Month: January 2021

WhatsApp Reportedly Facing $60.7M EU Privacy Fine

By Robert Bateman

WhatsApp faces a fine of up to $60.7 million for breaching EU privacy rules in a penalty that could be among the largest ever issued, but some privacy experts say that the fine still is too lenient.

The EU General Data Protection Regulation (GDPR), in effect since 2018, requires companies to clearly disclose how they share personal data.

According to news reports, the draft fine relates to WhatsApp’s alleged failure to meet these requirements when explaining how its messenger app shares data with Facebook, which acquired the company in 2014.

“The current alleged proposed penalty is around 375 minutes’ worth of revenue for Facebook,” said Alexander Hanff, CEO of the Swedish consultancy Think Privacy. “It is little more than a rounding error in the grand scheme of things.”

Data Privacy Day 2021

Amazon Severely Misclassifies Digital Privacy News Writer in CCPA Data

By Fiona Tang

In October, I filed a California Consumer Privacy Act (CCPA) request — seeking my data from Amazon.com.

Six days after my Oct. 11 query, the tech giant emailed me, “Your personal data is ready to download.”

Amazon’s data revealed that I had been categorized as a female, 45 to 55 years old — who was married, worked in sales-service and had children aged 7 to 9.

My annual income, according to Amazon’s data, was $100,000 to $150,000 (if only I earned that much money).

But in reality, I am a 29-year-old woman, working in civic technology — single and without children. The only attribute that Amazon had accurately predicted was my gender.

‘It’s Too Much’

Chinese Firm Hits New Low, Literally Placing Bugs Under Workers’ Bottoms

By Patrick McShane

A high-tech firm in the eastern Chinese city of Hangzhou recently gave free seat cushions to its office staff to help make them more comfortable.

Initially, the staff of Hebo Technology felt it was a thoughtful gesture from company management. But soon enough, employees discovered that the comfortable new seat pads were in fact “smart cushions.”

They were being used by managers at the biotech medical company to tell them exactly when their workers were sitting at their desks — and when they were not.

Earlier this month, Hebo staff began complaining about their bosses’ trickery on Chinese social media.

Experts Worried Over India’s Plan for Public WiFi Hotspots

By Aishwarya Jagani

A plan approved last month to set up a national network of public WiFi hotspots throughout India has raised widespread concerns from privacy and cybersecurity experts.

“I have no doubt that government agencies are also going to have full access (to this data), which could breach citizens’ data privacy — and this can be considered a risk to data security,” Viney Kumar, a New Delhi cybersecurity expert, told Digital Privacy News.

“While this is a great initiative, there are many risks associated with it,” he added. “If this isn’t rolled out in a planned, phased and secured manner then this may turn out to be a disaster as well.”

Eric Cole, a cybersecurity consultant and CEO at Secure Anchor Consulting in Ashburn, Va., said: “The biggest challenge with public WiFi is that it, by default, is typically unencrypted.”

Q&A: Zimbabwe’s Kuda Hove

‘There Are No Safeguards to People’s Right to Privacy’

By Maureen Nkatha

With no active law on how private data that is collected should be stored or handled, human-rights activists and privacy experts in Zimbabwe are questioning just how ready the country is for facial-recognition technology. 

The country’s Freedom of Information Act was enforced starting last July, providing citizens and media the right to access information. However, the law does not clearly outline how data collection is handled.

Kuda Hove, a policy officer at Privacy International, told Digital Privacy News that surveillance in Zimbabwe went beyond investigating crimes and was now used as a political tool against those speaking against President Emmerson Mnangagwa’s ruling party.

Hove, who holds a Bachelor of Laws degree from the University of South Africa, also led Information and Communication Technology (ICT) policy and legal work at the Zimbabwean chapter of the Media Institute of Southern Africa.

COVID Fears Thwart Calif. Move to Protect DNA Information

By Matthew Scott

Last of two parts.

An effort to give consumers more protection over the use of their DNA was aborted last year when California’s Genetic Information Privacy Act (GIPA) was vetoed in September by Democratic Gov. Gavin Newsom.

In a letter to the State Senate, Newsom argued that GIPA was too broadly written and risked “unintended consequences” that could “interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public-health departments, who report that information to the California Department of Public Health.”

California Senate Bill 980 proposed the most comprehensive DNA privacy protections of any legislation in the country, regulating how direct-to-consumer DNA testing companies could use, sell and share genetic information.

For the time being, Newsom apparently has decided that access to information that can safeguard the public health is more urgent than safeguarding individuals’ privacy from law enforcement, insurers and marketers.

New Blow in DNA Privacy Fight

By Matthew Scott

First of two parts.

Debate over how DNA obtained by direct-to-consumer genetic-testing companies can be used likely will intensify after Blackstone, the New York private-equity firm, purchased Ancestry.com for $4.7 billion last month.

Privacy advocates told Digital Privacy News that, with the change of ownership, the 18 million people who willingly had given Ancestry.com their DNA could ultimately find that it had been used for purposes other than discovering family histories.

Those include being sold to law enforcement to help solve crimes, to pharmaceutical companies for DNA testing and to other companies for purposes that have not yet been realized.

Furthermore, the sale and resale of these companies raises concerns about who owns the rights to consumer DNA once it is submitted to a company for reasons unconnected to personal medical procedures.

UK Girl, 12, Sues TikTok Over Claims of Breaching Her Privacy

By Robert Bateman

Social media app TikTok is facing a class-action lawsuit in the U.K., led by an unnamed 12-year-old girl who claims the app breached her privacy.

The High Court of England and Wales allowed the plaintiff, known only as “SMO,” permission to proceed anonymously in a hearing conducted last month.

Court documents revealed that the plaintiff was citing the General Data Protection Regulation (GDPR), an EU law adopted into U.K. law before Brexit. The law, passed in 2016, restricts how apps and other online services use children’s personal information. 

Under the GDPR, if online service providers want consent to process a child’s personal information, they must request it from a parent or guardian.

What Happened? Marriott Breach

Hotel Chain Hacked After Huge Attack 

By Najmeh Tima

“What Happened?” is an occasional feature by Digital Privacy News that looks back on some of the tech industry’s biggest data breaches last year.

While Marriott International is awaiting a final decision from the U.K.’s Information Commissioner’s Office (ICO) over a 2018 hack at its luxury Starwood hotel chain, the company’s systems were breached nearly two years later, in January 2020.

The data that eventually was leaked involved the contact details, loyalty-account information, personal details, preferences and partnerships and affiliations of as many as 5.2 million guests in Marriott’s Bonvoy loyalty program.

In October, ICO fined Marriott $23.9 million for the 2018 breach of approximately 339 million records, including guests throughout Europe. 

Spotify’s ‘Seductive Surveillance’

How Companies Use Personalization to Leverage Our Surrendering of Data  

By Asa Hiken  

I was elated when, last month, Spotify released “Wrapped,” its annual year-in-review feature personalized to an individual user’s listening habits.  

But soon, it dawned on me: All those flashy stats on my favorite songs and hours logged are merely points of data that Spotify has collected, analyzed and gifted back to me in lustrous packaging. 

Though Spotify called it “one of the most anticipated moments of the year,” privacy experts call this product something else: “seductive surveillance.” 

So, what is the ultimate — or ulterior — objective behind Wrapped? And, how has Spotify seemed to convince the majority of its users that the collection of their data is not simply admissible, but exciting?

Facebook Can ‘Bypass GDPR’ After Court Ruling, Privacy Advocate Says

By Robert Bateman

An Austrian court has ruled that Facebook can process its users’ personal information without consent, owing to clauses in its terms of service.

Plaintiff Max Schrems, cofounder of Austrian nonprofit None of Your Business: European Center for Digital Rights (NOYB), argued that Facebook’s use of tracking cookies was unlawful without user consent and alleged that Facebook had not met the standard of consent required under GDPR.

Under the EU’s General Data Protection Regulation (GDPR), data controllers like Facebook only may process personal information on one of six “legal bases,” including “consent” and “contract.”

Facebook countered that it had relied on a contract with its users and that it needed tracking cookies to meet its obligations under that contract, including providing a personalized social media platform and raising revenue to finance its business model. 

Chinese Drone Maker Accused of Privacy, Security Compromises

By Christopher Adams

Two cybersecurity firms reportedly have proven that software in Chinese-made drones compromises the privacy and security of drone operators.

A study last year by Synacktiv, a French information-technology security company, reached the initial conclusion on the Beijing drones, made by DJI — and its results later were validated by Grimm, a cybersecurity-infrastructure consultant based in Washington.

The Synacktiv analysis found that the software used to control the DJI drones possessed secret features, captured data from user devices and contained a forced-update feature that would allow the Beijing company to gain full control of a user’s smartphone.

The federal government basically has stopped using DJI drones out of national-security concerns — and a total ban on Chinese-manufactured drones and their software by the Trump White House seemed a possibility during the final weeks of the administration.

‘A Rich Seam to Mine’

Meeting Planners See Information Bounty in Virtual Events From COVID

By Joanne Cleaver 

As a professional event planner and association manager, Annette Suriani is especially aware of privacy controls and exposure during online events. 

She is executive director of the Association of Meeting Professionals (AMP) in Fairfax, Va., and the group she manages is wrestling with these issues daily, on behalf of their clients and employers.

Like the rest of the conference-going world, AMP members are getting a grip on what privacy toggles suddenly are important as they navigate the previously unfamiliar world of online event-hosting and facilitating.

One thing’s for sure, though: Like the real world, the business of conferences requires data about participants from the moment they register to long after they leave.

Q&A: Kian Vesteinsson of Freedom House Research Group

COVID Is ‘Laying the Foundation for the Future Surveillance State’

By Patrick W. Dunne

Kian Vesteinsson is a research analyst for technology and democracy at Freedom House, a research institute in Washington.

He also greatly contributes to the annual “Freedom on the Net” report produced by the nonprofit, which was established in 1941.

The report, released in October, analyzes how countries worldwide handle internet freedom.

“The public-health crisis has created an opening for the digitization, collection and analysis of people’s most intimate data without adequate protections against abuses,” reads an excerpt from the 2020 report.

Q&A: EFF’s Cindy Cohn

COVID and Privacy: ‘Bad Ideas About Tracking People’

By Nora Macaluso

Last of three parts.

Established in 1990, the Electronic Frontier Foundation has a history of fighting government and private efforts to monitor civilians.

In 2005, Cindy Cohn, as EFF’s legal director and general counsel, led a class-action lawsuit against Sony BMG, alleging that the entertainment giant built a flawed and invasive computer program into as many as 22 million music CDs to block copying by the public.

In a 2007 settlement with the Federal Trade Commission, Sony made available a patch that was designed to resolve the security vulnerability.

The next year, EFF began representing victims in a lawsuit challenging an illegal surveillance program run by the National Security Agency (NSA) conducted under the guise of the U.S. Patriot Act. The litigation continues.

Lack of a Digital Law Exposes India to Chinese Cyberthreats

By Aishwarya Jagani

India is in dire need of a data-privacy law, experts told Digital Privacy News, but they continue to raise concerns about a 2019 proposal that is being studied by a joint committee of Parliament.

“India, as of today, neither has a dedicated law on data-protection and privacy — nor has extensively adopted any international guidelines on privacy or data-protection,” said Saikiran Kannan, an open-source intelligence analyst in Singapore and a writer for India Today and Zenger News.

“There are some specific provisions on privacy listed in the Information Technology Act of 2000 (IT Act),” he added. “But these are very basic laws when compared to countries like U.S.A., Singapore and U.K.

“They can so easily be subverted — and the judicial proceedings in such cases take a long time to prosecute,” Kannan said.

Q&A: Cindy Cohn of the EFF

Authorities Are Growing More ‘Hostile to Your Ability to Lock Up Your Data’

By Nora Macaluso

Second of three parts.

Law enforcement and tech companies have been teaming up on surveillance — and privacy advocates say that could be problematic.

In today’s Digital Privacy News interview, Electronic Frontier Foundation Executive Director Cindy Cohn discussed the link between litigation and policy change and the need for a national privacy law.

This interview has been edited for length and clarity.

Oracle and Salesforce Face Huge Lawsuits in UK, Netherlands

By Robert Bateman

Tech giants Oracle and Salesforce are facing class-action lawsuits in the U.K. and the Netherlands over allegations that they are “misusing the personal data” of millions of people.

The legal claims relate to how the companies contribute to “real-time bidding” (RTB), a controversial advertising practice that involves the auctioning of personal data collected via web cookies and other tracking technologies.

The U.K. suit, led by privacy advocate Rebecca Rumbul, is seeking damages of approximately $13 billion, which would amount to about $650 for every U.K. internet user.

The parallel Netherlands case, led by the nonprofit Privacy Collective, is seeking approximately $19.5 billion.

Q&A: EFF’s Cindy Cohn

‘We’re Going to Die by a Death of a Thousand Cuts for Privacy’

By Nora Macaluso

First of three parts.

Cindy Cohn, executive director of the Electronic Frontier Foundation, has advocated for privacy on issues ranging from privately developed surveillance technology to government spying to human rights.

In 2005, she also led the foundation in a national class-action lawsuit against Sony BMG, arguing that the company had included a flawed and overreaching computer program in millions of music CDs sold to the public.

The entertainment behemoth ultimately settled with the Federal Trade Commission.

Cohn, 57, has helmed EFF since 2015, after serving as legal director, as well as its general counsel, for 15 years. She is a graduate of the University of Michigan Law School, the University of Iowa and the London School of Economics.
