Facebook has warned that it may pull out of Europe if the Irish data protection commissioner enforces a ban on sharing data with the US, after a landmark ruling by the European court of justice found in July that there were insufficient safeguards against snooping by US intelligence agencies.

In a court filing in Dublin, Facebook’s associate general counsel wrote that enforcing the ban would leave the company unable to operate.

“In the event that [Facebook] were subject to a complete suspension of the transfer of users’ data to the US,” Yvonne Cunnane argued, “it is not clear … how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU.”

Facebook denied the filing was a threat, arguing in a statement that it was a simple reflection of reality. “Facebook is not threatening to withdraw from Europe,” a spokesperson said.

“Legal documents filed with the Irish high court set out the simple reality that Facebook, and many other businesses, organisations and services, rely on data transfers between the EU and the US in order to operate their services. A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19.”

The filing is the latest volley in a legal battle that has lasted almost a decade. In 2011, Max Schrems, an Austrian lawyer, began filing privacy complaints with the Irish data protection commissioner, which regulates Facebook in the EU, about the social network’s practices.

Those complaints gathered momentum two years later, when the Guardian revealed the NSA’s Prism program, a vast surveillance operation involving direct access to the systems of Google, Facebook, Apple and other US internet companies. Schrems filed a further privacy complaint, which was eventually referred to the European court of justice.

That court found in 2015 that, because of the existence of Prism, the “Safe Harbour” agreement, which allowed US companies to transfer the data of EU citizens back home, was invalid.

The EU then attempted a second legal agreement for the data transfers, a so-called privacy shield; that too was invalidated in July this year, with the court again ruling that the US does not limit surveillance of EU citizens.

In September, the Irish data protection commissioner began the process of enforcing that ruling. The commissioner issued a preliminary order compelling the social network to suspend data transfers overseas.

In response, Nick Clegg, the company’s head of global affairs and communications, published a blogpost that argued that “international data transfers underpin the global economy and support many of the services that are fundamental to our daily lives”.

“In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider,” he wrote. “A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.”

Clegg added: “We support global rules that can ensure consistent treatment of data around the world.”

Source: Facebook says it may quit Europe over ban on sharing data with US | Technology | The Guardian

Yep, mr Clegg. But the law is the law. And it’s a good law. Having EU Citizens’ private data in the hands of the megalomanic 4th Reich US government is not a good idea – in the EU people like the idea of having rights and privacy.

Six million would-be U.S. immigrants face expanded collection of their biometric data, including iris scans, palm-, and voice-prints, facial recognition images, and DNA, under a proposed federal rule. The Department of Homeland Security also for the first time would gather that data from American citizens sponsoring or benefiting from a visa application.

Years in the making, the biometrics immigration rule has garnered more than 160 comments since its Sept. 11 publication. The 30-day comment period closes on Oct 13. A final version could be in place by Inauguration Day.

Immigration and privacy advocates have voiced concerns over who will have to comply with the new requirements, why President Donald Trump is making this push so late in his term, and what it means for a federal agency already claiming a lack of resources.

“The only words to describe this proposed rule is breathtaking,” said Doug Rand, who worked on technology and immigration policy in the Obama White House and then joined the Federation of American Scientists. “It’s clearly designed to drastically expand surveillance of immigrants, U.S. citizens, employers.”

The 300-plus-page plan updates current biometrics requirements so that “any applicant, petitioner, sponsor, beneficiary, or individual filing or associated with an immigration benefit or request, including U.S. citizens, must appear for biometrics collection without regard to age unless the agency waives or exempts the requirement.”

The DHS estimates an additional 2.17 million new biometrics submissions will be collected annually, an increase from the current 3.9 million, under the rule.

[…]

The DHS already collects fingerprints from some visa applicants. The new rule would expand that biometrics-gathering to iris images, palm- and voice- prints. The agency wants authority to require or request DNA testing to prove familial relationships where kinship is in question. The DNA data could be stored indefinitely, under the proposed rule.

[…]

While the current proposal doesn’t expressly reference employers, that doesn’t mean it couldn’t be applied to employer-backed visa holders down the road, said Michael Nowlan, co-leader of Clark Hill’s Immigration Business unit. “It’s just amazing to me how broad this is.”

One potential scenario for employers petitioning for visa-holding workers or sponsoring foreign workers for green cards is that legal counsel or even a human resources officer may be required to submit biometrics on the company’s behalf.

[…]

Should Trump win re-election, his administration can use this period of uncertainty to accelerate this regulation and carry it out in the new year. If Trump loses, and his team makes it final it before Democrat Joe Biden takes office, it’s a “huge headache” for the next administration, Rand said.

“It’s basically like burning down the house on your way out,” Rand said.

Source: Trump Pushes to Reap Biometric Data From Immigrants, Americans

This kind of data is dangerous in and of itself. Keeping it in a centralised database is a horrible idea – history has shown us again and again that these are abused and unsafe. And this is data about people that the people themselves, as well as their families, descendants, can’t change. Ever.

Facebook is again being sued for allegedly spying on Instagram users, this time through the unauthorized use of their mobile phone cameras. Bloomberg reports: The lawsuit springs from media reports in July that the photo-sharing app appeared to be accessing iPhone cameras even when they weren’t actively being used. Facebook denied the reports and blamed a bug, which it said it was correcting, for triggering what it described as false notifications that Instagram was accessing iPhone cameras.

In the complaint filed Thursday in federal court in San Francisco, New Jersey Instagram user Brittany Conditi contends the app’s use of the camera is intentional and done for the purpose of collecting “lucrative and valuable data on its users that it would not otherwise have access to.” By “obtaining extremely private and intimate personal data on their users, including in the privacy of their own homes,” Instagram and Facebook are able to collect “valuable insights and market research,” according to the complaint.

Source: Facebook Accused of Watching Instagram Users Through Cameras – Slashdot

In an update to its Android Developer Program Policy, Google on Wednesday said stalkerware apps in its app store can no longer be used to stalk non-consenting adults.

Stalkerware, which the web giant defines as “code that transmits personal information off the device without adequate notice or consent and doesn’t display a persistent notification that this is happening,” may still be used for keeping track of one’s kids.

But starting October 1, 2020, the ad biz says it’s no longer acceptable for Android apps in the Google Play Store to track another person, such as a spouse, without permission, unless there’s a persistent visible notification that data is being transmitted.

The ban follows a similar prohibition in August on Google-served ads for “spyware and technology used for intimate partner surveillance,” which reportedly hasn’t worked very well.

In recent years, computer security experts have argued that the privacy and security risks in intimate relationships remain haven’t been adequately anticipated or addressed.

But rules against invasive behavior aren’t necessarily effective. Via Twitter, Michael Veale, a lecturer at University College London, observed that a 2018 research paper “found that ‘abusers frequently exploit dual-use applications—tools whose main purpose is legitimate but that can be easily repurposed to function as spyware,’ so banning explicit stalkerware of questionable efficacy.”

Google will continue to allow non-stalkerware apps (i.e. policy compliant apps) to monitor and track people, provided the programs are not marketed as surveillance apps, they disclose any such functions, and they present the requisite persistent notification and icon.

Monitoring apps of the permissible sort continue to be subject to removal for violating applicable laws in the locations where they’re published, and may not link to resources (e.g. servers, SDKs) that provide policy violating functions or non-compliant APKs hosted outside the Google Play Store.

Google’s developer policy update also includes a ban on misrepresentation, both for apps and developer accounts. Apps or accounts that impersonate a person or organization, or attempt to conceal the app’s purpose or ownership, or engage in coordinated misleading activity, are no longer allowed.

Source: Google bans stalkerware apps from Android store. Which is cool but… why were they allowed in the first place? • The Register

To answer the question: The tech giants will do almost anything to get  your location information because it allows them to know and control you better.

The Weather Channel app settles suit over selling location data of 49m people without consent

Private Intel Firm Buys Location Data to Track People to their ‘Doorstep’ sourced from innocuous seeming apps

How Location Tracking Actually Works on Your Smartphone (and how to manipulate it – kind of)

Google collects Android location data even if you turn it off and don’t have a SIM card inserted

US carmakers collect and keep driven locations

And some more links

IBM and the Los Angeles city attorney’s office have settled a privacy lawsuit brought after The Weather Channel app was found to be selling user location data without proper disclosure. The lawsuit was filed last year, at which point the app had 45 million active users.

IBM has changed the way that users are informed, and also agreed to donate $1M worth of technology to assist LA County with its coronavirus contact tracing efforts …

 

Associated Press reports.

The operator of The Weather Channel mobile app has agreed to change how it informs users about its location-tracking practices and sale of personal data as part of a settlement with the Los Angeles city attorney’s office, officials said Wednesday.

City Attorney Mike Feuer alleged in a 2019 lawsuit that app users were misled when they agreed to share their location information in exchange for personalized forecasts and alerts. Instead, the lawsuit claimed users were unaware they had surrendered personal privacy when the company sold their data to third parties.

Feuer announced the settlement Wednesday with the app’s operator, TWC Product and Technology LLC, and owner IBM Corp. The app’s disclosure screens were initially revised after the lawsuit was filed and future changes that will be monitored by the city attorney’s office are planned.

Source: The Weather Channel app settles suit over selling location data – 9to5Mac

In June, Apple unveiled plans for an iOS 14 privacy update that forces developers to gather users’ consent before tracking their activities across third-party apps and websites. Needless to say, giving users more control over how their information is gathered and trafficked is expected to bruise advertisers—especially Facebook, which uses that information to narrow its targeting functions.

As the initial autumn deadline closed in, Facebook protested last week that the change could render Facebook’s Audience Network—its ad service offered to third-party apps—“so ineffective on iOS 14 that it may not make sense to offer it on iOS 14 in the future.” The company claimed that blocking personalization is expected to cut Audience Network revenue by half or more, and that the move would hurt the over 19,000 developers who work with Facebook, many of which are “small businesses that depend on ads to support their livelihood.”

Apple’s messaging to users, as illustrated in the latest promo images for iOS 14, doesn’t give surveillance a nice ring. It will tell you bluntly that such-and-such app “would like permission to track you across apps and websites owned by other companies.” Apple pointed out to Gizmodo that it still embraces in-app advertising and does not prohibit tracking. In fact, Facebook can still gather that data (using Apple’s advertiser ID), if it’s willing to ask iOS users to agree to be tracked (using that scary messaging.) But both Apple and Facebook know that the data collection business operates more smoothly when begging for forgiveness later rather than asking permission now. If not, companies wouldn’t have mastered the art of doublespeak and constructed labyrinthine settings menus.

Apple, on the other hand, will still be able to benefit from gathering your information in various ways without asking permission because Apple doesn’t necessarily need to share or gather your information with data brokers and outside companies—your data is already growing organically within Apple’s walled garden. For example, Apple might show you an ad for a weight loss app in the App Store based on the fact that you read an article from a lifestyle publication in the Apple News app—a function which is automatically enabled, and can be toggled off, under “Apple Advertising.” Similarly, Apple says that developers can use data gained from activity within their own apps through Apple’s vendor-specific identifier. (Apple says that the “tracking” prompt would still show up if Apple-created apps intend to share information beyond Apple.)

But it’s hard to imagine a competing vendor that would have access to such a sprawling network of native data, aside from Google, which has its own devices and browser and advertiser ID. And sticking the notification on Facebook polishes Apple’s self-fashioned reputation a big tech company which values privacy. (It is not.)

[…]

Apple says that now apps won’t need to ask users permission to be tracked until 2021, “to give developers time to make necessary changes.” Apple will also require developers to submit details on the data their apps collect—including “sensitive information” such as race, sexual orientation, disability, and political affiliation—which will be published in the App Store later this year.

Source: After Facebook Balks, Apple Delays Privacy Feature

A threat intelligence firm called HYAS, a private company that tries to prevent or investigates hacks against its clients, is buying location data harvested from ordinary apps installed on peoples’ phones around the world, and using it to unmask hackers. The company is a business, not a law enforcement agency, and claims to be able to track people to their “doorstep.”

The news highlights the complex supply chain and sale of location data, traveling from apps whose users are in some cases unaware that the software is selling their location, through to data brokers, and finally to end clients who use the data itself. The news also shows that while some location firms repeatedly reassure the public that their data is focused on the high level, aggregated, pseudonymous tracking of groups of people, some companies do buy and use location data from a largely unregulated market explicitly for the purpose of identifying specific individuals.

HYAS’ location data comes from X-Mode, a company that started with an app named “Drunk Mode,” designed to prevent college students from making drunk phone calls and has since pivoted to selling user data from a wide swath of apps. Apps that mention X-Mode in their privacy policies include Perfect365, a beauty app, and other innocuous looking apps such as an MP3 file converter.

“As a TI [threat intelligence] tool it’s incredible, but ethically it stinks,” a source in the threat intelligence industry who received a demo of HYAS’ product told Motherboard. Motherboard granted the source anonymity as they weren’t authorized by their company to speak to the press.

[…]

HYAS differs in that it provides a concrete example of a company deliberately sourcing mobile phone location data with the intention of identifying and pinpointing particular people and providing that service to its own clients. Independently of Motherboard, the office of Senator Ron Wyden, which has been investigating the location data market, also discovered HYAS was using mobile location data. A Wyden aide said they had spoken with HYAS about the use of the data. HYAS said the mobile location data is used to unmask people who may be using a Virtual Private Network (VPN) to hide their identity, according to the Wyden aide.

In a webinar uploaded to HYAS’ website, Todd Thiemann, VP of marketing at the company, describes how HYAS used location data to track a suspected hacker.

“We found out it was the city of Abuja, and on a city block in an apartment building that you can see down there below,” he says during the webinar. “We found the command and control domain used for the compromised employees, and used this threat actor’s login into the registrar, along with our geolocation granular mobile data to confirm right down to his house. We also got his first and last name, and verified his cellphone with a Nigerian mobile operator.”

A screenshot of a webinar given by HYAS, in which the company explains how it has used mobile application location data.

On its website, HYAS claims to have some Fortune 25 companies, large tech firms, as well as law enforcement and intelligence agencies as clients.

[…]

Customers can include banks who want to get a heads-up on whether a freshly dumped cache of stolen credit card data belongs to them; a retailer trying to protect themselves from hackers; or a business checking if any of their employees’ login details are being traded by cybercriminals.

Some threat intelligence companies also sell services to government agencies, including the FBI, DHS, and Secret Service. The Department of Justice oftens acknowledges the work of particular threat intelligence companies in the department’s announcement of charges or indictments against hackers and other types of criminals.

But some other members of the threat intelligence industry criticized HYAS’ use of mobile app location data. The CEO of another threat intelligence firm told Motherboard that their company does not use the same sort of information that HYAS does.

The threat intelligence source who originally alerted Motherboard to HYAS recalled “being super shook at how they collected it,” referring to the location data.

A senior employee of a third threat intelligence firm said that location data is not hard to buy.

[…]

Motherboard found several location data companies that list HYAS in their privacy policies. One of those is X-Mode, a company that plants its own code into ordinary smartphone apps to then harvest location information. An X-Mode spokesperson told Motherboard in an email that the company’s data collecting code, or software development kit (SDK), is in over 400 apps and gathers information on 60 million global monthly users on average. X-Mode also develops some of its own apps which use location data, including parental monitoring app PlanC and fitness tracker Burn App.

“Whatever your need, the XDK Visualizer is here to show you that our signature SDK is too legit to quit (literally, it’s always on),” the description for another of X-Code’s own apps, which visualizes the company’s data collection to attract clients, reads.

“They’re like many location trackers but seem more aggressive to be honest,” Will Strafach, founder of the app Guardian, which alerts users to other apps accessing their location data, told Motherboard in an online chat. In January, X-Mode acquired the assets of Location Sciences, another location firm, expanding X-Mode’s dataset.

[…]

Motherboard then identified a number of apps whose own privacy policies mention X-Mode. They included Perfect365, a beauty-focused app that people can use to virtually try on different types of makeup with their device’s camera.

[…]

Various government agencies have bought access to location data from other companies. Last month, Motherboard found that U.S. Customs and Border Protection (CBP) paid $476,000 to a firm that sells phone location data. CBP has used the data to scan parts of the U.S. border, and the Internal Revenue Service (IRS) tried to use the same data to track criminal suspects but was unsuccessful.

Source: Private Intel Firm Buys Location Data to Track People to their ‘Doorstep’

Google and Apple have updated their COVID-19 contact-tracing tool to make it possible to notify users of potential exposures to the novel coronavirus without an app.

The new Exposure Notifications Express spec is baked into iOS 13.7, which emerged this week and will appear in an Android update due later this month.

This is not, repeat not, pervasive Bluetooth surveillance. The tool requires users to opt in, although public health authorities can use the tool to send notifications suggesting that residents do so.

Those who choose to participate agree to have their device use Bluetooth to search for other nearby opted-in devices, with an exchange of anonymised identifiers used to track encounters. If a user tests positive, and agrees to notify authorities, other users will be told that they are at risk and should act accordingly.

The update is designed to let health authorities use Bluetooth-powered contact-tracing without having to build their own apps. It’s still non-trivial to play, as the system requires one server to verify test results and another to run both contact-tracing apps and the app-free service.

Apple has published a succinct explainer here and Google has offered up code for notifications server on GitHub.

A couple of dozen US states have signed up for the new tool but other jurisdictions – among them India, Singapore and Australia – are persisting with their own approaches on the basis that the Apple/Google tech makes it harder for their manual contact-tracers to access information.

Source: COVID-19 tracing without an app? There’s an iOS and Android update for that • The Register

Considering the work both companies do with China and other friendly states, it would not surprise me that the “user opt in” feature becomes an “all users opt in without their knowing because the state is the people and the state knows best” feature in some places.

The U.S. government has taken the opportunity during the global pandemic, when people aren’t traveling out of the country much, to roll out a new platform for storing information they believe they are entitled to take from people crossing the border. A new filing reveals how the U.S. Border Patrol will store data from traveler devices centrally, keeping it backed up and searchable for up to 75 years.

On July 30 the Department of Homeland Security published a privacy impact assessment detailing the electronic data that they may choose to collect from people crossing the border – and what happens to that data.

• Border Patrol claims the right to search laptops, thumb drives, cell phones, and other
  devices capable of storing electronic information” and when they call it a ‘border search the can do this not just when you’re “crossing the U.S. border” in either direction (i.e. when you’re leaving, not just when you’re entering the country) but even “at the extended border” which generally means within 100 miles of the border, which encompasses where two-thirds of the U.S. population lives.
• They needed an updated privacy impact assessment because of a new “enterprise-wide solution to manage and analyze certain types of information and metadata USBP collects from electronic devices” – and they they actually keep on file.

Border Patrol will “acquire a mirror copy of the data on the device” they take from a traveler and store it locally. Before uploading it to their network they check to make sure there’s no porn on it (so they search your devices to find porn first). Then once they’ve determined it’s “clean” they transfer the data first to an encrypted thumb drive and then to the Border Patrol-side system called PLX.

Examples of what they plan to keep from travelers’ devices include e-mails; videos and pictures; texts and chat messages; financial accounts and transactions; location history; web browser bookmarks; tasks list; calendar; call logs; contracts. Information is stored for 75 years although if it’s not related to any crime it may be deleted after 20 years.

The government emphasizes they’ve been collecting this information, what’s changed is simply that they’ll be storing it in a central system where everything “will now by accessible to a larger number of USBP agents with no nexus” to suspected illegal activity. They promise, though, to restrict access and train staff not to do anything they aren’t supposed to. And they don’t see risk to privacy because they’ve published a notice (that I’m now writing about) telling you how your privacy may be violated.

Electronic device searches have been on the rise. Between October 2008 and June 2010 6500 devices were searched. In 2016 there were 10,000 device searches, and 30,200 in 2017.

It’s not clear though that these searches are all actually legal. In November 2019 a federal judge in Boston ruled that forensic searches of cell phones require at least reasonable suspicion “that the devices contain contraband.”

Source: US Border Patrol Says They Can Create Central Repository Of Traveler Emails, Keep Them For 75 Years – View from the Wing

it was such an unsecured database that the Comparitech researchers, led by Bob Diachenko, discovered on August 1, leaving the personal profile data of nearly 235 million Instagram, TikTok and YouTube users up for grabs.

The data was spread across several datasets; the most significant being two coming in at just under 100 million each and containing profile records apparently scraped from Instagram. The third-largest was a dataset of some 42 million TikTok users, followed by just under 4 million YouTube user profiles.

MORE FROM FORBESGot An Email From A Hacker With Your Password? Do These 3 ThingsBy Davey Winder

Comparitech says that, based on the samples it collected, one in five records contained either a telephone number or email address. Every record also included at least some, sometimes all, the following information:

• Profile name
• Full real name
• Profile photo
• Account description

Statistics about follower engagement, including:

• Number of followers
• Engagement rate
• Follower growth rate
• Audience gender
• Audience age
• Audience location
• Likes
• Last post timestamp
• Age
• Gender

“The information would probably be most valuable to spammers and cybercriminals running phishing campaigns,” Paul Bischoff, Comparitech editor, says. “Even though the data is publicly accessible, the fact that it was leaked in aggregate as a well-structured database makes it much more valuable than each profile would be in isolation,” Bischoff adds. Indeed, Bischoff told me that it would be easy for a bot to use the database to post targeted spam comments on any Instagram profile matching criteria such as gender, age or number of followers.

Tracing the source of the leaked data

So, where did all this data originate? The researchers suggest that the evidence, including dataset names, pointed to a company called Deep Social. However, Deep Social was banned by both Facebook and Instagram in 2018 after scraping user profile data. The company was wound down sometime after this.

A Facebook company spokesperson told me that “scraping people’s information from Instagram is a clear violation of our policies. We revoked Deep Social’s access to our platform in June 2018 and sent a legal notice prohibiting any further data collection.”

Once the researchers found the database and the clues to its origin, “we sent an alert to Deep Social, assuming the data belonged to them,” Bischoff says. The administrators of Deep Social then forwarded the disclosure to a Hong Kong-registered social media influencer data-marketing company called Social Data. “Social Data shut down the database about three hours after our initial email,” Bischoff says.

[…]

Source: 235 Million Instagram, TikTok And YouTube User Profiles Exposed In Massive Data Leak

Babel Street is a shadowy organization that offers a product called Locate X that is reportedly used to gather anonymized location data from a host of popular apps that users have unwittingly installed on their phones. When we say “unwittingly,” we mean that not everyone is aware that random innocuous apps are often bundling and anonymizing their data to be sold off to the highest bidder.

Back in March, Protocol reported that U.S. Customs and Border Protection had a contract to use Locate X and that sources inside the secretive company described the system’s capabilities as allowing a user “to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months.”

Protocol’s sources also said that the Secret Service had used the Locate X system in the course of investing a large credit card skimming operation. On Monday, Motherboard confirmed the investigation when it published an internal Secret Service document it acquired through a Freedom of Information Act (FOIA) request. (You can view the full document here.)

The document covers a relationship between Secret Service and Babel Street from September 28, 2017, to September 27, 2018. In the past, the Secret Service has reportedly used a seperate social media surveillance product from Babel Street, and the newly-released document totals fees paid after the addition of the Locate X license as $1,999,394.

[…]

Based on Fourth Amendment protections, law enforcement typically has to get a warrant or court order to seek to obtain Americans’ location data. In 2018, the Supreme Court ruled that cops still need a warrant to gather cellphone location data from network providers. And while law enforcement can obtain a warrant for specific cases as it seeks to view location data from a specific region of interest at a specific time, the Locate X system saves government agencies the time of going through judicial review with a next-best-thing approach.

The data brokerage industry benefits from the confusion that the public has about what information is collected and shared by various private companies that are perfectly within their legal rights. You can debate whether it’s acceptable for private companies to sell this data to each other for the purpose of making profits. But when this kind of sale is made to the U.S. government, it’s hard to argue that these practices aren’t, at least, violating the spirit of our constitutional rights.

Source: Secret Service Bought Access to Bable Street’s Locate X Spy Tool

Toyota already operates a “Mobility Services Platform” that it says helps it to “develop, deploy, and manage the next generation of data-driven mobility services for driver and passenger safety, security, comfort, and convenience”.

That data comes from a device called the “Data Communication Module” (DCM) that Toyota fits into many models in Japan, the USA and China.

Toyota reckons the data could turn into “new contextual services such as car share, rideshare, full-service lease, and new corporate and consumer services such as proactive vehicle maintenance notifications and driving behavior-based insurance.”

Toyota’s connected car vision. Click to enlarge

The company has touted that vision since at least the year 2016, but precious little evidence of it turning into products is available.

Which may be why Toyota has signed with AWS for not just cloud tech but also professional services.

The two companies say their joint efforts “will help build a foundation for streamlined and secure data sharing throughout the company and accelerate its move toward CASE (Connected, Autonomous/Automated, Shared and Electric) mobility technologies.”

Neither party has specified just which bits of the AWS cloud Toyota will take for a spin but it seems sensible to suggest the auto-maker is going to need lots of storage and analytics capabilities, making AWS S3 and Kinesis likely candidates for a test drive.

Whatever Toyota uses, prepare for privacy ponderings because while cheaper car insurance sounds lovely, having an insurer source driving data from a manufacturer has plenty of potential pitfalls.

Source: Oh what a feeling: New Toyotas will upload data to AWS to help create custom insurance premiums based on driver behaviour • The Register

No, this isn’t a good thing and I hope there’s an opt out

The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case. This judgment declared that this framework is no longer a valid mechanism to transfer personal data from the European Union to the United States.

The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades.

Source: Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders | U.S. Department of Commerce

A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers’ information.

The news highlights how selling personal data is not limited to private companies, but some government entities follow similar practices too.

“What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear,” the letter, signed by congress members including Ted Lieu, Barbara Lee, and Mike Thompson, as well as California Assembly members Kevin Mullin and Mark Stone, reads.

Specifically, the letter asks what types of organizations has the DMV disclosed drivers’ data to in the past three years. Motherboard has previously reported on how other DMVs around the country sold such information to private investigators, including those hired to spy on suspected cheating spouses. In an earlier email to Motherboard, the California DMV said data requesters may include insurance companies, vehicle manufacturers, and prospective employers.

The information sold in general by DMVs includes names, physical addresses, and car registration information. Multiple other DMVs previously confirmed they have cut-off access to some clients after they abused the data.

On Wednesday, the California DMV said in an emailed statement, “The DMV does not sell driver information for marketing purposes or to generate revenue outside of the cost of administering its requester program—which only provides certain driver and vehicle related information as statutorily required.”

“The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program,” the statement added.

After Motherboard’s earlier investigation into the sale of DMV data to private investigators, senators criticized the practice. Bernie Sanders more specifically said that DMVs should not profit from selling such data.

“In today’s ever-increasing digital world, our private information is too often stolen, abused, used for profit or grossly mishandled,” the new letter from lawmakers reads. “It’s critical that the custodians of the personal information of Americans—from corporations to government agencies—be held to high standards of data protection in order to restore the right of privacy in our country.”

Source: Lawmakers Ask California DMV How It Makes $50 Million a Year Selling Drivers’ Data

The nation’s largest private equity firm is interested in buying your DNA data. The going rate: $261 per person. That appears to be what Blackstone, the $63 billion private equity giant, is willing to pay for genetic data controlled by one of the major companies gathering it from millions of customers.

Earlier this week, Blackstone announced it was paying $4.7 billion to acquire Ancestry.com, a pioneer in pop genetics that was launched in the 1990s to help people find out more about their family heritage.

Ancestry’s customers get an at-home DNA kit that they send back to the company. Ancestry then adds that DNA information to its database and sends its users a report about their likely family history. The company will also match you to other family members in its system, including distant cousins you may or may not want to hear from. And for up to $400 a year, you can continue to search Ancestry’s database to add to your knowledge of your family tree.

Ancestry has some information, mostly collected from public databases, on hundreds of millions of individuals. But its most valuable information is that of the people who have taken its DNA tests, which totals 18 million. And at Blackstone’s $4.7 billion purchase price that translates to just over $250 each.

[…]

Source: Private equity wants to own your DNA – CBS News

Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week.

The Chocolate Factory admitted it had accidentally turned on a feature that allowed its voice-controlled AI-based assistant to activate and snoop on its surroundings. Normally, the device only starts actively listening in and making a note of what it hears after it has heard wake words, such as “Ok, Google” or “Hey, Google,” for privacy reasons. Prior to waking, it’s constantly listening out for those words, but is not supposed to keep a record of what it hears.

Yet punters noticed their Google Homes had been recording random sounds, without any wake word uttered, when they started receiving notifications on their phone that showed the device had heard things like a smoke alarm beeping, or glass breaking in their homes – all without giving their approval.

Google said the feature had been accidentally turned on during a recent software update, and it has now been switched off, Protocol reported. It may be that this feature is or was intended to be used for home security at some point: imagine the assistant waking up whenever it hears a break in, for instance. Google just bought a $450m, or 6.6 per cent, stake in anti-burglary giant ADT.

Source: Whoops, our bad, we just may have ‘accidentally’ left Google Home devices recording your every word, sound, sorry • The Register

The Australian government has filed its second lawsuit against Google in less than a year over privacy concerns, this time alleging the tech giant misled Australian consumers in an attempt to gather information for targeted ads. The Australian Competition and Consumers Commission (ACCC), the country’s consumer watchdog, says Google didn’t obtain explicit consent from consumers to collect personal data, according to a statement.

The ACCC cites a 2016 change to Google’s policy in which the company began collecting data about Google account holders’ activity on non-Google sites. Previously, this data was collected by ad-serving technology company DoubleClick and was stored separately, not linked to users’ Google accounts. Google acquired DoubleClick in 2008, and the 2016 change to Google’s policy meant Google and DoubleClick’s data on consumers were combined. Google then used the beefed-up data to sell even more targeted advertising.

From June 2016 to December 2018, Google account holders were met with a pop-up that explained “optional features” to accounts regarding how the company collected their data. Consumers could click “I agree,” and Google would begin collecting a “wide range of personally identifiable information” from them, according to the ACCC. The lawsuit contends that the pop-up didn’t adequately explain what consumers were agreeing to.

“The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the ‘price’ of Google’s services, without consumers’ knowledge,” said ACCC Chair Rod Sims. Had more consumers sufficiently understood Google’s change in policy, many may not have consented to it, according to the ACCC.

Google told the Associated Press it disagrees with the ACCC’s allegations, and says Google account holders had been asked to “consent via prominent and easy-to-understand notifications.” It’s unclear what penalty the ACCC is seeking with the lawsuit.

Last October, the ACCC sued Google claiming the company misled Android users about the ability to opt out of location tracking on phones and tablets. That case is headed to mediation next week, according to a February Computer World article.

Source: Australian government sues Google for misleading consumers in data collection | Engadget

you can get this functionality by downloading and installing a simple app from the Google Play Store: Access Dots. It’s free, it’s easy, and it helps you up your Android’s security game. I would almost call it a must-install for anyone, because it’s as unobtrusive as it is helpful.

Download and launch the app, and you’ll see one simple setting you have to enable. That’s all you have to do to fire up Access Dots’ basic functionality.

Well, that and tapping on the new “Access Dots” listing in your Accessibility settings, and then enabling the service there, too.

Head back to your Android’s Home screen and…you won’t see anything. Zilch. That’s the point. Pull up your Camera app, however, and you’ll see a big green icon appear in the upper-right corner of your device. Tap on your Google Assistant’s microphone icon, and you’ll see an orange dot; the same as what iOS 14 users see.

If you don’t like these colors, you can change them to whatever you want in Access Dots’ settings. You can even change the location of said dot, as well as its size. Tap on the little “History” icon in Access Dots’ main UI—you can’t miss it—and you’ll even be able to browse a log of which apps requested camera of microphone access and for how long they used it:

Though I’m not a huge fan of how many ads litter the Access Dots app, I respect someone’s need to make a little cash. You only see them when you launch the app. Otherwise, all you’ll see on your phone are those dots. That’s not a terrible trade-off, I’d say, given how much this simple security app can do.

Source: See When Other Apps Use Your Microphone or Camera With This Android App

A handful of Chrome users have sued Google, accusing the browser maker of collecting personal information despite their decision not to sync data stored in Chrome with a Google Account.

The lawsuit [PDF], filed on Monday in a US federal district court in San Jose, California, claimed Google promises not to collect personal information from Chrome users who choose not to sync their browser data with a Google Account but does so anyway.

“Google intentionally and unlawfully causes Chrome to record and send users’ personal information to Google regardless of whether a user elects to Sync or even has a Google account,” the complaint stated.

Filed on behalf of “unsynced” plaintiffs Patrick Calhoun, Elaine Crespo, Hadiyah Jackson and Claudia Kindler – all said to have stopped using Chrome and to wish to return to it, rather than use a different browser, once Google stops tracking unsynced users – the lawsuit cited the Chrome Privacy Notice.

Since 2016, that notice has promised, “You don’t need to provide any personal information to use Chrome.” And since 2019, it has said, “the personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on sync,” with earlier versions offering variants on that wording.

Nonetheless, whether or not account synchronization has been enabled, it’s claimed, Google uses Chrome to collect IP addresses linked to user agent data, identifying cookies, unique browser identifiers called X-Client Data Headers, and browsing history. And it does so supposedly in violation of federal wiretap laws and state statutes.

Google then links that information with individuals and their devices, it’s claimed, through practices like cookie syncing, where cookies set in a third-party context get associated with cookies set in a first-party context.

“Cookie synching allows cooperating websites to learn each other’s cookie identification numbers for the same user,” the complaint says. “Once the cookie synching operation is complete, the two websites exchange information that they have collected and hold about a user, further making these cookies ‘Personal Information.'”

The litigants pointed to Google’s plan to phase out third-party cookies, and noted Google doesn’t need cookies due to the ability of its X-Client-Data Header to uniquely identify people.

Source: We’re suing Google for harvesting our personal info even though we opted out of Chrome sync – netizens • The Register

Twitter contractors with high-level administrative access to accounts regularly abused their privileges to spy on celebrities including Beyoncé, including approximating their movements via internet protocol addresses, according to a report by Bloomberg.

Over 1,500 workers and contractors at Twitter who handle internal support requests and manage user accounts have high-level privileges that enable them to override user security settings and reset their accounts via Twitter’s backend, as well as view certain details of accounts like IP addresses, phone numbers, and email addresses.

[…]

Two of the former Twitter employees told Bloomberg that projects such as enhancing security of “the system that houses Twitter’s backup files or enhancing oversight of the system used to monitor contractor activity were, at times, shelved for engineering products designed to enhance revenue.” In the meantime, some of those with access (some of whom were contractors with Cognizant at up to six separate work sites) abused it to view details including IP addresses of users. Executives didn’t prioritize policing the internal support team, two of the former employees told Bloomberg, and at times Twitter security allegedly had trouble tracking misconduct due to sheer volume.

A system was in place to create access logs, but it could be fooled by simply creating bullshit support tickets that made the spying appear legitimate; two of the former employees told Bloomberg that from 2017 to 2018 members of the internal support team “made a kind of game out of” the workaround. The security risks inherent to granting access to so many people were reportedly brought up to the company’s board repeatedly from 2015-2019, but little changed.

This had consequences beyond the most recent hack. Last year, the Department of Justice announced charges against two former employees (a U.S. national and a Saudi citizen) that it accused of espionage on behalf of an individual close to Saudi Crown Prince Mohammed bin Salman. The DOJ alleged that the intent of the operation was to gain access to private information on political dissidents.

Source: Twitter Contractors Abused Access to Beyoncé’s Account: Report

The EU has demanded that Google make major concessions relating to its $2.1 billion acquisition of fitness-tracking company Fitbit if the deal is to be allowed to proceed imminently, according to people with direct knowledge of the discussions.

Since it was announced last November, the acquisition has faced steep opposition from consumer groups and regulators, who have raised concerns over the effect of Google’s access to Fitbit’s health data on competition.

EU regulators now want the company to pledge that it will not use that information to “further enhance its search advantage” and that it will grant third parties equal access to it, these people said.

The move comes days after the EU regulators suffered a major blow in Luxembourg, losing a landmark case that would have forced Apple to pay back €14.3 billion in taxes to Ireland.

Brussels insiders said that a refusal by Google to comply with the new demands would probably result in a protracted investigation, adding that such a scenario could ultimately leave the EU at a disadvantage.

“It is like a poker game,” said a person following the case closely. “In a lengthy probe, the commission risks having fewer or no pledges and still having to clear the deal.”

They added that the discussions over the acquisition were “intense,” and there was no guarantee that any agreement between Brussels and Google would be reached.

Google had previously promised it would not use Fitbit’s health data to improve its own advertising, but according to Brussels insiders, the commitment was not sufficient to assuage the EU’s concerns nor those of US regulators also examining the deal.

Source: EU demands major concessions from Google over Fitbit deal | Ars Technica

Uhmmm so they want everybody to have access to this extremely private data?