Simply not credible: The extraordinary verdict against ICANN – the body that hopes to run the internet

In an extraordinary judgment, the organization that hopes to take over running the top level of the internet later this year has been slammed by an independent review as at best incompetent and at worst deliberately mendacious.

The decision [PDF] by ICANN’s Independent Review Panel (IRP) over the organization’s decision to refuse “community” status for three applications covering business suffixes has exposed a level of double-dealing that many suspected occurred in the non-profit organization but has been difficult to prove.

Source: Simply not credible: The extraordinary verdict against the body that hopes to run the internet

This is an incredible story of lawyers who feel they are above the law, insider dealing and nepotism. What a mess at ICANN

Characterizing and Avoiding Routing Detours Through Surveillance States

We find that 84% of paths originating in Brazil traverse the United States, but when relays are used for country avoidance, only 37% of Brazilian paths traverse the United States. Using the open DNS resolver infrastructure allows Kenyan clients to avoid the United States on 17% more paths. Unfortunately, we find that some of the more prominent surveillance states (e.g., the U.S.) are also some of the least avoidable countries.

Cornell University Library

A legal approach to mitigate anonymisation with risk

Perfect anonymization of data sets that contain personal information has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adapt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the best way to move data release policy past the alleged failures of anonymization is to focus on the process of minimizing risk of reidentification and sensitive attribute disclosure, not preventing harm. Process-based data release policy, which resembles the law of data security, will help us move past the limitations of focusing on whether data sets have been “anonymized.” It draws upon different tactics to protect the privacy of data subjects, including accurate deidentification rhetoric, contracts prohibiting reidentification and sensitive attribute disclosure, data enclaves, and query-based strategies to match required protections with the level of risk. By focusing on process, data release policy can better balance privacy and utility where nearly all data exchanges carry some risk.
paper here

Amazon randomly kills PriceZombie price comparison site

Unfortunately, it seems our service has to come to an untimely end. After being previously told we were in 100% compliance with the rules, our Amazon affiliate account was closed a few months ago. Amazon claimed we were violating their rules against showing product and price information that was more than 24 hours old. Obviously, this is something ALL price history trackers do, not just PriceZombie. Overnight, we lost over 90% of our income but we kept going, hoping to resolve any issues and return to compliance. However, our appeals to Amazon affiliate program administrators (associates@amazon.com) and even Jeff Bezos (jeff@amazon.com) were either ignored or answered incompletely

Source: Important Announcement – PriceZombie will be shutting down unless..

Wtf?

Dark Patterns make you do stuff you don’t want to on websites

Everyone has been there. So in 2010, London-based UX designer Harry Brignull decided he’d document it. Brignull’s website, darkpatterns.org, offers plenty of examples of deliberately confusing or deceptive user interfaces. These dark patterns trick unsuspecting users into a gamut of actions: setting up recurring payments, purchasing items surreptitiously added to a shopping cart, or spamming all contacts through prechecked forms on Facebook games.

Dark patterns aren’t limited to the Web, either. The Columbia House mail-order music club of the ’80s and ’90s famously charged users exorbitant rates for music they didn’t choose if they forgot to specify what they wanted. In fact, negative-option billing began as early as 1927, when a book club decided to bill members in advance and ship a book to anyone who didn’t specifically decline. Another common offline example? Some credit card statements boast a 0 percent balance transfer but don’t make it clear that the percentage will shoot up to a ridiculously high number unless a reader navigates a long agreement in tiny print.

“The way that companies implement the deceptive practices has gotten more sophisticated over time,” said UX designer Jeremy Rosenberg, a contributor to the Dark Patterns site. “Today, things are more likely to be presented as a benefit or obscured as a benefit even if they’re not.”

When you combine the interactive nature of the Web, increasingly savvy businesses, and the sheer amount of time users spend online, it’s a recipe for dark pattern disaster. And after gaining an awareness for this kind of deception, you’ll recognize it’s nearly ubiquitous.

Source: Dark Patterns are designed to trick you (and they’re all over the Web)

Spotify is now selling your information to advertisers

The popular streaming service is now the latest platform that is opening its data to targeted advertising. Everything from your age and gender to the music genres you like to listen to will be available to various third-party companies.

Spotify is calling it programmatic buying and has already enabled it. Advertisers will have access to the 70 million people that use Spotify’s free, ad-supported streaming across 59 countries. By viewing your song picks, these buyers will be able to look for specific users who might be the best matches for the products they’re selling.

Source: Spotify is now selling your information to advertisers

Empty your free 30GB OneDrive space today – before Microsoft deletes your files for you

Microsoft is cutting its free 15GB OneDrive cloud storage space down to 5GB, and eliminating the 15GB free camera roll for many users. Files will be deleted by Redmond until your account is under the free limit.

Clouds turn to rain to hide your tears

Source: Empty your free 30GB OneDrive space today – before Microsoft deletes your files for you

Goes to show – the cloud’s promises are not worth very much…

Russian leader Putin signs controversial ‘Big Brother’ law

The new legislation — which Edward Snowden has called “Russia’s new Big Brother law” — is not only severe against those involved in “international terrorism,” its financing, and its non-denunciation. Law enforcement agencies will also be granted access to any user’s messages without any judicial oversight.

Several key provisions will directly affect the internet and telecom industry. In particular, telecom operators and internet resources will need to store the recordings of all phone calls and the content of all text messages for a period of six months. They will be required to cooperate with the Federal Security Service (FSB) to make their users’ communications fully accessible to this organization.

Source: Russian leader Putin signs controversial ‘Big Brother’ law

UK Police Accessed Civilian Data 1283 times for Fun and Profit, New Report Says

More than 800 UK police staff inappropriately accessed personal information between June 2011 and December 2015, according to a report from activist group Big Brother Watch.

The report says some police staff used their access to a growing trove of police data, which includes personal information on civilians, for entertainment and personal and financial gain.

Not only was some information not needed for official police work, according to the report, but was shared with third parties outside the police, including some organized crime groups, 877 times.

In total, 2,315 incidents of inappropriate access or distribution of data were reported.

The majority of incidents, 1,283, ended up with no disciplinary action taking place, while 297 ended in a resignation or dismissal, 258 resulted in a written or verbal warning, and 70 led to a criminal conviction or caution.

Citigroup Is Suing AT&T For Using the Word ‘Thanks’ Because Citi Trademarked Thankyou

Back in 2010, the US Patent and Trademark Office granted Citigroup a trademark for “thankyou,” which the company uses for credit card services. Today the company is suing AT&T over its own use of the terms “thanks” and “thanks AT&T.” Check the date, because this isn’t April Fool’s.

Source: Citigroup Is Suing AT&T For Using the Word ‘Thanks’ Because Citi Trademarked It

Uhm… some dick in a patent office decided to trademark a well known phrase because they dropped the space – and now they are using it as ammunition to go after people using a well used word? There is something rotten in the state of trademark.

systemd unilaterally changes value to kill background processes after user logs out

Source: #825394 – systemd kill background processes after user logs out – Debian Bug report logs

And amazingly defends their choice with a “we are wiser than thou, you don’t know what you need” argument whilst telling world + dog how system administration should be done. Idiots. Nobody expects programs on a server to be killed for them and nobody uses Debian for a desktop.

You Can Absolutely Be Identified Just By How You Drive

Researchers from the University of Washington and the University of California, San Diego did an experiment to see what could be learned from just the information many cars are already recording. The result was that the way people drove was as identifiable as a fingerprint. […] When it was given data from all 16 sensors for the whole drive, the match was made 100 percent of the time. When it was given data from five sensors, three sensors, and even just the brake pedal, the match was made 100 percent of the time.

On just 15 minutes of data and all 16 sensors, the match was made 100 percent of the time. Just the brake pedal was 87 percent accurate.

This research reveals just how much data your car is actually collecting—and that turning over all that data through apps or insurance company dongles may be revealing more about yourself than you realize. Tesla, with its auto-uploading feature, probably knows a lot about its drivers.

Source: You Can Absolutely Be Identified Just By How You Drive

Oculus breaks promise, uses DRM to kill app that let you switch VR systems

As recently as 5 months ago, Oculus founder Palmer Luckey was promising his customers that they could play the software they bought from the Oculus store on “whatever they want,” guaranteeing that the company wouldn’t shut down apps that let customers move their purchased software to non-Oculus hardware.

But now, Oculus has changed its DRM to exclude Revive, a “proof-of-concept compatibility layer between the Oculus SDK [software development kit] and OpenVR,” that let players buy software in the Oculus store and run it on competing hardware.

The company billed the update as an anti-piracy measure, but Revive’s developer, who calls themself “Libre VR,” points out that the DRM only prevents piracy using non-Oculus hardware, and allows for unlimited piracy by Oculus owners.

Source: Oculus breaks promise, uses DRM to kill app that let you switch VR systems

There you go – DRM being thrown in again. It’ll get broken, but still it becomes an annoyance to the users. So another reason (apart from the price) to go to a competitor.

Study shows phone metadata is much more sensitive than top spies admit

In a study published online Monday in the journal Proceedings of the National Academy of Sciences, Stanford University researchers demonstrated how they used publicly available sources—like Google searches and the paid background-check service Intelius—to identify “the overwhelming majority” of their 823 volunteers based only on their anonymized call and SMS metadata.

Using data collected through a special Android app, the Stanford researchers determined that they could easily identify people based on their call and message logs.

The results cast doubt on claims by senior intelligence officials that telephone and Internet “metadata”—information about communications, but not the content of those communications—should be subjected to a lower privacy threshold because it is less sensitive.

Contrary to those claims, the researchers wrote, “telephone metadata is densely interconnected, susceptible to reidentification, and enables highly sensitive inferences.”

Source: Study shows phone metadata is much more sensitive than top spies admit

Runkeeper is secretly tracking you around the clock and sending your data to advertisers

The NCC, a consumer rights watchdog, is conducting an investigation into 20 apps’ terms and conditions to see if the apps do what their permissions say they do and to monitor data flows. Tinder has already been reported to the Norwegian data protection authority for similar breaches of privacy laws. The NCC’s investigation into Runkeeper discovered that user location data is tracked around the clock and gets transmitted to a third party advertiser in the U.S. called Kiip.me.

Source: Runkeeper is secretly tracking you around the clock and sending your data to advertisers

FindFace Facial Recognition Service Becomes a Weapon Against Russian Porn Actresses

Users of the Russian imageboard “Dvach” (2chan) have launched a campaign to deanonymize Russian actresses who appear in pornography, utilizing a controversial new service called “FindFace.”

Source: Facial Recognition Service Becomes a Weapon Against Russian Porn Actresses – Global Voices Advocacy

What a bunch of pissants – using a creepy stalker app to then send the contacts of porn actresses porn pictures of their friends. To me it sounds like these guys are so jealous of people having sex whilst they never will, that they’d rather just spoil it for everyone and try to make sure there are no more porn actresses.

93.4m Mexican Voters’ Data found on open US server

In my hands is something dangerous. It is proof that someone moved confidential government data out of Mexico and into the United States. It is a hard drive with 93.4 million downloaded voter registration records— The Mexican voter database.

See the interview with Chris Vickery commenting on this breach:

Before going any further, let’s make one thing very clear. I’m not the one who transmitted the data out of Mexico. Someone else will have to answer for that. However, eight days ago (April 14th), I did discover a publicly accessible database, hosted on an Amazon cloud server, containing these records. There was no password or authentication of any sort required. It was configured purely for public access. Why? I have no clue.

After reporting the situation to the US State Department, DHS, the Mexican Embassy in Washington, the Mexican Instituto Nacional Electoral (INE), and Amazon, the database was finally taken offline April 22nd, 2016.

Under Mexican law, these files are “strictly confidential”, carrying a penalty of up to 12 years in prison for anyone extracting this data from the government for personal gain. We’re talking about names, home addresses, birthdates, a couple of national identification numbers, and a few other bits of info.

Source: BREAKING: Massive Breach of Mexican Voter Data – Blog – MacKeeper™

UK intel agencies spy indiscriminately on millions of innocent folks, have been since the 90s

The UK’s intelligence agencies (MI5, MI6, and GCHQ) are spying on everything you do, and with only the flimsiest of safeguards in place to prevent abuse, according to more than a thousand pages of documents published today as a result of a lawsuit filed by Privacy International.

The documents reveal the details of so-called “Bulk Personal Datasets,” or BPDs, which can contain “hundreds to millions of records” on people who are not suspected of any wrongdoing.

Source: UK intel agencies spy indiscriminately on millions of innocent folks

Data protection reform – Parliament approves new rules fit for the digital era

The new rules include provisions on:

  • a right to be forgotten,
  • “clear and affirmative consent” to the processing of private data by the person concerned,
  • a right to transfer your data to another service provider,
  • the right to know when your data has been hacked,
  • ensuring that privacy policies are explained in clear and understandable language, and
  • stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
Source: Data protection reform – Parliament approves new rules fit for the digital era

So we get simpler EULAs that no one will read either… But it’s nice to have control over your own data and the right to know when your data has been breached. Not that you can do much with that knowledge, but ok.

Hotjar – Records mouse behaviour to see where visitors are scrolling, mousing and clicking to make heatmaps

Hotjar is a new and easy way to truly understand your web and mobile site visitors.

Source: Hotjar – Heatmaps, Visitor Recordings, Conversion Funnels, Form Analytics, Feedback Polls and Surveys in One Platform

I’ve been seeing this on more and more sites recently. They state that the service is cheap (but no pricing to be found) and I’m very curious if they keep your data and link it to you as a person on multiple tracked sites?

All Prior Art – generating patent applications and giving them away, helping kill patent trolls

All Prior Art is a project attempting to algorithmically create and publicly publish all possible new prior art, thereby making the published concepts not patent-able. The concept is to democratize ideas, provide an impetus for change in the patent system, and to preempt patent trolls. The system works by pulling text from the entire database of US issued and published (un-approved) patents and creating prior art from the patent language. While most inventions generated will be nonsensical, the cost to computationally create and publish millions of ideas is nearly zero – which allows for a higher probability of possible valid prior art.
[…]
The particular Creative Commons license was chosen to prevent commercial use of the text along with restricting derivatives, since the point of the prior art is to be publicly published unmodified (as it is to be a valid reference point)
[…]
The intent is not to prevent actual creative and innovative patents from being filed, it is to take the obvious and easily automated ideas out-of-play. If an idea is truly creative and innovative, a computer should have difficulty coming up with it.

Source: About – All Prior Art

CIA Funds Clearista Skin Care Products That Collect DNA Among Other Markers for Health

Clearista products were designed with medical applications in mind before they became beauty products. The idea was that removing the product got you access to traces or biological markers that give an insight into the health of a person. They also cover blemishes and dark spots on the skin. So the CIA is interested, as DNA is one of the markers they can pick up. They use their vehicle In-Q-Tel (IQT) to fund Skincential Sciences, which produces Clearista (among other products).

Source: CIA’s Venture Capital Arm Is Funding Skin Care Products That Collect DNA