Category Archives: Privacy

Google Says They Don’t Sell Your Data – That is True, They Give it Away!

Google is being sued. Again. This is not news. What is news is why they are being sued.

Google says that they don’t sell your data. While that may be accurate, they do, according to a new lawsuit, give it away to anyone who wants it.

How does that work?

Google sells ads. While some of those ads are blind, meaning that the buyer does not know who it is being presented to, those ads don’t sell for much. My kids are fully grown. Showing me a diaper ad is not terribly useful to the diaper company. I am highly unlikely to buy any diapers any time soon.

Most ads are sold using Google’s real time bidding system. This bidding happens in a blink of an eye.

It works something like this.

You visit a web page. The site owner has a deal to buy ads from Google. While the page is loading, the site owner tells Google that it has a box that is so many inches by so many inches available.

They also tell Google everything they know about you. This includes everything the browser tells them like your system information and IP address and any other information the site owner has about you. Then Google adds information it knows about you based on other data they have collected from other sites you have visited and other data that they have bought.

So far, it would appear, they are not lying.

But they also have not sold any ads.

What happens next is this. Google provides all of this information to anyone who is bidding for ads at the moment. That entire collection of data is provided, free of charge, the lawsuit says, to all of the potential buyers.

In the blink of an eye, someone wins the bid and Google charges them and gives the ad to the website to display. This could be Facebook. Or your web site if you display ads.

But what happens to all that data that was sent to the losers?

According to the lawsuit, they get to keep it.

Some people bid on ads with the intention of NOT winning. All they want is your data. They offer to pay a penny knowing that they will never win. Maybe they have to shell out a few pennies if literally no one else bids.

After the bidding period (blink) is over, they can take that data, aggregate it and sell it. Or use it in some other way.

This is the crux of the lawsuit.

If there are a hundred bidders for that ad. Or a thousand – they all get to keep the data according to the plaintiffs.

You would think Google would care, but maybe, because they collect some much data every second, they don’t.

I guess we will see how this plays out in court. Credit: Law Street Media

Is Your Company Ready for the Wave of Privacy Laws Here and to Come?

First it was California (version 1 and version 2); then it was Virginia. Now it is Colorado. IT IS NOT GOING TO STOP THERE.

California’s CCPA covered human resources data somewhat. CPRA covers it completely and will require HR departments to create programs to protect HR data.

This includes notices at the time data is collected, new data privacy practices, new rules for third parties that the company uses and procedures for when employees exercise their rights.

While Virginia and Colorado were the next two dominoes to fall, there are about two dozen bills in various state houses.

Some of these cover HR data; others do not.

The Colorado and Virginia are more likely to be the model going forward – with, of course, twists and turns. In part, this is because these laws are written more coherently. Of course that doesn’t mean that some states won’t model their laws after the California.

Unlike California, the Colorado and Virginia laws do not allow for a private right of action – a key contention in getting an agreement for a national privacy law. The Colorado law does allow local district attorneys to go after violators.

All of these laws have three different sets of responsibilities –

  1. Data controllers – the company or person responsible for the data
  2. Data processors – an organization that acts as an agent for the controller and in some way processes the data
  3. The individuals – who have new data rights

Even if the law in a particular state does not affect employee data, HR is likely going to need to be involved anyway. New policies and programs will affect employees in many ways and HR will need to help companies navigate the new path.

and, of course, companies are going to need to figure out where their customers and visitors are located because the laws effect is based on their location, not yours.

In addition, companies will need to engage legal talent, whether internal or external.

January 1, 2023 is really not that far away.

For more details, see this article at JD Supra

Colorado is the Third State to Enact A Robust Privacy Law

First it was California (of course). Then it was California version 2. In 2020, things were quiet and no states joined the club. Earlier this year Virginia joined the club and today Colorado became the third state to enact a California-style or Europe-style privacy law, with some significant differences.

Here are some of the key parts of the law.

  • Consumers have the right to get a copy of their data, get it corrected, delete it and be able to port it to a competing service
  • Allows consumers to opt out of targeted advertising, sale of data and some profiling
  • Exempts employee data, deidentified data and publicly available data
  • It also exempts data covered by HIPAA, GLBA and COPPA
  • Companies that collect data need to tell consumers how they are going to use it
  • It requires a duty of care to protect data. This is also known as the full employment act for lawyers
  • And of course, it has a number of exemptions

One new twist – while there is no private right of action, action can be taken by local DAs – many of whom are planning to run for higher office – in addition to the AG, who is pretty busy.

California’s law is based on global revenue; the Colorado law is based on the number of Colorado residents the company collects data on (100,000) or fewer residents if you also sell some data (25,000). Still, that should eliminate many smaller companies.

Business to business transactions are also exempt.

Like most of the similar laws, processing of sensitive data like racial, ethnic, mental or physical health, sexual orientation, etc. require an opt-in.

Finally, the AG is authorized to create rules to carrying out this new law.

Companies need to have a much more robust privacy disclosure, which includes a number of specific items.

Also, and this is a weakness for many companies, the law requires companies to have a WRITTEN contract with all data processors (think of cloud software providers, for example) which documents instructions for processing data, confidentiality requirements and the requirement to notify the data owner before subcontracting, among other requirements.

One important first step for companies to take, no matter whether they just operate in Colorado, also operate in Colorado or operate in multiple states, is to get a really good handle on what data you collect, where you store it and who you share it with, either for financial purposes or just to run the business. Our experience tells us that this is a real challenge for most companies.


National Law Review


JD Supra

Most Mobile Finance Apps Are Vulnerable to Breaches

Mobile finance apps are very popular, but are they safe?

A report by security company Intertrust says that 88% of the apps tested failed at least one of the cryptographic tests, meaning that the encryption can be broken, resulting in loss of privacy and possibly loss of your money.

Some of the other findings from this report are:

  • One or more security flaws were found in every app tested
  • 84% of Android apps and 70% of iOS apps have at least one critical or high severity vulnerability
  • 81% of finance apps leak data
  • 49% of payment apps are vulnerable to encryption key extraction
  • Banking apps contain more vulnerabilities than any other type of finance app
  • Nearly three-quarters of high severity threats could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography

What this means is that you use all of those apps at your own risk. Note that the laws have not kept up and it is likely that you use these apps at your own financial peril.

Apps that are provided by your financial institution, as long as it is a federally or state chartered bank, are PROBABLY covered under conventional banking laws, but other apps, what are called FINTECH companies, are much more risky.

This doesn’t mean that the company won’t reimburse you, but you don’t have the law on your side.

If you tell your bank you were the victim of fraud, the law requires the bank, in most cases, to give you back your money first and then, if they choose to, investigate the problem.

When it comes to non-bank finance applications, there are no such laws.

Additionally, some banks have modified their terms of service to state that if you provide your online banking credentials to a third party app, they are no longer responsible for any fraud.

I am not saying don’t use fintech apps, but rather, understand the risk you are accepting, and if that is okay with you, that use the apps.

Credit: Helpnet Security

Security News for the Week Ending June 18, 2021

Security Company Founder Charged with Hacking Georgia Hospital

An indictment unsealed this week in a Northern District of Georgia court accuses Vikas Singla, 45, with 18 separate counts of aiding and abetting a 2018 cyber attack against the Gwinnett Medical Center in Georgia. According to his LinkedIn profile, he is (or maybe now was) the COO of Atlanta based Securolytics. It is not clear what he did, but the feds say that he aided and abetted the attack. Credit: SC Magazine

Energy Secretary Says Adversaries Have Ability to Shut down US Power Grid with Cyberattacks

Maybe this story is a no-big-deal in light of the Colonial Pipeline attack, but Energy Secretary Jennifer Granholm said that US adversaries already are capable of using cyber intrusions to shut down the US power grid. This is something that security professionals have been saying for a long time and in light of the almost half dozen attacks on water, oil and support infrastructure in the last couple of months, this is not a big surprise. Credit: Fox8

China Crackdown Continues

The FCC approved a plan this week to ban approvals for Chinese telecom equipment from companies deemed a threat to US national security. This includes, potentially, revoking the approval of equipment and apps already in use. This continues the pressure on China started in the last administration. Credit: Verdict

Apple Not Happy With Proposed Requirement for Competition

Europe is trying to force some competition in the Apple app store and, given the amount of money that represents to Apple, they are not happy. They say that it would harm consumer’s privacy. Informed consumers could make a choice under those circumstances. Would a consumer be willing to trade some personal data in exchange for getting an app for free or at a reduced cost? Apple thinks it is their job to answer that question for their customers; the EU disagrees. Actually, Apple thinks it is their job to be a monopoly. Stay tuned. Credit: The Register

Google Accused of Selling Your Data – SHOCKING!

Google is facing a class action lawsuit for, the plaintiffs say, selling your data.

The law firm that filed the case knows a bit about these kind of lawsuits. The firm, Bleichmar Fonti & Auld LLP has previously won settlements in the tens and hundreds of millions of dollars. The were part of the team that separated Volkswagen from $17 billion, so if I were Google, I would be at least a little concerned.

The case centers around how Google’s real time ad bidding process works.

Apparently, Google hands potential advertisers a whole portfolio of information about you like Google ID, IP address, cookie match, user agent, location, device ID, race, identity, health, divorce and other key ad match criteria.

In exchange, in those few milliseconds, the advertiser decides if they want to bid on an ad for you.

If they don’t, they get to keep your data. For free.

They can, apparently, aggregate that information and sell it. Companies like Venntel do just that.

You don’t ever have to make a bid, never mind win one.

Government agencies like ICE and Customs buy this data too.

Google, of course, says that this isn’t selling your data.

In a sense they are right.

If you are not the winning bidder, they are giving it away for free.

This case was just filed in March, so we are a long way from a decision, but maybe this law firm could separate Google from a few of those billions of dollars.

It will be interesting to see if Google changes the way bids work. They are damned either way. If they do, they are admitting to what they are accused of. If they don’t and they lose, it probably increases their liability.

Stay tuned and get y our popcorn out.

Credit: Vice