Data Digest № 020

By Serafin Lion Engel
Published in Datawallet Blog, Sep 23, 2019

Welcome to the 20th edition of the Data Digest, where I sum up the most important happenings in the data industry. This edition’s two-week overview includes: VICE uncovers DMVs’ dirty data dealings, Facebook reveals 2 million apps require privacy investigations, businesses scramble to comply with the CCPA, secret F.B.I. subpoenas scoop up personal data, millions of Americans’ health data is found available on the internet, Facebook mingles with your love life, sneaky Bluetooth location tracking, and more. Enjoy!

Sign up 👉 right here 👈 to get the Data Digest in your inbox.

American Drivers’ Personal Data Commercialized By DMVs

VICE revealed that several Department of Motor Vehicles (DMVs) are selling American drivers’ data for tens of millions of dollars without their consent. The investigation, based on hundreds of DMV documents, uncovered that “Wisconsin DMV had data selling agreements with over 3100 different entities, including around two dozen private investigation firms”. Similar arrangements were also found in the Virginia DMV. Senator Bernie Sanders stated, “Nobody — from agencies like the DMV to large corporations like Facebook and Google — should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans.”

Senator Mark Warner said, “this is just another example of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized. The standard talking point that consumers ‘don’t care about privacy’ has been increasingly disproven, as we learn that consumers and policymakers have been kept in the dark for years about data collection and commercialization practices.” Reckless ways of selling data have been legitimized, and in some cases encouraged, by inadequate federal privacy laws. These are all worrying signs that the current legal system for protecting user privacy and users’ agency over their personal information will not suffice, and that a federal data privacy regulation framework, like the California Consumer Privacy Act (CCPA), is more urgent than ever before.

Facebook Reveals That Two Million Apps Could Have Misused Personal Data

Facebook revealed that the privacy issues and scale of suspensions associated with the Cambridge Analytica scandal in 2018 were much larger than it had previously disclosed. The court documents exposed that Facebook identified approximately two million apps that needed to be investigated in order to confirm whether they’d misused people’s personal data. Maura Healey, the attorney general for Massachusetts, stated, “For nearly a year, Facebook has fought to shield information about improper data-sharing with app developers… If only Facebook cared this much about privacy when it was giving away the personal data of everyone you know online.” Because the investigation would consume such a large amount of resources, it was narrowed to a focus group of 10,000 apps. Of those, Facebook commenced a “detailed background check” of the developers behind 2,000 apps in order to determine whether they showed signs of fraud or had significant connections to “entities of interest”. The sheer hypocrisy of the company fighting to keep these documents hidden from the public eye for almost a year, while simultaneously conjuring up a rampant privacy PR front, is frankly unfathomable.

The California Data Privacy Law Is Approaching

California’s landmark data privacy regulation will go into effect on Jan 1st, 2020. It’s estimated that over 500,000 U.S. businesses will fit the criteria to comply. The law applies to any for-profit business that conducts business in California and

  • generates a revenue of more than $25 million
  • holds personal information of at least 50,000 consumers
  • generates at least 50% of its revenue from selling data.

This is a tall order for companies that haven’t previously been on top of their data collection practices, as it requires them to keep all their customer data in one place and match up individuals’ data across disparate systems. “You have to find a way to capture all that information and track it so you know what’s happening with that information,” said Dan Koslofsky, associate general counsel for privacy and data security at Gap. “And that’s a pretty significant undertaking for most companies. Unless you’ve been in a regulated space like health care or financial services, you probably haven’t done that previously.” Rena Mears, a principal with the law firm DLA Piper, commented that “99% of the businesses that we’re dealing with are choosing to make the law apply to all their U.S. customers.” Rapidly changing data regulations can heavily drain a business’s resources. As legislation across the U.S. aims to enhance the privacy rights of consumers, businesses will continue to scramble for compliance. Businesses that take a proactive rather than reactive approach to data privacy, instead of simply complying with new legislation, will come out on top. Innovative and preventive data governance solutions like Datawallet enable companies to establish and, more importantly, maintain the trust of their consumers.

Secret F.B.I. Subpoenas Scoop Up Personal Data From Scores of Companies

Documents obtained by the Electronic Frontier Foundation by way of a lawsuit, and subsequently shared with The New York Times, have revealed that the F.B.I. has been using secret subpoenas to obtain personal data from more than 120 companies, including credit agencies, major cellular providers, financial institutions and universities. The NYT reported that “the demands can scoop up a variety of information, including usernames, locations, IP addresses and records of purchases. They don’t require a judge’s approval and usually come with a gag order, leaving them shrouded in secrecy.” The documents included information on 750 subpoenas, out of an expected total of approximately half a million since 2001, following the expansion of rights under the Patriot Act. The highest number of the so-called “National Security Letters” went to Equifax, Experian and AT&T, which received more than 50 each. TransUnion, T-Mobile and Verizon came second with more than 40. Yahoo, Google and Microsoft got more than 20 each, and over 60 companies received only one. Albert Gidari, privacy director at Stanford’s Center for Internet and Society, noted that “Telecoms and financial institutions get little attention” compared to Silicon Valley firms, mostly because these firms are less likely to fight the gag orders relative to big tech.

Millions of Americans’ Medical Images and Data Are Leaked on the Internet

Confidential patient records of over 5 million U.S. citizens and over 16 million scans worldwide were uncovered online by ProPublica and the German broadcaster Bayerischer Rundfunk. Anyone with basic computer skills can access the images and sensitive health data. During the investigation, they found 187 servers used to store and retrieve medical data that were left almost completely unprotected, without basic security protocols such as passwords. Jackie Singh, a cybersecurity researcher, accurately stated, “It’s not even hacking. It’s walking into an open door.” Data included patients’ names, birthdates, Social Security Numbers and sometimes even their echocardiograms. Several security experts noted that the exposure of such sensitive medical data could violate the Health Insurance Portability and Accountability Act (HIPAA).

Facebook’s Mingling With Your Love Life

Charlie Warzel wrote an opinion piece for the New York Times on why not to trust Facebook with your love life. Though it seems obvious, the feature will probably remain a top attraction for many. After all, they’re “just connecting people”, right? “No ads, no revenue, just love.” Charlie notes that the new Dating feature might not be as charitable as it seems, with Facebook doing some “mingling of its own” by merging Instagram and Facebook contacts, stories and photos. Furthermore, he goes on to list Facebook’s incredible track record of data abuse, surely not a company you should entrust with your most intimate details. Nevertheless, other dating apps haven’t shown much more promise. Tinder is another prime data offender, hoarding troves of information people choose to disclose, including locations, interests, pictures, career history, tastes and personal preferences. The problem with these ‘new features’ is that the only goal for the company selling them is to collect more data on their customers in order to increase their ad serving efficacy, maybe not within the feature itself, but certainly outside of it. The fact that this is not clearly communicated, and is hidden behind an apparently humanistic motivation, is troublesome.

The Not So Secret Plan For Boris Johnson To Gather Personal Data

In the run-up to Brexit, Boris Johnson has requested that the Cabinet Office obtain access to all GOV.UK data in order to “accelerate his ambitions for a digital revolution in public services”. Privacy advocates and opposition leaders have questioned the legal and ethical implications of pooling user data across government. The potential for this to take place without user consent and with poor protection of the public’s data rights is a huge concern for privacy campaigners and policy experts. GOV.UK provides information and services, from passports to pensions. It’s the government’s public platform for some of the UK population’s most personal information. As of this month, it has become the hub for the government’s publicity campaign to prepare voters and businesses for a no-deal Brexit. Government-funded advertising on Facebook and other social media platforms is urging people to “Get Ready for Brexit”, directing them to GOV.UK for more information. Using public data from GOV.UK to drive political campaigns without consent could lead to significant distrust, and make the public hesitant to share data with the government in the future.

Hong Kong Protesters’ Personal Data Leaked by Russian Website

A site on a Russian domain was found to be exposing the detailed personal information of Hong Kong protesters and journalists. This has been viewed as a politically motivated act that marks yet another serious limitation on the city’s dwindling civil liberties. “Doxing can be done for several reasons, but in this case, it seems the goal is to harass and to encourage self-censorship,” said Tsui, a journalism professor at the University of Hong Kong. “It is also aimed at discouraging people from protesting or speaking the truth.” According to Tsui, Chinese state media were reportedly also promoting the site; he also believes this reflected Beijing’s fear of the Hong Kong protests.

Bluetooth Enables Companies To Sneakily Track Your Location

Apple’s iOS 13 update integrated a new privacy measure that requires apps to ask for your consent in order to use your device’s Bluetooth, to stop companies sneakily tracking your location by using beacons in stores. Chris Welch, a reporter for Wired, was shocked to find out just how many apps have subsequently asked him for Bluetooth permissions. Apple also increased transparency on location tracking by alerting users to how many times an app, such as Google Maps, tracked their location in the background, visualized on a map. This is a good move forward from Apple. Data tracking transparency will hopefully encourage people to adjust the privacy settings of apps running in the background. However, many users will likely misunderstand the prompts for consent and grant location access regardless.

Data on Almost Every Ecuadorian Citizen Leaked

The personal data of 17 million Ecuadorian citizens, including 6.7 million children, was found to be publicly available on an unsecured cloud server by security company vpnMentor. This was an incredibly serious data breach that involved a huge amount of sensitive and personally identifiable information. The exposed files included basic identity data as well as financial information, phone numbers, family records, marriage dates, education histories and work records. The security researchers who uncovered the breach said, “This data breach is particularly serious simply because of how much information was revealed about each individual”. A quick search of the data could reveal home addresses, information about children, models and registration plates of the cars they drove and financial information. Such negligence with deeply personal information is a huge security lapse, and the data is extremely dangerous in the hands of criminal gangs. Ecuador’s computer emergency security team thankfully managed to respond quickly and cut off open access.

Other Reads This Week

Facebook, Google, Apple and Amazon Stuck In Government Cross Hairs

UNICEF data leak reveals personal info of 8,000 online learners

LastPass Uncovered A Password-Exposing Bug

Google Will Listen to Your Conversations Again, But Ask First

If you’re interested in what we’re doing at Datawallet, including our all-in-one CCPA compliance product that not only helps you stay ahead of data privacy regulation such as CCPA but also helps you build profound trust with your customers, go to https://datawallet.com/

Best,

Serafin
