracks have been showing in Apple’s facade of respecting user privacy, but this may be the most damning evidence yet that the company may not be as different from its rivals as it likes to claim.

  • Google Agrees to Record-Breaking Privacy Settlement With 40 States

    Google has agreed to a record-breaking settlement in a privacy suit brought by 40 states over how the company tracks users.

    The attorneys general of 40 states sued the company for misleading its customers. Google was accused of tracking users even when they had expressly disabled tracking. According to The New York Times, the company has agreed to a $391.5 million settlement, the largest privacy settlement in history.

    “For years, Google prioritized profit over the privacy of people who use Google products and services,” said Ellen Rosenblum, the Oregon attorney general, who led the case along with Nebraska. “Consumers thought they had turned ‘off’ their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers.”

    For its part, Google claims the behavior in question had been addressed years earlier.

    “Consistent with improvements we’ve made in recent years, we have settled this investigation, which was based on outdated product policies that we changed years ago,” said company spokesman José Castañeda.

    While this lawsuit may be settled, it doesn’t end Google’s privacy troubles. The company also faces lawsuits by Indiana, Texas, and Washington DC. The company also recently settled another location tracking lawsuit with Arizona to the tune of $85 million.

  • TikTok Accused of Planning to Surveil Americans, Denies Accusations

    Another month, another TikTok scandal as the company is facing some of its most damning privacy allegations yet.

    TikTok has a long history of privacy scandals. The company has been accused of potential keylogging, sending job applicant personal data to China, refusing to keep American user data out of China, violating child privacy, and much more.

    The latest report from Forbes, however, may contain some of the most damaging accusations yet, with the outlet saying that TikTok’s parent company, ByteDance, planned to use the social media app to surveil specific Americans. The effort was led by ByteDance’s Internal Audit and Risk Control department.

    The material reviewed by Forbes indicates that ByteDance’s Internal Audit team was planning to use this location information to surveil individual American citizens, not to target ads or any of these other purposes. Forbes is not disclosing the nature and purpose of the planned surveillance referenced in the materials in order to protect sources. TikTok and ByteDance did not answer questions about whether Internal Audit has specifically targeted any members of the U.S. government, activists, public figures or journalists.

    For its part, TikTok took to Twitter to deny the allegations.

    Interestingly, Forbes’ article never mentions GPS tracking, making this a likely attempt by TikTok to throw readers off the real issue.

    While TikTok may be denying Forbes’ report, the company has all but destroyed what little credibility it had left. This is the same company that testified to Congress that it had a dedicated US security team to handle American user data, only to be caught sending that data to China and then refusing to commit to keeping said data out of China.

    For our part, we tend to believe Forbes over TikTok. By now, it should surprise absolutely no one that this is a company that will seemingly push the boundaries as much as it can, get away with everything it can, and only acknowledge any issue in the face of overwhelming evidence. Anyone who believes their data is safe with TikTok is deluding themselves at their own peril.

  • Report: 1 in 2 Android Apps Share User Data With Third Parties

    Android apps continue to be a privacy nightmare, with 1 in 2 apps on the Google Play Store sharing user data with third parties.

    Google has been under increasing pressure to improve Android apps’ privacy, primarily in response to Apple’s App Tracking Transparency. Google introduced its own “Data safety” feature in October 2021, requiring developers to use it as of late July 2022. Data safety lets people know how developers use the data they collect.

    Now that developers are required to disclose their data practices, Incogni looked at 1,000 apps on the Play Store to see how data was being used. The findings were disturbing, with 55.2% sharing user data with third parties. Some of the big-name apps were the biggest perpetrators, despite claiming to collect the least amount of data.

    See also: App Permissions Info Is Coming Back to the Google Play Store

    Incogni also found a major disparity between free and paid apps, with free apps sharing seven times as much data as their paid counterparts. The same was true for popular apps, which shared 6.15 times more data than less popular ones.

    To absolutely no one’s surprise, social media apps collected the most data, at 19.18 data points. Shopping apps were the worst for data sharing, coming in at 5.72 data points.

    Perhaps most concerning is the fact that 13.4% of apps share user location data, easily one of the most sensitive data points, with third parties.

    Incogni also pointed out a major flaw in Google’s system, namely that it runs on the “honor system.” In other words, developers are trusted to be honest and transparent about what their apps are and are not collecting and sharing.

    Incogni highlighted some of the biggest dangers related to their findings:

    Many apps share and even sell your data to third parties such as marketing agencies, data brokers, and other businesses. Worse yet is that more than half of these apps might not be encrypting your data in transit, making the data highly susceptible to attackers if communications are intercepted.

    Even transferring anonymous data – which is not considered “sharing” – can be ultimately harmful as it can be easily re-identified.

    The risks involved in the proliferation of your personal information can be quite serious. Data sharing exposes users to dangers such as data breaches, identity theft, stalking, and online harassment. Many internet users can also find themselves victims of digital redlining, a phenomenon that is similar to profiling and discrimination in the real world.

  • TikTok Refuses to Commit to Keeping US User Data Out of China

    TikTok Refuses to Commit to Keeping US User Data Out of China

    US lawmakers are finally getting the real picture from TikTok, as the company refuses to commit to keeping US data out of China.

    TikTok has stumbled from one privacy scandal to another, earning an attempted ban by the Trump administration. Although those efforts did not come to fruition, the company’s latest scandal involves how US user data is handled and whether Beijing has access to it. In testimony to US lawmakers Wednesday, a TikTok executive repeatedly refused to commit to keeping US data out of China, according to CNN.

    The latest issue stems from TikTok’s previous assurances that it had a US team in place to handle US user data, even testifying to Congress to that effect. Those assurances were blown away when leaked meeting recordings showed the company’s US team had neither the authority nor the ability to handle many matters and had to rely on colleagues in China to handle the data.

    Read more: What Not to Do: TikTok Censors ‘Ugly,’ ‘Poor’ and ‘Disabled’

    In the aftermath of the revelations, lawmakers and at least one FCC commissioner demanded investigations and consequences for TikTok’s misleading statements.

    When testifying before Congress Wednesday, the company’s executives were finally more open about US data handling, refusing to make any commitments about keeping it out of China.

    “Will TikTok commit to cutting off all data and data flows to China, China-based TikTok employees, ByteDance employees, or any other party in China that might have the capability to access information on US users?” Sen. Rob Portman asked.

    See also: Multiple States Investigate TikTok’s Impact on Children

    “Again, we take this incredibly seriously in terms of upholding trust with US citizens and ensuring the safety of US user data,” TikTok Chief Operating Officer Vanessa Pappas said. “As it relates to access and controls, we are going to be going above and beyond in leading initiative efforts with our partner, Oracle, and also to the satisfaction of the US government through our work with [the Committee on Foreign Investment in the United States], which we do hope to share more information on.”

    When Portman again pressed Pappas to commit to “cutting off all data and metadata flows to China,” Pappas simply said that “our final agreement with the US government will satisfy all national security concerns.”

    Given the company’s long history of privacy and data abuses, this latest scandal may finally lead to significant action being taken against the company.

  • Websites Are Shunning the Facebook Button Over Privacy

    Websites Are Shunning the Facebook Button Over Privacy

    Once almost ubiquitous across the internet, websites are increasingly shunning the Facebook button over privacy concerns.

    Facebook’s button used to appear on websites large and small, providing a fast and easy way for people to log in to a site using their Facebook credentials. As consumers have grown more concerned with protecting their privacy, social media login buttons are a growing casualty.

    “We really just looked at how many people were choosing to use their social media identity to sign in, and that just has shifted over time,” Jen Felch, Dell’s chief digital and chief information officer, told CNBC. “One thing that we see across the industry is more and more security risks or account takeovers, whether that’s Instagram or Facebook or whatever it might be, and I just think we’re observing people making a decision to isolate that social media account versus having other connections to it.”

    Dell isn’t alone in removing the Facebook button. Best Buy, Ford, Match, Nike, Patagonia, Pottery Barn, and Twitch have all removed the option from their websites.

    The disappearing Facebook button is just the latest evidence that consumers are finally valuing their privacy and interested in taking greater control over it.

  • Privacy Advocates Want Stronger Data Rules For Mobile Providers

    Privacy Advocates Want Stronger Data Rules For Mobile Providers

    Privacy advocates are pushing for stricter rules about how mobile carriers handle users’ wireless data.

    While social media companies are often targeted for their handling of user data, wireless carriers have a treasure trove of information on their customers, including location data, internet usage, call history, texting history, and more. An FCC inquiry regarding the habits of the top 15 carriers in the US showed that data retention practices are “all over the map.”

    That was the assessment of Harold Feld, senior vice president at digital privacy group Public Knowledge, according to The Seattle Times.

    “The only ‘industry standard’ appears to be that there is no standard at all for how long carriers retain data, how they protect it, or how hard they make it for their customers to invoke their rights,” Feld added.

    According to the Times, T-Mobile stores information on its customers, including their location data, for up to two years, while AT&T and its Cricket Wireless business store data for 13 months. Meanwhile, Verizon stores data for one year, and Mint Mobile stores data for 18 months.

    The lack of standardization and accountability, not to mention the stakes involved, prompted strong words from FCC Chairwoman Jessica Rosenworcel:

    “Our mobile phones know a lot about us. That means carriers know who we are, who we call, and where we are at any given moment,” said Rosenworcel. “This information and geolocation data is really sensitive. It’s a record of where we’ve been and who we are. That’s why the FCC is taking steps to ensure this data is protected.

    “Today, I’m publishing the responses I received from mobile carriers on how they handle geolocation data to help shed light on this issue for consumers. Additionally, I have asked the Enforcement Bureau to launch a new investigation into mobile carriers’ compliance with FCC rules that require carriers to fully disclose to consumers how they are using and sharing geolocation data,” continued Rosenworcel. “Finally, if you, as a consumer, have concerns or complaints about how your provider is handling your private data, the FCC is making it easier for you to file complaints and make your concerns known—so we can take action under the law.”

  • Google Tops Big Tech Data Tracking With 39 Types of Private Data

    Google Tops Big Tech Data Tracking With 39 Types of Private Data

    Google is the most invasive of Big Tech companies, tracking 39 different private user data points, more than any of its peers.

    StockApps.com conducted an analysis of what data Google, Twitter, Apple, Amazon, and Facebook collect. Of the companies analyzed, Google was the most invasive, tracking 39 different points of private user data. Apple was the least invasive, only tracking 12 data points “necessary to maintain users’ accounts.”

    Twitter collected the second-highest number of data points at 24, while Amazon came in at 23. Surprisingly, Facebook only tracked 14 data points.

    “Twitter and Facebook both save more information than they need to,” writes Edith Reads for StockApps.com. “However, with Facebook, most of the data they store is information users enter.”

    One of the biggest challenges for users interested in limiting Big Tech’s data tracking is the difficulty in understanding the long and complicated privacy policies most companies utilize.

    “Most people do not have the time or patience to read privacy policies that can be several pages long for each website they visit,” says Reads. “Also, it is quite unlikely that all users have a background in law to properly grasp the privacy policy. Besides, users lack time, patience, or energy to try to figure out what information websites are storing and how they are using it to their advantage. As a result, users end up allowing Google to harvest all the data they need by agreeing to the privacy policy terms.”

  • Oracle Faces Class Action Suit Over Its ‘Mass Surveillance’

    Oracle Faces Class Action Suit Over Its ‘Mass Surveillance’

    Oracle is facing a class action lawsuit over what is being described as its “mass surveillance” of the general public.

    Oracle is the world’s leading database provider and a popular cloud provider. The company is accused (PDF) of using its position and platforms to collect real-time data on hundreds of millions of users and selling it. The lawsuit alleges the data is being collected on the general public, including individuals who have no direct relationship with Oracle nor any ability to consent or object to the data collection.

    This complaint sets forth how the regularly conducted business practices of defendant Oracle America, Inc. (“Oracle”) amount to a deliberate and purposeful surveillance of the general population via their digital and online existence. In the course of functioning as a worldwide data broker, Oracle has created a network that tracks in real-time and records indefinitely the personal information of hundreds of millions of people. Oracle sells this detailed personal information to third parties, either directly, or through its “ID Graph” and other related products and services derived from this data. The proposed Classes herein lack a direct relationship with Oracle and have no reasonable or practical basis upon which they could legally consent to Oracle’s surveillance.

    The plaintiffs consist of Dr. Johnny Ryan, a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute; Dr. Jennifer Golbeck, an associate professor at the University of Maryland in College Park and Director of the Social Intelligence Lab; and Michael Katz-Lacabe, a privacy rights activist.

    The plaintiffs make the case that company founder Larry Ellison set out to establish Oracle as a surveillance powerhouse.

    According to Ellison, the purpose of Oracle ID Graph is to predict and influence the future behavior of billions of people. He explained Oracle could achieve this goal by looking at social activity and locations in real time, including “micro location[s].” For example, Ellison has represented that companies will be able to know how much time someone spends in a specific aisle of a specific store and what is in the aisle of the store. “By collecting this data and marrying it to things like micro location information, Internet users’ search histories, websites visits and product comparisons along with their demographic data, and past purchase data, Oracle will be able to predict purchase intent better than anyone.”

    It’s unclear how successful the lawsuit will be. The US notoriously has no comprehensive privacy legislation, making any such lawsuit an uphill battle. At the same time, the lawsuit was filed in California, one of the few states in the US that does have privacy legislation.

    If the plaintiffs are successful, it could have profound repercussions for the US data broker industry, an industry that is already under scrutiny from privacy-minded lawmakers.

  • FTC Targets ‘Corporate Surveillance’ and ‘Data Security’

    FTC Targets ‘Corporate Surveillance’ and ‘Data Security’

    The Federal Trade Commission (FTC) is targeting “corporate surveillance,” wherein companies profit from the data they collect on consumers.

    Corporate surveillance has become a growing problem, with companies collecting vast quantities of consumer data — often without the individual knowing — and then sharing or selling the data to data brokers and other entities. Obviously, the more data is collected, the more vulnerable individuals become to online threats, identity theft, and more, as the FTC makes clear.

    Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. Technologies essential to everyday life also enable near constant surveillance of people’s private lives. The volume of data collected exposes people to identity thieves and hackers. Mass surveillance has heightened the risks and stakes of errors, deception, manipulation, and other abuses.

    In response, the FTC is investigating whether new rules are needed and soliciting public feedback on the matter.

    The Federal Trade Commission is asking the public to weigh in on whether new rules are needed to protect people’s privacy and information in the commercial surveillance economy.

    Consumer and privacy rights groups have long called for the US to crack down on data brokers and other shady data collection practices. Even corporate executives have called for the US to take action and roll out comprehensive privacy laws.

    The FTC’s public inquiry may be the first step toward US consumers finally being protected from predatory corporate surveillance.

  • DuckDuckGo Adds More Microsoft Tracking Protection, Now Better Than Ever

    DuckDuckGo Adds More Microsoft Tracking Protection, Now Better Than Ever

    DuckDuckGo has added additional protection against Microsoft tracking, addressing concerns that were raised in May.

    DuckDuckGo is one of the leading privacy-oriented companies, providing a suite of apps and services that help users protect their privacy online. Despite blocking the vast majority of Microsoft trackers, researchers discovered in May that a very small percentage of Microsoft’s trackers were not blocked under some circumstances.

    DuckDuckGo has been working hard to address the issue and will be rolling out additional protections over the next week to block even more Microsoft trackers, specifically those loaded by third-party websites.

    CEO Gabriel Weinberg outlined the steps the company is taking:

    Over the next week, we will expand the third-party tracking scripts we block from loading on websites to include scripts from Microsoft in our browsing apps (iOS and Android) and our browser extensions (Chrome, Firefox, Safari, Edge and Opera), with beta apps to follow in the coming month. This expands our 3rd-Party Tracker Loading Protection, which blocks identified tracking scripts from Facebook, Google, and other companies from loading on third-party websites, to now include third-party Microsoft tracking scripts. This web tracking protection is not offered by most other popular browsers by default and sits on top of many other DuckDuckGo protections.

    Interestingly, because of the method used to load Microsoft trackers, the number of additional ads being blocked is very small.

    “Prior to this update, we were already blocking most MSFT scripts from loading and further restricting Microsoft tracking through our other web tracking protections, like blocking Microsoft’s third-party cookies in our browsers,” a company spokesperson told WPN. “Often websites use tag managers to load multiple other scripts; the most popular one is Google Tag Manager. Since most Microsoft scripts load through tag managers, those requests were already being blocked by 3rd Party Tracker Loading Protection before this update. In fact, we ran a test to see how much more blocking is happening as a result of this new update and based on the top 1,000 websites we found the increase was only 0.25%.”

    The company’s findings illustrate how effectively it was already blocking Microsoft’s trackers and how overblown the initial concerns were.

    Even so, with these latest rounds of improvements, DuckDuckGo has cemented its reputation, offering better out-of-the-box privacy than Chrome, Firefox, Safari, and others.

  • Amazon’s Ring and Google Nest Give Footage to Police Without Warrants

    Amazon’s Ring and Google Nest Give Footage to Police Without Warrants

    Amazon’s Ring and Google Nest devices are popular home security options, but users may want to look elsewhere if privacy is a concern.

    Ring and Nest devices are used in homes and businesses alike, but a new report says Amazon and Google are giving police access to footage from the devices without a warrant and without the owner’s permission.

    The revelation occurred as a result of Senator Edward Markey’s inquiries regarding Amazon’s practices. The Senator has become increasingly concerned over the role private companies play in mass surveillance.

    “As my ongoing investigation into Amazon illustrates, it has become increasingly difficult for the public to move, assemble, and converse in public without being tracked and recorded,” said Senator Markey. “We cannot accept this as inevitable in our country.”

    In response to Senator Markey’s inquiry, Amazon acknowledged that it does provide law enforcement with access to user footage without permission or a warrant.

    “So far this year, Ring has provided videos to law enforcement in response to an emergency request only 11 times,” the company wrote in response. “In each instance, Ring made a good-faith determination that there was an imminent danger of death or serious physical injury to a person requiring disclosure of information without delay.”

    Read more: Ring Is a Case Study in Bad Privacy Policy

    Amazon is not alone in this practice. Google’s Terms of Service make it clear the company has similar policies.

    “If we reasonably believe that we can prevent someone from dying or from suffering serious physical harm, we may provide information to a government agency — for example, in the case of bomb threats, school shootings, kidnappings, suicide prevention, and missing persons cases. We still consider these requests in light of applicable laws and our policies.”

    Not everyone is convinced by Amazon’s response and it’s unlikely Google’s will score many points either.

    “The ’emergency’ exception to this process allows police to request video directly from Amazon, and without a warrant,” writes Jason Kelley and Matthew Guariglia for the EFF, specifically about Amazon. “But there are insufficient safeguards to protect civil liberties in this process. For example, there is no process for a judge or the device owner to determine whether there actually was an emergency. This could easily lead to police abuse: there will always be temptation for police to use it for increasingly less urgent situations.”

    Additional Privacy Issues

    Sharing information with the police is not the only concern. Senator Markey, as well as the EFF, also raise concerns about the distance at which Ring devices can record audio.

    “Earlier this year, Consumer Reports revealed that Ring’s audio capabilities are more powerful than anyone anticipated, collecting conversation-level audio from up to 25 feet away,” Kelley and Guariglia add. “This has disturbing implications for people who walk, bike, or even drive by dozens of these devices every day, not knowing that their conversations may have been captured and recorded. The company also refused to commit to eliminating the default setting of automatically recording audio.”

    Ring has a longstanding history of privacy issues, and Google is no stranger to privacy controversies. The fact that both companies are sharing data without authorization, not to mention one of them broadly recording mass amounts of indiscriminate audio, should be a major concern for everyone involved.

  • FCC Chairwoman Rosenworcel Wants More Info on Mobile Carrier Data Practices

    FCC Chairwoman Rosenworcel Wants More Info on Mobile Carrier Data Practices

    FCC Chairwoman Jessica Rosenworcel wants more information from mobile carriers on their data practices.

    While many consumers are beginning to pay attention to the privacy offered by their web browsers, email accounts, and the apps installed on their phones, few think about the risk their wireless carrier poses. Wireless carriers have access to customers’ geolocation data and can link that data to specific users.

    Rosenworcel wants to know exactly how carriers are using that data, as well as their safeguards and retention policies.

    “Accordingly, given the highly sensitive nature of this data—especially when location data is combined with other types of data, the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy,” wrote Rosenworcel to T-Mobile CEO Mike Sievert. “I kindly ask that T-Mobile respond to the following questions regarding T-Mobile and Metro by T-Mobile’s consumer data retention policies for geolocation data and its policies regarding sharing of that data with third parties.”

    Rosenworcel sent similar letters to AT&T, Best Buy Health, Charter, Comcast, Consumer Cellular, C-Spire, Dish Network, Google, H2O Wireless, Lycamobile, Mint Mobile, Red Pocket, U.S. Cellular, and Verizon.