Category Archives: Privacy

Do You Care If Someone Is Reading Your Email?

For some people, they don’t really care.  For other people, it is a complete invasion of privacy.

For both groups, it is happening every day.

Apps sometimes ask for permission to read your mail.  It could be to get rid of junk mail or clean your mailbox or many other reasons, but in all cases, you MUST give the app permission in order for it to read your mail.

What is sometimes not clear is that while YOU think that means that the app is reading your email, what the developer thinks is that HE/SHE can read your email.

When the app was installed eons ago, Google popped up a dialog box something like this:

You then clicked on the Allow box and the app started working its magic.

The Wall Street Journal reported earlier this week that, for example, employees of Edison Software read the mail of hundreds of users to build a new feature.   Return Path reportedly read the emails of thousands of users.

The developers say, its in the license agreement that I am sure that you read.  NOT!

Google says Not Our Fault!  You gave the app permission.

To see who you gave those permissions to and take them away, follow these steps from Motherboard:

To see which apps you’ve given email permissions to, you can use Google’s Security Checkup for Gmail. To remove these permissions, go to your Google account settings, select “sign-in and security,” navigate to “apps with account access,” click “manage apps,” and then click on your linked apps and hit “remove access.” (Go to the bottom of the post linked at the end of this blog for step-by-step screenshots illustrating how to do this.)

But this really begs a larger question.

Think about all the apps that you have installed on your iPhone or Android phone (or the two people on the planet that are still running Windows phones).

Did you even think about the permissions that the app asked for when you installed it.  Or if it asked for permissions when you ran it.

Absent doing that, there is no telling what your apps are doing.  Reading your texts, tracking your location or who knows what else.

Of course, if you don’t care, then its not a problem.  Otherwise, you should look at the permissions that you have given the various apps that are installed.  And when you install a new app, consider whether you REALLY want that app or its developers to be reading your mail or tracking your location.

 

Information for this post came from Motherboard.

Facebooktwitterredditlinkedinmailby feather

News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week, the Supremes said that the police should have gotten a search warrant before they asked for months worth of location data of a suspect.  The suspect in a robbery case was tracked by the police – over 12,000 locations, over 127 days, to correlate robbery locations to the suspect’s location.   Chief Justice John Roberts wrote the opinion, basically saying this this is a search within the bounds of the 4th Amendment.  This is good news for privacy advocates saying the the power of the government is not unbounded.  Source: CNet.

GDPR: One Month In

Not surprisingly, one month in and we have already seen the results of GDPR.

The UK Information Commissioner’s office says they have seen a sharp rise in both complaints and notifications.  In France, they have have seen a 50% rise in complaints compared to last year.

Austria says that they have received 128 complaints and 500 questions, along with 59 breach notifications.  Compare that 59 number to the entire eight months prior to the law going into effect – effectively an 8x increase.

Still numbers in the hundreds and not in the millions means that people are not going crazy.  What we don’t have data on, yet, is how many people requested copies of their information or requested that their information be deleted. Source:  WARC

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis.  Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses)  is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points.

Now it appears that data was exposed because of a lack of controls placed on an Amazon Elastic Search setup.

Given new privacy laws in place and coming in place, this type of breach MAY need to be disclosed.  So far, the company is being quiet about it.  Older privacy laws did not consider things like your kid’s names, ages and genders private.  Newer ones are starting to, hence the requirement for disclosure, possibly.  Source: Wired)

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices.  This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild and Equifax is likely doing most of these as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management.  It is actually surprising that a company of their size was not already doing all of these items and more.

The agreement does allow these states to take legal action if Equifax does not implement these controls.  Source; The New York Times

Facebooktwitterredditlinkedinmailby feather

CA AB 375 – A Law That Will Change The Internet As We Know It

For those of you who do not have a life and hence follow the shenanigans of the legislative process in various states, today is a day that you will remember.

The California legislature was held hostage by real estate mogul Alastair Mactaggert.  Mactaggert spent $3 million of his own money (for him seat cushion money) to get the California Consumer Privacy Act on the ballot.

Here is the hostage part.

The ballot initiative would have built into the California Constitution consumer privacy protections similar to what just went into effect in Europe with the General Data Protection Initiative or GDPR.  Businesses were geared up to fight the intiative, planning to spend $100 million on it.  Mactaggert could have raised that much from his close friends, so there was going to be a battle.

Of course, no one knows if the ballot initiative would have passed, but if it did, if would have been impossible to change without another ballot initiative.

The alternative was for the legislature to pass a law, Assembly bill 375, that would mimic the major features of the ballot initiative, but would have been much more easily amended if there were unforeseen consequences.

TODAY was the deadline for pulling the ballot initiative.

So the legislature made a bargain from hell.  They passed the bill, Governor Brown signed it, but the bill has a poison pill in it.  If the ballot initiative isn’t pulled, the law is null and void.  Mactaggert agreed to pull the initiative if the bill is passed and signed.  He did pull the initiative today.

So tech companies get a law that has more wiggle room than the initiative would have had, but way less flexibility than what they can do today.

AND, unless they plan on having two Internets, one for California and one for the rest of the country, the change will affect everyone.

The bill was a work in progress up until the time is was voted on – we have seen that in Congress many times, so that should not surprise anyone.  Now that it has been signed into law, people will start dissecting it.  Without regard to the nuances, here  is what the San Jose Mercury News says about it.

First, the bill does not take effect until 2020, which is probably a fgood thing.

Like the GDPR, the law will allow consumers to know what data is collected on them, opt out of collection and hold companies accountable for data breaches.

When California passed the landmark privacy law SB 1386 in 2003, everyone thought they were crazy, and maybe they were, but 1386 is the basis of every privacy law in the United States.

CA AB 375 may do that again – leading the way.  The saying goes, “As goes California, so goes the rest of the country”.

The passing of this bill came right on the heels of the Exactis data breach of 340 MILLION people and businesses, so the California tech companies were playing Russian roulette with at least 4 bullets.  In light of this breach, would California voters enshrine a much more aggressive law into the Constitution?

One part of the bill that companies who do business in California are breathing a sigh of relief over is that, under AB 375 you and I can Sue a company for a breach – something that does not exist today – but under the ballot initiative, we could sue if they violated any part of the law.  Still, the threat of 30 million Californians suing you over a data breach should get the attention of most Board members.

In exchange for limiting the right to sue, residents can ask for what information companies have on them, twice a year, for free.  It also gives people the right to delete it.

For kids under 16, companies must get an opt-in to collect their data in the first place.

Google and Facebook want to change the law already, but I assume that if they stray too far, Mactaggart will dust off the initiative, which now will probably seem to many Californians like a tweak and the odds of passing a new initiative are greatly increased.

After today, Californians will expect this to be the new norm.

Facebook and Google’s trade group said that they want to change it so that Californians get all the benefits and opportunities consumers expect.  One of the benefits many consumers expect is a tiny little bit of privacy.  One of the benefits that Facebook and Google want to sell every little thing that they can find out about you.

A recent poll found that 73 percent of those polled think there should be more regulation of big tech companies, so I would say they (Facebook and Google and their friends) should be very careful about what they do or they may get something that they REEEEEALY don’t like – a new ballot initiative.

Professor Eric Goldman, Professor of Law at Santa Clara University School of Law, co-director of the school’s High Tech Law Institute and supervisor of the school’s Privacy Law Certificate writes an incredible blog.

Yesterday he wrote the longest blog post I have ever seen him write about this, at the time, bill.

I won’t even try to recreate the blog in this post, but a link to it is available at the end.

Professor Goldman calls the bill a privacy bomb.  Depending on which side you are on, it is either a good bomb or a bad bomb.

The bill creates what is now called the California Comsumer Privacy Act of 2018, effective in 18 months on January 1, 2020.

Just like GDPR, businesses of all sizes would need to create a mechanism to respond to consumer requests for data, deletion requests and data sharing limitations.  Businesses can decline to delete information if they meet one of the several allowances.

It prohibit a third party (like Exactis who was just breached) from selling personal data about a consumer unless the consumer has received explicit notice and has the right to opt out.  For businesses that are in the business of selling your data, this is a nightmare.

Just like GDPR, businesses have to provide a conspicuous link on their homepage for “Do Not Sell My Personal Information”.  Today, if there even is a way to do it, it is buried on page 22 of privacy policy full of dense legalese.

The bill would prohibit discrimination against a consumer because they exercised their rights under the law.  Discrimination includes denying goods or services to the consumer, charging different prices, providing a different level or quality of goods or services .

But there is a takeaway here.

They can charge a different price or different level of service if that difference is reasonably (are the lawyers paying attention) related to the value provided to the consumer by their data.  So, if Facebook can make say $5 a month per user by selling their data, they could say that if you don’t want us to sell your data, give us your credit card and we are going to charge you $5 a month.  Under that scenario they could not say that they want to charge you $25 a month.

Businesses are authorized to pay you to be allowed to sell your data (which somehow is different from charging you a different rate for selling your data),  Consumers would have to opt-in for that.

Like GDPR, businesses have to disclose a whole bunch of new information in their privacy policy.

Finally (this post is already way too long), the bill allows consumers to initiate a civil action and collect damages of between $100 and $750 per incident, or actual damages, whichever is GREATER, in case of a breach of unencrypted data.

Professor Goldman’s post has a lot of additional information, so please read it.

The bill does have an exemption for small businesses.  The law applies to businesses which meet ANY of these criteria:

  •  $25 million in revenue -OR-
  • Derives more than 50% of its revenue from selling data -OR-
  • Buys, sells, shares for commercial purposes or receives for commercial purposes the information on 50,000 or more consumers,  households or devices.  That means 137 visitors a day.

My guess is that the last item is the one that will catch most small businesses.

I will write more about this as the details become more solid. Professor Goldman wrote his blog based on a three day old version of the bill, so who knows what got added or deleted.

Information about the bill can be found on the Assembly’s web site, but as of tonight, the enrolled bill is not there.  Here is a link to the bill’s history.

Information for this post came from the San Joe Mercury News and Prof. Eric Goldman’s Privacy Blog.

 

Facebooktwitterredditlinkedinmailby feather

Colorado Governor Signs New Cyber Security Bill Into Law

Effective September 1, 2018, *ALL* companies doing business in Colorado will have just 30 days to notify residents if their data was breached.  That is just one of the new rules.

The rules apply to both government entities and businesses, which is a bit of a surprise.  Different laws, but basically the same requirements.

What will businesses need to do?

  • Have a written policy for the destruction or proper disposal of paper and electronic documents containing personal information.
  • Implement and maintain reasonable security procedures and practices that are appropriate to the nature and size of the business.  While this gives you a lot of wiggle room, you may need to justify to a judge or the attorney general why you called your practices reasonable.
  • If you use any third party services (which is pretty much everybody), you must require that third party to implement and maintain reasonable security practices and procedures unless you choose to be liable for their practices instead (which is not a great idea).
  • In case of a breach, notify residents providing specific information about the breach.  If the business does not have sufficient information to contact residents directly or if the cost of contacting residents will exceed $250,000 (or a couple of other reasons), an alternate notification process will kick in, which includes a prominent notice on the company’s web site and notification via state-wide media.
  • If the breach affects more than 500 people, the business must notify the attorney general and if it affects more than 1,000 people, the business must also notify the credit reporting agencies.  Consumers cannot waive these rights in a contract or other agreement.
  • If encrypted data is breached, notification is not required if the encryption mechanism is not compromised.  This means that if a powered off laptop which is encrypted is stolen, then notification is likely not required, but otherwise, it probably is required.
  •  Criminal charges may be brought against a business under certain circumstances.

This law leaves a lot of leeway for the Attorney General to interpret things and the current AG was very active in shaping this bill, so I would not count on him being lax when it comes to prosecution.

Facebooktwitterredditlinkedinmailby feather

Amazon Sells Face Recognition Tech To Cops

Amazon is selling facial recognition technology that it has developed – called Rekognition – to law enforcement agencies and maybe others – Amazon won’t say.

While there is nothing illegal about this and if Amazon doesn’t do it, others likely would, it certainly raises privacy concerns.

Two police departments that are known to have purchased the software are using it in different ways.

The Washington County, Oregon Sheriff is using it to match suspects to people in their database.  They use it, they say, about 20 times a day.  It cost the department $400 to upload 305,000 mugshots and it costs them $6 a month to use the service.  These numbers have to be very attractive to law enforcement.

The Orlando, FL police department, however, is using it very differently.  Orlando has a series of surveillance cameras throughout the city to watch people who are out in public.  They call them public safety cameras since that likely sounds better than the 1984-esque alternative.  Using these cameras and Amazon’s facial recognition system, the city can look at the images to find “persons of interest”.  Of course, most of us won’t complain if the city we live in is safer, but it also means that likely your every move in Orlando (and maybe other cities, we do not know) could be being monitored and potentially recorded.

Some people say that if you are not doing anything wrong you shouldn’t object to being surveilled.

As we recently discovered, all of the major cell phone companies sell your location data to anyone who’s check will clear.  Is there any reason that cash-strapped cities won’t do the same?  Maybe with the pictures showing what you were doing and with whom?  Don’t know.  There are no clear universal laws covering this other than you do not have an expectation of privacy when you are outside.

So, what can or should you do?

Unfortunately, in this case, there is not a lot that you can do.

Be aware, for one, that your actions are not private, may be recorded, and you may be identified and your actions cataloged.  This is somewhat like what automated license plate readers do in some cities, only a little more intrusive.

Write to your politicians if you think that there should be limits on the surveillance that your government should be doing, absent probable cause.  It may or may not make a difference, but certainly if people do not complain, the politicians will assume you don’t care.

Finally, let your friends know what is happening.  An informed citizenry is critical to a democracy.

So stay tuned.  I suspect that Jeff Bezos won’t change his mind and stop selling this technology because even if he does, someone else will likely step in to replace him (maybe Facebook).  This story will take a while to play out.

Information for this post came from The LA Times.

Facebooktwitterredditlinkedinmailby feather

Facebook is in More Hot Water

Glad I am not Mark Zuckerberg,

Well, maybe.  I think I would like to have his bank account 🙂

Facebook is making some efforts to rehabilitate it’s image within the fundamental constraint that it is selling your data for a living.  While pretending that it is all for your benefit.

As part of this rehab effort, Facebook is reviewing tens of thousands (or more) of apps to find ones that are misusing data.

So far, they have “suspended” about 200 apps.

One app, myPersonality, has likely misused large amounts of data on millions of users over the last 3-4 years.  It, too, is now suspended.

To quote someone (there is a debate as to who) :  With Great Power Comes Great Responsibility.

This may be a defining moment for Facebook.

So what should you do?

The greatest power is the power wielded by the Internet user.  Facebook can only collect information that you provide it. Same for Google.  Sometimes the information is provided willingly.  Other times it is much less obvious, like when Google collects information about what web pages you visit and for how long.

Hopefully, for most people, it is becoming painfully obvious that YOU are the product.

So be careful about what apps you install, what data you provide and to whom.  Or not.  But, if not, understand the implications.  

One thing you should assume.  If you provide information to an app or a public web site, it could become public.   If that is a problem, don’t provide the information.

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather