Tag Archives: Big data

You ARE The Product

While this should not come as much of a surprise, it is interesting none the less.

The Edison email app, one of the top 100 productivity apps on the Apple app store, scrapes user’s email inboxes and sells the data.

This information came from a confidential J.P. Morgan presentation to investors who use the data to either make stock picks or business decisions.

Edison says that it “processes” user’s inboxes.  It is not clear to  users that processing means scraping their data.

Their website says ‘No ads’ and ‘Privacy First’ and that ‘Edison Trends practices privacy by design’.  These terms have no legal meaning at all, but they sound good.  Trends is one of the Edison entities that sells user’s data.

Edison has created features that users like.  Features like package tracking and price tracking.  That, of course, provides them more data to sell.

Edison says that they sell consumer purchase metrics including brand loyalty, wallet share, purchase preferences, etc.

Another company, Foxintelligence, cleans up users’ inboxes.  In the process, they reap reams of user data that they sell.

Foxintelligence’s COO said that creates value for both sides without compromising privacy.

Of course, if this was true, they would have been more upfront about what they are doing.

Some of Foxintelligence’s clients include Paypal, Bain & Company and McKinsey.

Rakuten also does this;  last month they created an opt-out page on their web site.  They said that was to comply with California’s new privacy law.

Motherboard says that they have a document that the price of one category of Rakuten data is over $100,000.

The Wall Street Journal says that Edison employees read people’s emails in order to improve their software.

While none of this is illegal (at least I don’t think so), none of the companies are excited about telling users what they are doing and that they are selling their data.  Even if the data is pseudo-anonymized, deanonymizing such data is almost trivial.

With laws like California’s CCPA which allows people to opt out of their data being sold – reducing the value of the dataset and the HUGE revenue streams the data generates, companies who’s business depends on being opaque about your data are definitely scared.  Also, companies who buy the data want more data to suck into their business models.

Last year 10 other states had CCPA-like bills introduced.  While none passed, it is likely more will be introduced in the next session.

Source: Vice



Security news for the Week Ending May 24, 2019

SalesForce Gives Users Access To All of Your Company’s Data

In what can only be called an Oops, SalesForce deployed a script last Friday that gave users of certain parts of SalesForce access to all of the data that a company had on the system.  The good news is that it didn’t show you anyone else’s data,  but it did give users both read and write access to all of their company’s data.

In order to fix it, Salesforce took down large parts of its environment, causing some companies that depend on SalesForce to shut their company down and send employees home.

This brings up the issue of disaster recovery and business continuity.  Just because it is in the cloud does not mean that you won’t have a disaster.  It is not clear if replicating your SalesForce app to another data center would have kept these companies working.  Source: ZDNet.

Google Tracks Your Online Purchases Through GMail

While this is probably not going to show up as a surprise, Google scans your emails to find receipts from online purchases and stores them in your Google purchase history at https://myaccount.google.com/purchases .  This is true whether you use Google Pay or not.  One user reported that Google tracked their Dominos Pizza and 1-800-Flowers purchases, as well as Amazon, among other stores.

You can delete this history if have masochistic tendencies, but I doubt anyone is going to do that because it requires you to delete the underlying email that caused it to populate the purchase, one by one.  There is also no way to turn this “Feature” off.

It appears that it keeps this data forever.

Google said they are not using this data to serve ads, but they did not respond to the question about if they use it for other purposes.  Source: Bleeping Computer.

President Trump Building An Email List to Bypass Social Media

Welcome to the world of big data.  The Prez has created a survey for people to submit information about how they have been wronged by social media.  And get you subscribed to his email list.  Nothing illegal.  Nothing nefarious.  Just a big data grab.

If you read the user agreement, it says you “grant the U.S. Government a license to use, edit, display, publish, broadcast, transmit, post, or otherwise distribute all or part of the Content.  (NOTE: That “content” includes your email address and phone number).  The license you grant is irrevocable and valid in perpetuity, throughout the world, and in all forms of media.” 

This seems to be hosted on the Whitehouse.Gov servers.  It is not clear who will have access to this data or for what purpose.  Source: Vice.

Colorado Governor Declares Statewide Emergency After Ransomware Attack

Last year the Colorado Department of Transportation suffered a ransomware attack.  Initially the state thought it was getting a handle on the attack, but ten days later it came back.

It was the first time any state had issued a Statewide Emergency for a cyberattack.  Ever!  Anywhere!

It had the affect that the state was able to mobilize the National Guard, call in resources from other departments, activate the state Department of Homeland Security and Emergency Management and get help from the FBI and the US Department of Homeland Security.  It also allowed them to call for “Mutual Aid”, the process where neighboring jurisdictions  – in this case neighboring states – provided assistance.

It worked and since then, other states have begun to do this.

When you have a disaster, even a cyber disaster, you need a lot of resources and an emergency declaration is one way to do it. Source: StateScoop.


Latest Breach – 885 Million Records

First American Financial, one of the largest title insurance companies, exposed 885 million records going back to 2003 due to a software design flaw.  The records include all kinds of sensitive records that are associated with real estate closings.  Source:  Krebs on Security.

Your Tweets Could Affect Your Insurance Rates

While the big data vs. insurance rates battle is in its infancy, that does not mean that insurers don’t have plans.  They do.

Some are already using data from consumers to affect rates.  Some insurers say that the data that consumers give them could lower rates and SOME insurers say that the data won’t be used to raise rates.  Since this is still in its infancy, don’t count on those statements for much.

Swiss Re, one of the biggest reinsurers (the insurance companies’ insurance company) just bought digi.me .  Digi.me is currently allowing consumers to aggregate data in their system .  That data will be shared with businesses to give consumers targeted ads and discounts.  At least for now.

Discovery’s Vitality program collects diet, exercise and other information.  Make the “right” choices and you might get a premium discount or cash back.  Make the wrong choices and…

Allstate’s Drivewise gives drivers who install a gizmo in their car which sends driving data to Allstate discounts if you drive “appropriately”.  That is only a short step from penalizing you if you drive like Mario Andretti.

They could also use people’s public social media posts to affect rates too.  Have a salad for dinner and get discount points.  Have a burger and beer and your rates go up.

Refuse to share data and maybe you can’t get insurance at any price.

There are very few laws in the United States that control what insurance companies can do with “public” data or even data that they buy from the likes of R.L. Polk (owned by IHS now), A.C. Nielsen and others, each of which have data on tens of millions of people.

Also remember that the Internet never forgets.  Even if you improve your behavior, that data is still there in those databases.  Articles that I wrote in the 1990s are available.

And with things like smart TVs and smart refrigerators, what you eat and what you watch might affect your ability to get insurance.  Or your rates.

This is complete conjecture at this point but I sure wouldn’t rule it out.

Information for this post came from Reuters.

Uber Releases Data on 11.6 Mil Passengers, 583k Drivers

One of the downsides of collecting data is that you may have to disclose it.  In Uber’s case, it collects a lot of data, so regulators and law enforcement can ask for that data.  In this case, even though the release of all this data is not a breach, it still could be a cause for privacy concern.

I was in New York this week and took a taxi on several occasions.  I went to the corner, got into the cab, told the driver where I wanted to go and when we got there, gave the driver some cash.  While the taxi company could tell the taxi and livery commission that they took a passenger from this address to that address, that is about all they know.

Contrast that to Uber.  They know exactly who there customer is.  Their customer is required to pay with a credit card.  They know where you started and where you ended and how many trips you take.

This is the first transparency report Uber has released, so let’s look at what they said:

  • For the second half of 2015, they gave information on 5 million passengers and 300,000 drivers to California regulators.
  • Nationally, they gave regulators information on 11.6 million passengers and 583,000 drivers.
  • Airport authorities received information on 1.6 million passengers and 156,000 drivers.
  • On the other hand, law enforcement only asked for information on 408 passenger accounts and 205 driver accounts.  Of course, that could represents thousands of trips, or more,  in total.  Most of this was to catch customers using stolen credit cards, they said.

While I agree that this is far from a data breach, still it is a concern.  How many data elements did Uber release?  Why do regulators need it?  How are the regulators protecting it?   Regulators are not required to have a reason for asking for the the data other than they want it – no subpoena, no judge, no warrant – and there is no real appeals process.  For companies like Uber, the threat is that the regulators could make their life pretty messy if they make a stink.

For me, I continue to use taxicabs.  They seem a lot less invasive than Uber’s big data collection machine.  And, as far as I can tell, taxis don’t use surge pricing.

Call me old fashioned.

Information for this post came from the San Jose Mercury News.