Daily Digest (8/10)

Capital One to Pay $80M Fine Over 2019 Data Breach; US Government Contractor Collecting Global Location Data Via Mobile Apps; Google Makes Certain Words Taboo, Trying to Stave Off Regulators; Lawmakers Ask California DMV How It Makes $50M a Year Selling Data.

Capital One to Pay $80M Fine Over 2019 Data Breach

Capital One has agreed to pay an $80 million fine over a data breach last year that affected more than 100 million credit-card applications.

The U.S. Office of the Comptroller of the Currency said Friday that the fine was “based on the bank’s failure to establish effective risk assessment processes” prior to migrating part of its database to a cloud storage system and for not correcting “the deficiencies in a timely manner,” The Washington Post reports.

“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses and have made substantial progress in addressing the requirements of these orders,” Capital One, based in McLean, Va., said in a statement.

Authorities say about 100 million credit card applications were illegally accessed in last year’s hack.

The comptroller’s office also ordered Capital One to take additional steps to show its computer system has sufficient security, according to the Post.


US Government Contractor Collecting Global Location Data Via Mobile Apps

A federal government contractor embedded its software in more than 500 mobile applications to track location data from users around the world, The Wall Street Journal reported Friday.

The contractor, Anomaly Six LLC, based in Virginia, provides global location data to branches of the U.S. government and the private sector — but the company told the Journal that it only sold U.S. mobile-location data to nongovernmental organizations.

Anomaly Six, established by two U.S. military veterans with a background in intelligence, said in marketing materials cited by the Journal that it could draw location data from more than 500 mobile applications, in part through its own software development kit, or SDK, that was embedded directly in some of the apps.

An SDK, the Journal reports, allows the company to obtain a cellphone’s location if consumers have allowed the app containing the software to access the phone’s GPS coordinates.

App publishers often allow third-party companies, for a fee, to insert SDKs into their apps. The SDK maker, according to the Journal, then sells the consumer data harvested from the app — and the app publisher gets some of the revenue.

But consumers have no way of knowing whether SDKs are embedded in apps. Most privacy policies don’t disclose the information, the Journal reports.

Anomaly Six said it embedded its own SDKs in some apps, and in other cases obtained location data from other partners.

“Anomaly Six is a veteran-owned small business that processes and visualizes location data sourced from mobile devices for analytics and insights,” the company said in response to questions for this article.

“We leverage detailed location data from numerous first-party sources to provide insights into groups, behaviors, and patterns.”

The company said it acknowledged the “intense scrutiny” around government use of such data, but added that all the data it worked with was commercially available and compliant with all laws.


Google Makes Certain Words Taboo, Trying to Stave Off Regulators

Google, facing at least four major antitrust investigations on two continents, is telling employees that certain language remains off limits in all written communications, no matter how casual.

Internal documents obtained by The Markup and disclosed Friday showed that Google’s parent company, Alphabet, has been preparing for the investigations for years.

The taboo words include “market,” “barriers to entry,” and “network effects” — the latter being when social networks and other products become more valuable as more people use them.

“Words matter,” read one document cited by the Markup. “Especially in antitrust law.”

The document was titled “Five Rules of Thumb for Written Communications.”

Another document read: “Alphabet gets sued a lot, and we have our fair share of regulatory investigations. Assume every document will become public.”

According to the Markup, the internal documents appear to be part of a self-guided training session for the more than 100,000 people employed by Google, from engineers to salespeople.

Another document, titled “Global Competition Policy,” said the rules not only applied to interns and employees but also to temps, vendors, and contractors.

Alphabet is under investigation by 50 attorneys general and the Department of Justice for potentially abusing its dominance to undermine competition.

Its acquisitions, along with those of other large U.S. tech giants, are under review for anticompetitive effects by the Federal Trade Commission.

The European Commission also has announced an “in-depth” investigation of Google’s acquisition of fitness-tracker Fitbit and is probing possible antitrust violations regarding Google for Jobs.

Julie Tarallo McAlister, a Google spokesperson, told the Markup in an email: “These are completely standard competition-law compliance trainings that most large companies provide to their employees.

“We instruct employees to compete fairly and build great products, rather than focus or opine on competitors,” she added. “We’ve had these trainings in place for well over a decade.”


Lawmakers Ask California DMV How It Makes $50M a Year Selling Data

Nearly a dozen lawmakers, led by Democratic Rep. Anna Eshoo of California, wrote the California Department of Motor Vehicles (DMV) last week asking why the agency sold the personal data of residents.

“What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear,” said the letter, disclosed Wednesday by Vice’s Motherboard site.

Motherboard revealed last year that the California DMV was making tens of millions of dollars a year by selling personal data.

The letter also was signed by three California Democratic U.S. Reps.: Ted Lieu, Barbara Lee and Mike Thompson. Two Democrats in the California Assembly, state Reps. Kevin Mullin and Mark Stone, also endorsed the document.

Generally, the information sold by the agency included names, physical addresses and car registration information. Multiple other DMVs previously confirmed they have ended access to some clients after they abused the data, Motherboard reports.

The letter from the legislators asked what types of organizations the DMV had disclosed data to in the past three years.

Motherboard reported on how similar agencies around the country sold such data to private investigators, including those hired to spy on suspected cheating spouses.

In an earlier email to Motherboard, the California DMV said data requesters might include insurers, vehicle manufacturers and prospective employers.

“The DMV does not sell driver information for marketing purposes or to generate revenue outside of the cost of administering its requester program — which only provides certain driver and vehicle related information as statutorily required,” the agency told Motherboard by email.

“The DMV takes its obligation to protect personal information very seriously.

“Information is only released according to California law — and the DMV continues to review its release practices to ensure information is only released to authorized persons-entities and only for authorized purposes.”


— By DPN Staff