By Robert Bateman
Social media app TikTok is facing a class-action lawsuit in the U.K., led by an unnamed 12-year-old girl who claims the app breached her privacy.
The High Court of England and Wales allowed the plaintiff, known only as “SMO,” permission to proceed anonymously in a hearing conducted last month.
Court documents revealed that the plaintiff was citing the General Data Protection Regulation (GDPR), an EU law adopted into U.K. law before Brexit. The law, passed in 2016, restricts how apps and other online services use children’s personal information.
Under the GDPR, if online service providers want consent to process a child’s personal information, they must request it from a parent or guardian.
Continue reading “UK Girl, 12, Sues TikTok Over Claims of Breaching Her Privacy”
Hotel Chain Hacked After Huge Attack
By Najmeh Tima
“What Happened?” is an occasional feature by Digital Privacy News that looks back on some of the tech industry’s biggest data breaches last year.
While Marriott International is awaiting a final decision from the U.K.’s Information Commissioner’s Office (ICO) over a 2018 hack at its luxury Starwood hotel chain, the company’s systems were breached nearly two years later, in January 2020.
The data that eventually was leaked involved the contact details, loyalty-account information, personal details, preferences and partnerships and affiliations of as many as 5.2 million guests in Marriott’s Bonvoy loyalty program.
In October, ICO fined Marriott $23.9 million for the 2018 breach of approximately 339 million records, including guests throughout Europe.
Continue reading “What Happened? Marriott Breach”
How Companies Use Personalization to Leverage Our Surrendering of Data
By Asa Hiken
I was elated when, last month, Spotify released “Wrapped,” its annual year-in-review feature personalized to an individual user’s listening habits.
But soon, it dawned on me: All those flashy stats on my favorite songs and hours logged are merely points of data that Spotify has collected, analyzed and gifted back to me in lustrous packaging.
Though Spotify called it “one of the most anticipated moments of the year,” privacy experts call this product something else: “seductive surveillance.”
So, what is the ultimate — or ulterior — objective behind Wrapped? And, how has Spotify seemed to convince the majority of its users that the collection of their data is not simply admissible, but exciting?
Continue reading “Spotify’s ‘Seductive Surveillance’”
By Robert Bateman
An Austrian court has ruled that Facebook can process its users’ personal information without consent, owing to clauses in its terms of service.
Plaintiff Max Schrems, cofounder of Austrian nonprofit None of Your Business: European Center for Digital Rights (NOYB), argued that Facebook’s use of tracking cookies was unlawful without user consent and alleged that Facebook had not met the standard of consent required under GDPR.
Under the EU’s General Data Protection Regulation (GDPR), data controllers like Facebook only may process personal information on one of six “legal bases,” including “consent” and “contract.”
Facebook countered that it had relied on a contract with its users and that it needed tracking cookies to meet its obligations under that contract, including providing a personalized social media platform and raising revenue to finance its business model.
Continue reading “Facebook Can ‘Bypass GDPR’ After Court Ruling, Privacy Advocate Says”
By Christopher Adams
Two cybersecurity firms reportedly have proven that software in Chinese-made drones compromises the privacy and security of drone operators.
A study last year by Synacktiv, a French information-technology security company, reached the initial conclusion on the Beijing drones, made by DJI — and its results later were validated by Grimm, a cybersecurity-infrastructure consultant based in Washington.
The Synacktiv analysis found that the software used to control the DJI drones possessed secret features, captured data from user devices and contained a forced-update feature that would allow the Beijing company to gain full control of a user’s smartphone.
The federal government basically has stopped using DJI drones out of national-security concerns — and a total ban on Chinese-manufactured drones and their software by the Trump White House seemed a possibility during the final weeks of the administration.
Continue reading “Chinese Drone Maker Accused of Privacy, Security Compromises”
Meeting Planners See Information Bounty in Virtual Events From COVID
By Joanne Cleaver
As a professional event planner and association manager, Annette Suriani is especially aware of privacy controls and exposure during online events.
Suriani is executive director of the Association of Meeting Professionals (AMP) in Fairfax, Va., and the group she manages is wrestling with these issues daily, on behalf of their clients and employers.
Like the rest of the conference-going world, AMP members are getting a grip on what privacy toggles suddenly are important as they navigate the previously unfamiliar world of online event-hosting and facilitating.
One thing’s for sure, though: Like the real world, the business of conferences requires data about participants from the moment they register to long after they leave.
Continue reading “‘A Rich Seam to Mine’”
COVID Is ‘Laying the Foundation for the Future Surveillance State’
By Patrick W. Dunne
Kian Vesteinsson is a research analyst for technology and democracy at Freedom House, a research institute in Washington.
He also greatly contributes to the annual “Freedom on the Net” report produced by the nonprofit, which was established in 1941.
The report, released in October, analyzes how countries worldwide handle internet freedom.
“The public-health crisis has created an opening for the digitization, collection and analysis of people’s most intimate data without adequate protections against abuses,” reads an excerpt from the 2020 report.
Continue reading “Q&A: Kian Vesteinsson of Freedom House Research Group”
COVID and Privacy: ‘Bad Ideas About Tracking People’
By Nora Macaluso
Last of three parts.
Established in 1990, the Electronic Frontier Foundation has a history of fighting government and private efforts to monitor civilians.
In 2005, Cindy Cohn, as EFF’s legal director and general counsel, led a class-action lawsuit against Sony BMG, alleging that the entertainment giant built a flawed and invasive computer program into as many as 22 million music CDs to block copying by the public.
In a 2007 settlement with the Federal Trade Commission, Sony made available a patch that was designed to resolve the security vulnerability.
The next year, EFF began representing victims in a lawsuit challenging an illegal surveillance program run by the National Security Agency (NSA) conducted under the guise of the U.S. Patriot Act. The litigation continues.
Continue reading “Q&A: EFF’s Cindy Cohn”
By Aishwarya Jagani
India is in dire need of a data-privacy law, experts told Digital Privacy News, but they continue to raise concerns about a 2019 proposal that is being studied by a joint committee of Parliament.
“India, as of today, neither has a dedicated law on data-protection and privacy — nor has extensively adopted any international guidelines on privacy or data-protection,” said Saikiran Kannan, an open-source intelligence analyst in Singapore and a writer for India Today and Zenger News.
“There are some specific provisions on privacy listed in the Information Technology Act of 2000 (IT Act),” he added. “But these are very basic laws when compared to countries like U.S.A., Singapore and U.K.
“They can so easily be subverted — and the judicial proceedings in such cases take a long time to prosecute,” Kannan said.
Continue reading “Lack of a Digital Law Exposes India to Chinese Cyberthreats”
Authorities Are Growing More ‘Hostile to Your Ability to Lock Up Your Data’
By Nora Macaluso
Second of three parts.
Law enforcement and tech companies have been teaming up on surveillance — and privacy advocates say that could be problematic.
In today’s Digital Privacy News interview, Electronic Frontier Foundation Executive Director Cindy Cohn discussed the link between litigation and policy change and the need for a national privacy law.
This interview has been edited for length and clarity.
Continue reading “Q&A: Cindy Cohn of the EFF”
By Robert Bateman
Tech giants Oracle and Salesforce are facing class-action lawsuits in the U.K. and the Netherlands over allegations that they are “misusing the personal data” of millions of people.
The legal claims relate to how the companies contribute to “real-time bidding” (RTB), a controversial advertising practice that involves the auctioning of personal data collected via web cookies and other tracking technologies.
The U.K. suit, led by privacy advocate Rebecca Rumbul, is seeking damages of approximately $13 billion, which would amount to about $650 for every U.K. internet user.
The parallel Netherlands case, led by the nonprofit Privacy Collective, is seeking approximately $19.5 billion.
Continue reading “Oracle and Salesforce Face Huge Lawsuits in UK, Netherlands”
‘We’re Going to Die by a Death of a Thousand Cuts for Privacy’
By Nora Macaluso
First of three parts.
Cindy Cohn, executive director of the Electronic Frontier Foundation, has advocated for privacy on issues ranging from privately developed surveillance technology to government spying to human rights.
In 2005, she also led the foundation in a national class-action lawsuit against Sony BMG, arguing that the company had included a flawed and overreaching computer program in millions of music CDs sold to the public.
The entertainment behemoth ultimately settled with the Federal Trade Commission.
Cohn, 57, has helmed EFF since 2015, after serving as legal director, as well as its general counsel, for 15 years. She is a graduate of the University of Michigan Law School, the University of Iowa and the London School of Economics.
Continue reading “Q&A: EFF’s Cindy Cohn”
By Steven Crook
Taiwan’s plan to begin trials of its long-planned but heavily criticized national electronic identification (eID) cards next month has been thrown into doubt by a municipal government’s reluctance.
The pilot effort would use volunteers in Hsinchu, a city of 451,000 nearly 45 miles southwest of Taipei.
But the Hsinchu City Government said that, because it prioritized citizens’ rights and information security, if Taiwan’s central government was unable to convince it that the eID system was safe, it was “inclined to suspend the trial.”
The Hsinchu City Government’s decision was reported Saturday by United Daily News, a major Taiwanese newspaper.
Continue reading “Taiwan’s Smart ID Plan in Doubt, as Local Officials Get Cold Feet”
By Robert Bateman
France’s data-protection authority has hit Google and Amazon with fines totaling $163 million over the tech giants’ use of tracking cookies online.
Google’s $121 million fine and Amazon’s fine of $42 million were imposed Dec. 7 by France’s Commission Nationale de l’Informatique et des Libertés (CNIL).
CNIL enforces privacy laws, such as the EU General Data Protection Regulation (GDPR), France’s Data Protection Act and the ePrivacy Directive, which sets the rules on cookies use across the EU.
According to Dec. 10 statements on CNIL’s website, Google and Amazon’s websites placed cookies on user devices without proper notice and without requesting consent.
Continue reading “France Hits Google and Amazon With $163M in Cookie Fines”
Monitoring Employees by AI Raises New Class of Privacy Fears
By Victor R. Bradley
The general public is broadly aware that artificial intelligence and increasingly powerful statistical models have given companies the ability to build intrusive customer profiles based on web-surfing behavior.
Less discussed, however, is the power such technology confers upon employers.
This neglected legal and ethical area is becoming increasingly prominent. In February, the U.S. House Labor and Education Committee held a hearing: “The Future of Work: Protecting Workers’ Civil Rights in the Digital Age.”
The session investigated the ways algorithms and automated surveillance technology could reproduce and exacerbate existing biases in the workplace.
The explosion in remote work since March because of COVID-19 has made such investigation increasingly necessary, as employers must increasingly rely on supervision via cyberspace.
Continue reading “Q&A: UC-Berkeley’s Daniel Aranki”
By Jason Collins
Anyone who uses Instagram or Facebook knows that moment when you realize that something you were talking about has popped up as an advertisement on your feed.
Whether you find this expedient or creepy, you now have realized that your cellphone is listening to you.
While most of the blame for breach of privacy is laid on Apple, Microsoft and other big tech companies, a major player is being overlooked: Telecom giants are directly connected to personal information, since they now provide not only phone access but also mobile data and WiFi.
Continue reading “AT&T Plan for Cheap Phones Subsidized by Ads Raises Privacy Issues”
By Jackson Chen
Despite the world being disrupted in an unprecedented manner in 2020, the privacy world still saw many significant events and developments.
Early this year, COVID-19 led to privacy concerns over rushed contact-tracing apps and data breaches at overtaxed health care operations.
Nearly halfway into 2020, the European Union evaluated the effectiveness of its General Data Protection Regulation (GDPR), while a wave of racial-justice protests in the U.S. reinvigorated concerns about facial-recognition technology.
To cap off the year, Congress held several hearings with Big Tech CEOs, while many regulatory actions took place against them by federal and state governmental agencies.
Continue reading “A Dizzying Year in Privacy: From Antitrust to a Lack of Trust”
By Jackson Chen
With the calls for the creation of a comprehensive privacy law in the U.S., politicians from both sides of the aisle have proposed solutions.
In March, Sen. Jerry Moran, R-Kan., introduced the Consumer Data Privacy and Security Act, which aimed to create a federal standard for data-privacy protection.
It also sought to give consumers control over their data and restrict how businesses collect people’s data.
Moran’s bill also would give the Federal Trade Commission enforcement authority for these protections while offering the agency more resources.
The proposal is awaiting a hearing by the Senate Commerce Committee.
In the summer, Democratic Sen. Sherrod Brown, Ohio, put forth his take on a comprehensive privacy bill.
Continue reading “Washington’s Busy Year for Privacy Legislation”
By Aishwarya Jagani
As India Prime Minister Narendra Modi’s government gears up for a full rollout of its National Digital Health Mission (NDHM), experts continue to raise privacy and security concerns over what could be the world’s biggest health database.
“Large databases are always risky, especially when handling sensitive data like health data,” Prasanth Sugathan, legal director of the Software Freedom Law Centre in New Delhi, told Digital Privacy News.
“Moreover, in this case, the data could be exposed to multiple entities — and the data-security practices of these entities will have a bearing on the safety of the sensitive health data,” he said.
The NDHM was announced in August, with test-runs launched in six union territories — federal areas that are governed, in part or in whole, by Modi’s government.
Continue reading “Privacy Fears Voiced Over India’s National Digital Health Mission”
‘We’re Never Clear About the Data That’s Being Gathered’
By C.J. Thompson
Guarding private information is only getting tougher.
The lack of federal data-privacy legislation, combined with the ramifications of the intensifying pandemic, is increasing the entry points for compromising data.
Kristin Johnson, Asa Griggs Candler professor of law at the Emory University Law School, told Digital Privacy News that more public vigilance was needed.
She argues in a soon-to-be-published academic paper — “Regulating Digital Surveillance: Protecting Privacy in a Pandemic” — that when it comes to privacy intrusion, financial-transaction data is as critical a privacy issue as geolocation tracking.
As such, the choice to add apps to devices should not be taken lightly.
Continue reading “Q&A: Kristin Johnson of Emory University”