It is easy to expose users’ secret web habits, if you have access to cheap clickstream data

Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician.

The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather “clickstreams”.

These are detailed records of everywhere that people go online.

The researchers argue such data – which some firms scoop up and use to target ads – should be protected.
[…]
The pair found that 95% of the data they obtained came from 10 popular browser extensions.
[…]
The public information included links people shared via Twitter, YouTube videos they reported watching, news articles they passed on via social media or when they posted online photos of items they bought or places they visited.

In many cases, he said, it was even easier to de-anonymise because the clickstreams contained links to people’s personal social media admin pages which directly revealed their identity.

Source: It is easy to expose users’ secret web habits, say researchers – BBC News

Gmail no longer will scan your emails – because they already know enough about you through other channels

G Suite’s Gmail is already not used as input for ads personalization, and Google has decided to follow suit later this year in our free consumer Gmail service. Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line with how we personalize ads for other Google products. Ads shown are based on users’ settings. Users can change those settings at any time, including disabling ads personalization. G Suite will continue to be ad free.

Source: As G Suite gains traction in the enterprise, G Suite’s Gmail and consumer Gmail to more closely align

This is what is called a Pyrrhic victory

Navistone saves filled in form data on hundreds of sites before you submit it!

[As you fill out a form] You change your mind and close the page before clicking the Submit button and agreeing to Quicken’s privacy policy.[…]Your email address and phone number have already been sent to a server at “murdoog.com,” which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the “Submit” button.

During a recent investigation into how a drug-trial recruitment company called Acurian Health tracks down people who look online for information about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.
[…]
Only one site of the dozens we reviewed, Gardeners.com, explicitly revealed in its privacy policy what it was doing. The site was about how to have a great garden and make it look better with glow in the dark pebbles and other accessories. It read, “Information you enter is collected even if you cancel or do not complete an order.” The rest of the sites had the usual legalese in their policies about using standard tracking tech such as cookies and Web beacons, which did not describe the way this particular information capture works.

Source: Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data

Not only are they saving your data without your consent, they boast that they can send you post within 2 days. Once Gizmodo tested a few of the sites with their technology enabled, they denied everything, even though Gizmodo was sitting on the proof. Scumbags.
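As an added example (not code from Gizmodo, NaviStone or this blog): a Node.js check that replays a recorded browser session and flags third-party requests carrying typed form values before any submit event, which is the behaviour described above. The event format, host names and field values are constructed for illustration.

```javascript
// Added example: audit a recorded browser session for form values that leave
// the page for a third party BEFORE the user submits the form.
// The event format and every value in SAMPLE_SESSION are constructed.

// Encodings a capture script might apply to a typed value before sending it.
function encodings(value) {
  return {
    plain: value,
    urlencoded: encodeURIComponent(value),
    // Strip '=' padding so unpadded base64 variants also match.
    base64: Buffer.from(value, 'utf8').toString('base64').replace(/=+$/, ''),
  };
}

// A host counts as first party if it is the site itself or one of its subdomains.
function isThirdParty(host, firstPartyHost) {
  return host !== firstPartyHost && !host.endsWith('.' + firstPartyHost);
}

// events: ordered list of {t, type:'input', field, value},
//         {t, type:'request', url, body} and {t, type:'submit'} records.
// Returns one finding per (request, field) pair that leaks before submit.
function findPreSubmitLeaks(events, firstPartyHost, minLength = 4) {
  const typed = new Map(); // field name -> latest value the user entered
  const findings = [];
  let submitted = false;

  for (const ev of events) {
    if (ev.type === 'input') {
      typed.set(ev.field, ev.value);
    } else if (ev.type === 'submit') {
      submitted = true; // anything sent after this point had the user's click
    } else if (ev.type === 'request' && !submitted) {
      const host = new URL(ev.url).hostname;
      if (!isThirdParty(host, firstPartyHost)) continue;

      const haystack = ev.url + '\n' + (ev.body || '');
      for (const [field, value] of typed) {
        // Very short values match by accident; skip them to limit false positives.
        if (value.length < minLength) continue;
        for (const [encoding, needle] of Object.entries(encodings(value))) {
          if (haystack.includes(needle)) {
            findings.push({ t: ev.t, host, field, encoding });
            break; // report each field once per request
          }
        }
      }
    }
  }
  return findings;
}

// Constructed session: shop.example is the site, collector.example stands in
// for a third-party capture endpoint (both are placeholder hosts).
const SAMPLE_SESSION = [
  { t: 1, type: 'input', field: 'email', value: 'alice@example.com' },
  { t: 2, type: 'request', url: 'https://collector.example/c?e=alice%40example.com' },
  { t: 3, type: 'input', field: 'phone', value: '555-0100' },
  { t: 4, type: 'request', url: 'https://collector.example/c',
    body: 'd=' + Buffer.from('555-0100').toString('base64') },
  // First-party validation call: not flagged.
  { t: 5, type: 'request', url: 'https://www.shop.example/api/validate?email=alice%40example.com' },
  { t: 6, type: 'submit' },
  // Same third-party call after submit: not flagged by this check.
  { t: 7, type: 'request', url: 'https://collector.example/c?e=alice%40example.com' },
];

for (const f of findPreSubmitLeaks(SAMPLE_SESSION, 'shop.example')) {
  console.log(`t=${f.t}: field "${f.field}" sent to ${f.host} (${f.encoding}) before submit`);
}
```

The check only sees values encoded on their own as plain text, URL-encoding or base64; a script that encrypts or chunks the data needs inspection of the script itself.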

Tails 3.0 – anonymous live OS is out

Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card.

It aims at preserving your privacy and anonymity, and helps you to:

use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;
leave no trace on the computer you are using unless you ask it explicitly;
use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

https://tails.boum.org/index.en.html

Chinese Windows 10 doesn’t spy on you

Away with telemetry and broad data collection – so it can be done after all.

Source: Wil je privacy? Gebruik dan de Chinese Windows 10! (Want privacy? Then use the Chinese Windows 10!)

Microsoft has released a version of Windows 10 for the Chinese (!) market that doesn’t send all sorts of telemetry and private data to itself. This version is not available for the rest of us; in the rest of the world, Microsoft still has you as a secondary product.

Apple Rolls Out New Feature That Permanently Associates Devices with Apps, Even After Deletion

Tim Cook once scolded Travis Kalanick about Uber’s practice of tracking users even after they deleted the app from their iPhones. But in its newest operating system, iOS 11, Apple is rolling out a feature that will allow the same type of tracking—but with fewer privacy implications.

Apple’s new feature is called DeviceCheck and, if developers choose to use it, it will allow them to fingerprint and persistently track users’ iPhones, even if a user deletes the app or wipes their phone completely, using Apple as an intermediary.

To be clear, this kind of fingerprinting does not allow for location tracking. It lets developers keep track of former users’ devices so that, if they ever come back to the app, the developers will know they’ve been there before.

Source: Apple Rolls Out New Feature That Permanently Associates Devices with Apps, Even After Deletion

So what happens if you buy a second-hand iPhone?

Google now mingles everything you’ve bought with everywhere you’ve been

The credit card companies began to monetise the histories a few years ago. Facebook signed deals with data companies including Experian, allowing it to mingle third party offline and online data, something it also calls “closing the loop”. Last year Facebook was reported to combine six or seven data sources to create its “Facebook Graph”.

Last year too, Google created “super profiles” of its users, breaking an earlier promise never to mingle data from your search history, YouTube viewing history or GPS location (constantly tracked by Android) with DoubleClick cookie information unless you explicitly opted in. Super profiles have prompted an antitrust complaint from Oracle, arguing that the combined data hoard creates an insurmountable barrier to entry for any ad competitor to Google.

“The new credit-card data enables the tech giant to connect these digital trails to real-world purchase records in a far more extensive way than was possible before,” the WaPo reports. “Neither gets to see the encrypted data that the other side brings.”

Source: Google now mingles everything you’ve bought with everywhere you’ve been • The Register

Pretty scary that your credit card history is being sold – I was not aware of that fact!

Netgear ‘fixes’ Nighthawk router by adding phone-home features that record your IP and MAC address

Netgear NightHawk R7000 users who ran last week’s firmware upgrade need to check their settings, because the company added a remote data collection feature to the units.

A sharp-eyed user posted the T&Cs change to Slashdot.

Netgear lumps the slurp as routine diagnostic data.

“Such data may include information regarding the router’s running status, number of devices connected to the router, types of connections, LAN/WAN status, WiFi bands and channels, IP address, MAC address, serial number, and similar technical data about the use and functioning of the router, as well as its WiFi network.”

Much of this is probably benign, but posters to the Slashdot thread were concerned about IP address and MAC address being collected by the company.

The good news is that you can turn it off: the instructions are here.

Source: Netgear ‘fixes’ router by adding phone-home features that record your IP and MAC address

Lib Dems pledge to end ‘Orwellian’ snooping powers in manifesto

The Liberal Democrats have pledged to end the “Orwellian nightmare” of mass-snooping powers in the Investigatory Powers Act ahead of their manifesto launch.

They will propose to roll back state surveillance powers by ending the indiscriminate bulk collection of communications data and internet connection records.

The party also committed to fighting Conservative attempts to undermine encryption, which it warned will put people’s online security at risk.

It comes as a recent leaked draft document from the Home Office has revealed that government aims to be able to access anyone’s communications within 24 hours and to bring an end to encrypted messages under the recently passed Investigatory Powers Bill.

Under the plans, companies would be legally required to introduce a backdoor to their systems so authorities can read all correspondence if required.

Source: Lib Dems pledge to end ‘Orwellian’ snooping powers in manifesto

Finally someone who cares!

Google AI has access to 1.6m NHS patients’ data – without permission

The document – a data-sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust – gives the clearest picture yet of what the company is doing and what sensitive data it now has access to.

The agreement gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year. This will include information about people who are HIV-positive, for instance, as well as details of drug overdoses and abortions. The agreement also includes access to patient data from the last five years.

Source: Revealed: Google AI has access to huge haul of NHS patient data | New Scientist

It goes beyond belief that this much patient data is given (sold?) to a commercial entity by the NHS without agreement from the people involved.

Uber Doesn’t Want You to See This Document About Its Vast Data Surveillance System

The ever-expanding operations of Uber are defined by two interlocking and zealously guarded sets of information: the things the world-dominating ride-hailing company knows about you, and the things it doesn’t want you to know about it. Both kinds of secrets have been in play in the Superior Court of California in San Francisco, as Ward Spangenberg, a former forensic investigator for Uber, has pursued a wrongful-termination lawsuit against the company.

Source: Uber Doesn’t Want You to See This Document About Its Vast Data Surveillance System

It’s a good rundown on the Uber stories and privacy invasions that have been happening recently.

Leaked: The UK’s secret blueprint with telcos for mass spying on internet, phones – and backdoors

The UK government has secretly drawn up more details of its new bulk surveillance powers – awarding itself the ability to monitor Brits’ live communications, and insert encryption backdoors by the backdoor.

In its draft technical capability notices paper [PDF], all communications companies – including phone networks and ISPs – will be obliged to provide real-time access to the full content of any named individual within one working day, as well as any “secondary data” relating to that person.

That includes encrypted content – which means that UK organizations will not be allowed to introduce true end-to-end encryption of their users’ data but will be legally required to introduce a backdoor to their systems so the authorities can read any and all communications.
[…]
This act of stripping away safeguards on people’s private data is also fantastic news for hackers, criminals, and anyone else who wants to snoop on Brits. The seals are finally coming off.

“This lays bare the extreme mass surveillance this Conservative government is planning after the election,” Liberal Democrat President Sal Brinton told us in a statement.

“It is a full frontal assault on civil liberties and people’s privacy. The security services need to be able to keep people safe. But these disproportionate powers are straight out of an Orwellian nightmare and have no place in a democratic society.”

Source: Leaked: The UK’s secret blueprint with telcos for mass spying on internet, phones – and backdoors

234 Android Applications Are Currently Using Ultrasonic Beacons to Track Users

uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones.

SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV “x” is also the owner of smartphone “Y” and links their two previous advertising profiles together, creating a broader picture of the user’s interests, device portfolio, home, and even family members.
[…]
Their results revealed Shopkick ultrasonic beacons at 4 of 35 stores in two European cities. The situation isn’t that worrisome, as users have to open an app with the Shopkick SDK for the beacon to be picked up.

Source: 234 Android Applications Are Currently Using Ultrasonic Beacons to Track Users

The Burger King Hello Google ad is an example of this, except without advertiser feedback. Creepy.

NSA collected Americans’ phone records (151 million of them!) despite law change

The U.S. National Security Agency collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report issued on Tuesday by the top U.S. intelligence officer.

The report from the office of Director of National Intelligence Dan Coats was the first measure of the effects of the 2015 USA Freedom Act, which limited the NSA to collecting phone records and contacts of people U.S. and allied intelligence agencies suspect may have ties to terrorism.

It found that the NSA collected the 151 million records even though it had warrants from the secret Foreign Intelligence Surveillance court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year.

The NSA has been gathering a vast quantity of telephone “metadata,” records of callers’ and recipients’ phone numbers and the times and durations of the calls – but not their content – since the September 11, 2001, attacks.

Source: NSA collected Americans’ phone records despite law change: report

UK gov forces porn sites to gather personal info and allows gov depts to share citizens’ data despite being hugely unsafe

ISPs may be forced to block sites which fail to do so, and the fact that many such sites are not based in the UK nor subject to British law shall pose plenty of difficulties for the law’s implementation, as will its provisions forcing ISPs to prohibit access to “non-conventional sex acts”, which has provoked plenty of criticism from the less vanilla members of society.

The legislation, which requires websites serving up adult content to verify users’ ages or be blocked by ISPs, was criticised as an “unworkable proposal” by Open Rights Group, among others, including feminist pornographer Pandora Blake:

On the passing of the bill, Open Rights Group’s executive director Jim Killock said: “Age verification is an accident waiting to happen. Despite repeated warnings, parliament has failed to listen to concerns about the privacy and security of people who want to watch legal adult content.

“As we saw with the Ashley Madison leaks, the hacking of private information about people’s sex lives, has huge repercussions for those involved. The UK government has failed to take responsibility for its proposals and placed the responsibility for people’s privacy into the hands of porn companies.”
[…]
Last year, the National Audit Office warned of government’s data-handling capabilities, noting that there were 9,000 data breaches over the reporting period and warning that “cuts to departmental budgets and staff numbers, and increasing demands from citizens for online public services, have changed the way government collects, stores and manages information.”

Samson said that large parts of the Digital Economy Bill regarding data sharing remained unclear, and noted that it received Royal Assent with a lot of information left to follow.

“We’ve been told throughout the process that everything will adhere to the Data Protection Act, but that will be redundant from May of next year when the EU’s General Data Protection Regulation comes in,” said Samson. “Whatever is drafted to comply with the DPA will have to change for the GDPR, which means ensuring the individual’s consent and knowledge regarding how their data is being used.”

Source: Just delete the internet – pr0n-blocking legislation receives Royal Assent

How Did Unroll.me Get Users to Allow It to Sell Their Inbox Data?

But a New York Times profile of Uber this weekend revealed, in passing, that Unroll.me, which is owned by a company called Slice Intelligence, isn’t just in the business of tidying up customers’ inboxes. Slice makes money by scanning its users’ email for receipts, then packaging that information into intel reports on consumer habits. Uber, for example, was paying Slice to find users’ Lyft receipts, so it could see how much they were spending each month, “as a proxy for the health of Lyft’s business.”

On its website, Slice brags that it has access to 4.2 million people’s inboxes, where it quietly sits looking at receipts from “hundreds of thousands of retailers.” Many Unroll.me users have been quite upset to learn about the extent of the data collection, which the service’s CEO, Jojo Hedaya, wrote in a blog post yesterday is “heartbreaking.”

“[W]hile we try our best to be open about our business model, recent customer feedback tells me we weren’t explicit enough,” Hedaya wrote.

Source: How Did Unroll.me Get Users to Allow It to Sell Their Inbox Data?

Hint – they used some nice tricks including the “for any purpose” line…

Nuh-uh, Google, you WILL hand over emails stored on foreign servers, says US judge

Google has been ordered by a US court to cough up people’s private Gmail messages stored overseas – because if that information can be viewed stateside, it is subject to American search warrants, apparently.

During a hearing on Wednesday in California, magistrate judge Laurel Beeler rejected [PDF] the advertising giant’s objections to a US government search warrant seeking data stored on its foreign servers. The Mountain View goliath had filed a motion to quash the warrant, and was denied.

The warrant, issued on June 30, 2016, ordered Google to hand over information on a number of specific Gmail accounts, including message content, attachments, metadata, and locational data.

While Google complied with the warrants and handed all of the requested records for several accounts over to Uncle Sam’s agents, it refused to cough up information on two accounts and declined to access attachments on two others, arguing that because the data was held outside the US it was not covered by the warrant, as was decided in the Microsoft email brouhaha.

Judge Beeler, however, disagreed with the Chocolate Factory’s assessment, reasoning that if Google was able to pull up the data on its own machines in the US, then it should fall under a US court’s jurisdiction and, because it would be pulled from Google’s HQ in Mountain View, it was not considered overseas content the way Microsoft’s Ireland-based info was.

Source: Nuh-uh, Google, you WILL hand over emails stored on foreign servers, says US judge

Because in the US, all your base are belong to US

What information Windows 10 Creators Update will slurp from your PC

Now

Windows 10 Home and Pro has, right now, two levels of data collection, Basic and Full. When a computer is in Basic mode, Microsoft says Win 10 takes a note of the state of your hardware and its specifications, your internet connection quality, records of crashes and hangs by software, any compatibility problems, driver usage data, which apps you’ve installed and how you use them, and other bits and pieces.

In Full mode, shedloads more is sent over. It includes everything at the Basic level plus records of events generated by the operating system, and your “inking and typing data.” Engineers, with permission from Microsoft’s privacy governance team, can obtain users’ documents that trigger crashes in applications, so they can work out what’s going wrong. The techies can also run diagnostic tools remotely on the computers, again with permission from their overseers.

And next

In the Creators Update, aka Windows 10 version 1703, all this information will be collected in Basic mode. A lot of it is to help Microsofties pinpoint the cause of crashes and potential new malware infections, although it includes things like logs of you giving applications administrator privileges via the UAC, battery life readings, firmware version details, details of your hardware down to the color and serial number of the machine, which cell network you’re using, and so on.

Then there’s the information collected in Full mode, which includes everything in Basic plus your user settings and preferences, your browser choice, lists of your peripherals, the apps you use to edit and view images and videos, how long you use the mouse and keyboard, all the applications you’ve ever installed, URLs to videos you’ve watched that triggered an error, URLs to music that triggered an error, time spent reading ebooks, text typed in a Microsoft web browser’s address and search bar, URLs visited, visited webpage titles, the words you’ve spoken to Cortana or had translated to text by the system, your ink strokes, and more.

Source: Put down your coffee and admire the sheer amount of data Windows 10 Creators Update will slurp from your PC

This is just ridiculous!

Your internet history on sale to highest bidder: US Congress votes to shred ISP privacy rules

The US House of Representatives has just approved a “congressional disapproval” vote of privacy rules, which gives your ISP the right to sell your internet history to the highest bidder.

The measure passed by 215 votes to 205.

This follows the same vote in the Senate last week. Just prior to the vote, a White House spokesman said the president supported the bill, meaning that the decision will soon become law.

This approval means that whoever you pay to provide you with internet access – Comcast, AT&T, Time Warner Cable, etc – will be able to sell everything they know about your use of the internet to third parties without requiring your approval and without even informing you.

Your ISP already knows quite a lot about you: your name and address, quite possibly your age, and a host of other personally identifiable information such as your social security number. That’s on the customer information side. On the service side, they know which websites you visit, when, and how often.

That information can be used to build a very detailed picture of who you are: what your political and sexual leanings are; whether you have kids; when you are at home; whether you have any medical conditions; and so on – a thousand different data points that, if they have sufficient value to companies willing to pay for them, will soon be traded without your knowledge.

Source: Your internet history on sale to highest bidder: US Congress votes to shred ISP privacy rules

This is just incredible, even in Trumpland: rape and pillage the peons!

Set up a VPN!

The Senate Just Voted to Let Internet Providers Sell Your Web History

Today, the US Senate voted 50-48 to overturn broadband privacy rules that would have required internet service providers get consumer consent before selling their web browsing data to advertisers or other data companies.

The rules, which passed in October of last year, govern the collection and selling of private data by ISPs like Verizon, Comcast, or AT&T. Those rules would have required internet providers to ask for permission before selling data about your usage, like web browsing history and location, as well as data about finances, health, app usage, and more. The Senate just voted against it.

Essentially, your ISP would need your approval before they could tell advertisers what web sites you like, what apps you use, where you’re at, or any health and financial information it has on you. These protections weren’t in place yet; the privacy protection rules would go into effect as early as December 4, 2017.

Source: The Senate Just Voted to Let Internet Providers Sell Your Web History

Hardly surprising considering the 4th Reich has just been set up to allow the rape and pillage of the poor by the rich.

5 Things We’ve Learned About How Companies Track You Online And Off

The ability for companies to follow you from one platform to another — from your phone to your laptop to a physical store — is called cross-device tracking, and for businesses that want to market and sell stuff to you, it is basically the holy grail.

With robust tracking, a company can follow you basically from the moment you wake up and check social media feeds on your phone, through your commute, to work, back through the evening, and once more to your bed at night.
[…]
To get there, the FTC recently held a workshop on Cross-Device tracking, and has now published a report [PDF] highlighting some key facts about this increasingly popular practice.

Source: 5 Things We’ve Learned About How Companies Track You Online And Off – Consumerist

These same organizations also employ the use of social media analytics in order to reach the best target audience. Many of the tracked pieces of information help them in this regard. More accurate advertising is very beneficial to them for obvious reasons.

1. You don’t need always to be logged in to be tracked.
2. Cross-device tracking can actually improve account security.
3. Companies are not at all transparent about tracking practices.
4. Consumers have very little control.
5. The industry is working on some voluntary self-regulation… sort of.

Windows DRM can find your IP without you knowing if you’re watching properly signed wmv and asf files, can uncloak your Tor anonymity

If you were to modify the above WRMHEADER or any of the three identified GUID objects you would find that on opening in Windows Media Player you are prompted with a warning from Windows Media Player.

However, this warning DOES NOT appear if the DRM license has been signed correctly and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile. There are several free DRM providers who could sign your media for you however as the barrier to entry to the DRM market is the aforementioned price tag, it makes you wonder how these files are being signed in the wild! As these “signed WMV” files do not present any alert to a user before opening them they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning. For such an attack to work your target candidate must be running TorBrowser on Windows. When opening/downloading files, TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in tails. This is not an attack against Tor or the TorBrowser directly but a useful way that could be leveraged to identify people attempting to access illegal media content (such as Daesh propaganda).

Source: Windows DRM Social Engineering Attacks & TorBrowser – My Hacker House

Google, unlike Microsoft, must turn over foreign emails: U.S. judge

A U.S. judge has ordered Google to comply with search warrants seeking customer emails stored outside the United States, diverging from a federal appeals court that reached the opposite conclusion in a similar case involving Microsoft Corp (MSFT.O).

U.S. Magistrate Judge Thomas Rueter in Philadelphia ruled on Friday that transferring emails from a foreign server so FBI agents could review them locally as part of a domestic fraud probe did not qualify as a seizure.

The judge said this was because there was “no meaningful interference” with the account holder’s “possessory interest” in the data sought.

“Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States,” Rueter wrote.

Source: Google, unlike Microsoft, must turn over foreign emails: U.S. judge

I guess Rueter finds that invasion of privacy is no meaningful interference.

Vizio coughs up $2.2m after its smart TVs spied on millions of families

California electronics maker Vizio will cough up $2.2m after its smart TVs spied on millions of people.

America’s trade watchdog, the FTC, said today the payment will settle a complaint filed by the state of New Jersey accusing Vizio of violating privacy regulations: the biz had collected the viewing habits of 11 million television sets throughout the country without warning or permission.

According to the state attorney general’s federal complaint [PDF], from February 2014 to March 2016, Vizio noted down exactly what its customers were watching and then resold all those records as summaries to third parties – which were mostly advertising companies.

The usage data was not only collected while customers were watching over-the-air or cable TV broadcasts, but also when they were watching DVDs or streaming video from websites and over-the-top services like Netflix.

Vizio harvested surveillance on people and their families so precise, it knew exactly what you were watching, second by second, and even took copies of the watched video, according to prosecutors. Additionally, we’re told, Vizio resold summaries of personal information about its customers it had gathered, including age, marital status, and household income, to advertisers without consent.

Source: Vizio coughs up $2.2m after its smart TVs spied on millions of families • The Register

No mention of the records having to be destroyed though?