Fresh Cambridge Analytica leak ‘shows global manipulation is out of control’

An explosive leak of tens of thousands of documents from the defunct data firm Cambridge Analytica is set to expose the inner workings of the company that collapsed after the Observer revealed it had misappropriated 87 million Facebook profiles.

More than 100,000 documents relating to work in 68 countries that will lay bare the global infrastructure of an operation used to manipulate voters on “an industrial scale” are set to be released over the next months.

It comes as Christopher Steele, the ex-head of MI6’s Russia desk and the intelligence expert behind the so-called “Steele dossier” into Trump’s relationship with Russia, said that while the company had closed down, the failure to properly punish bad actors meant that the prospects for manipulation of the US election this year were even worse.

The release of documents began on New Year’s Day on an anonymous Twitter account, @HindsightFiles, with links to material on elections in Malaysia, Kenya and Brazil. The documents were revealed to have come from Brittany Kaiser, an ex-Cambridge Analytica employee turned whistleblower, and to be the same ones subpoenaed by Robert Mueller’s investigation into Russian interference in the 2016 presidential election.

Source: Fresh Cambridge Analytica leak ‘shows global manipulation is out of control’ | UK news | The Guardian

U.S. government limits exports of artificial intelligence software – seem to have forgotten what happened when they limited cryptographic exports in the 90s

The Trump administration will make it more difficult to export artificial intelligence software as of next week, part of a bid to keep sensitive technologies out of the hands of rival powers like China.

Under a new rule that goes into effect on Monday, companies that export certain types of geospatial imagery software from the United States must apply for a license to send it overseas except when it is being shipped to Canada.

The measure is the first to be finalized by the Commerce Department under a mandate from a 2018 law, which tasked the agency with writing rules to boost oversight of exports of sensitive technology to adversaries like China, for economic and security reasons.

Reuters first reported that the agency was finalizing a set of narrow rules to limit such exports in a boon to U.S. industry that feared a much tougher crackdown on sales abroad.

Source: U.S. government limits exports of artificial intelligence software – Reuters

Just in case you forgot about encryption products, clipper chips etc: US products were weakened with backdoors, which meant a) no-one wanted US products and b) there was a wildfire growth of non-US encryption products. So basically the US goal to limit cryptography failed and at a cost to US producers.

Bosch’s LCD Car Visor Only Blocks Your View of the Road Where the Sun Is In Your Eyes

Instead of a rigid panel wrapped in fabric, Bosch’s Virtual Visor features an LCD panel that can be flipped down when the sun is hanging out on the horizon. The panel works alongside a camera that’s pointed at a driver’s face whose live video feed is processed using a custom trained AI to recognize facial features like the nose, mouth, and, most importantly, the eyes. The camera system should recognize shadows cast on the driver’s eyes, and it uses this ability to darken only the areas on the LCD visor where intense sunlight would be passing through and impairing a driver’s vision. The region of the visor that’s darkened is constantly changing based on both the vehicle and driver’s movements, but the rest should remain transparent to provide a less obstructed view of the road and other vehicles ahead.

The Virtual Visor actually started life as a side project for three of Bosch’s powertrain engineers who developed it in their free time and harvested the parts they needed from a discarded computer monitor. As to when the feature will start showing up as an option in new cars remains to be seen—if ever. If you’ve ever dropped your phone or poked at a screen too hard you’re already aware of how fragile LCD panels can be, so there will need to be lots of in-vehicle testing before this ever goes mainstream. But it’s a clever innovation using technology that at this point is relatively cheap and readily available, so hopefully this is an upgrade that’s not too far away.

Source: Bosch’s LCD Car Visor Only Blocks Your View of the Road Where the Sun Is In Your Eyes

Smart speaker maker Sonos takes heat for deliberately bricking older kit with ‘Trade Up’ plan

Soundbar and smart-speaker-flinger Sonos is starting the new year with the wrong kind of publicity.

Customers and netizens are protesting against its policy of deliberately rendering working systems unusable, which is bad for the environment as it sends devices prematurely to an electronic waste graveyard.

The policy is also hazardous for those who unknowingly purchase a disabled device on the second-hand market, or even for users who perhaps mistake “recycle” for “reset”.

The culprit is Sonos’s so-called “Trade Up Program” which gives customers a 30 per cent discount off a new device, provided they follow steps to place their existing hardware into “Recycle mode”. Sonos has explained that “when you recycle an eligible Sonos product, you are choosing to permanently deactivate it. Once you confirm you’d like to recycle your product, the decision cannot be reversed.” There is a 21-day countdown (giving you time to receive your shiny new hardware) and then it is useless, “even if the product has been reset to its factory settings.”

Sonos suggests taking the now useless gadget to a local e-waste recycling centre, or sending it back to Sonos, though it remarks that scrapping it locally is “more eco-friendly than shipping it to Sonos”. In fact, agreeing either to return it or to use a “certified electronics recycler” is part of the terms and conditions, though the obvious question is how well this is enforced or whether customers even notice this detail when participating in the scheme.

The truth of course is that no recycling option is eco-friendly in comparison to someone continuing to enjoy the device doing what it does best, which is to play music. Even if a user is conscientious about finding an electronic waste recycling centre, there is a human and environmental cost involved, and not all parts can be recycled.

Sonos has posted on the subject of sustainability and has a “director of sustainability”, Mark Heintz, making its “Trade Up” policy even harder to understand.

Why not allow these products to be resold or reused? Community manager Ryan S said: “While we’re proud of how long our products last, we don’t really want these old, second-hand products to be the first experience a new customer has with Sonos.”

While this makes perfect business sense for Sonos, it is a weak rationale from an environmental perspective. Reactions like this one on Twitter are common. “I’ve bought and recommended my last Sonos product. Please change your practice, at the very least be honest about it and don’t flash the sustainability card for something that’s clearly not.”

Source: Smart speaker maker Sonos takes heat for deliberately bricking older kit with ‘Trade Up’ plan • The Register

The World’s Largest Floating Wind Farm Is Here

This is the second day of the new decade, and the world’s largest floating wind farm is already doing its damn thing and generating electricity.

Located off the coast of Portugal, the WindFloat Atlantic wind farm connected to the grid on New Year’s Eve. And this is only the first of the project’s three platforms. Once all go online, the floating wind farm will be able to produce enough energy for about 60,000 homes a year. Like many European countries (including Denmark and the UK), Portugal has been investing heavily in wind as a viable clean energy option.

Source: The World’s Largest Floating Wind Farm Is Here

This particle accelerator fits on the head of a pin

If you know nothing else about particle accelerators, you probably know that they’re big — sometimes miles long. But a new approach from Stanford researchers has led to an accelerator shorter from end to end than a human hair is wide.

The general idea behind particle accelerators is that they’re a long line of radiation emitters that smack the target particle with radiation at the exact right time to propel it forward a little faster than before. The problem is that depending on the radiation you use and the speed and resultant energy you want to produce, these things can get real big, real fast.

That also limits their applications; you can’t exactly put a particle accelerator in your lab or clinic if they’re half a kilometer long and take megawatts to run. Something smaller could be useful, even if it was nowhere near those power levels — and that’s what these Stanford scientists set out to make.

“We want to miniaturize accelerator technology in a way that makes it a more accessible research tool,” explained project lead Jelena Vuckovic in a Stanford news release.

But this wasn’t designed like a traditional particle accelerator like the Large Hadron Collider or one at collaborator SLAC’s National Accelerator Laboratory. Instead of engineering it from the bottom up, they fed their requirements to an “inverse design algorithm” that produced the kind of energy pattern they needed from the infrared radiation emitters they wanted to use.

That’s partly because infrared radiation has a much shorter wavelength than something like microwaves, meaning the mechanisms themselves can be made much smaller — perhaps too small to adequately design the ordinary way.

The algorithm’s solution to the team’s requirements led to an unusual structure that looks more like a Rorschach test than a particle accelerator. But these blobs and channels are precisely contoured to guide infrared laser light pulses in such a way that they push electrons along the center up to a significant proportion of the speed of light.

The resulting “accelerator on a chip” is only a few dozen microns across, making it comfortably smaller than a human hair and more than possible to stack a few on the head of a pin. A couple thousand of them, really.

And it will take a couple thousand to get the electrons up to the energy levels needed to be useful — but don’t worry, that’s all part of the plan. The chips are fully integrated but can be put in a series easily to create longer assemblies that produce larger powers.

These won’t be rivaling macro-size accelerators like SLAC’s or the Large Hadron Collider, but they could be much more useful for research and clinical applications where planet-destroying power levels aren’t required. For instance, a chip-sized electron accelerator might be able to direct radiation into a tumor surgically rather than through the skin.

The team’s work is published in a paper today in the journal Science.

Source: This particle accelerator fits on the head of a pin – TechCrunch

Government exposes addresses of > 1000 new year honours recipients

More than 1,000 celebrities, government employees and politicians who have received honours had their home and work addresses posted on a government website, the Guardian can reveal.

The accidental disclosure of the tranche of personal details is likely to be considered a significant security breach, particularly as senior police and Ministry of Defence staff were among those whose addresses were made public.

Many of the more than a dozen MoD employees and senior counter-terrorism officers who received honours in the new year list had their home addresses revealed in a downloadable list, along with countless others who may believe the disclosure has put them in a vulnerable position.

Prominent public figures including the musician Elton John, the cricketer Ben Stokes, NHS England’s chief executive, Simon Stevens, the politicians Iain Duncan Smith and Diana Johnson, TV chef Nadiya Hussain, and the former director of public prosecutions Alison Saunders were among those whose home addresses were published.

Others included Jonathan Jones, the permanent secretary of the government’s legal department, and John Manzoni, the Cabinet Office permanent secretary. Less well-known figures included academics, Holocaust survivors, prison staff and community and faith leaders.

It is thought the document seen by the Guardian, which contains the details of 1,097 people, went online at 10.30pm on Friday and was taken down in the early hours of Saturday.

The vast majority of people on the list had their house numbers, street names and postcodes included.

Source: Government exposes addresses of new year honours recipients | UK news | The Guardian

Wyze data leak may have exposed personal data of millions of users

Security camera startup Wyze has confirmed it suffered a data leak this month that may have left the personal information of millions of its customers exposed on the internet. No passwords or financial information were exposed, but email addresses, Wi-Fi network IDs and body metrics were left unprotected from Dec. 4 through Dec. 26, the company said Friday.

More than 2.4 million Wyze customers were affected by the leak, according to cybersecurity firm Twelve Security, which first reported on the leak.

“We are still looking into this event to figure out why and how this happened,” he wrote.

In an update Sunday, Song said Wyze discovered a second unprotected database during its investigation of the data leak. It’s unclear what information was stored in this database, but Song said passwords and personal financial data weren’t included.

Source: Wyze data leak may have exposed personal data of millions of users – CNET

Researchers detail AI that de-hazes and colorizes underwater photos

Ever notice that underwater images tend to be blurry and somewhat distorted? That’s because phenomena like light attenuation and back-scattering adversely affect visibility. To remedy this, researchers at Harbin Engineering University in China devised a machine learning algorithm that generates realistic water images, along with a second algorithm that trains on those images to both restore natural color and reduce haze. They say that their approach qualitatively and quantitatively matches the state of the art, and that it’s able to process upwards of 125 frames per second running on a single graphics card.

The team notes that most underwater image enhancement algorithms (such as those that adjust white balance) aren’t based on physical imaging models, making them poorly suited to the task. By contrast, this approach taps a generative adversarial network (GAN) — an AI model consisting of a generator that attempts to fool a discriminator into classifying synthetic samples as real-world samples — to produce a set of images of specific survey sites that are fed into a second algorithm, called U-Net.

The team trained the GAN on a corpus of labeled scenes containing 3,733 images and corresponding depth maps, chiefly of scallops, sea cucumbers, sea urchins, and other such organisms living within indoor marine farms. They also sourced open data sets including NY Depth, which comprises thousands of underwater photographs in total.

Post-training, the researchers compared the results of their twin-model approach to that of baselines. They point out that their technique has advantages in that it’s uniform in its color restoration, and that it recovers green-toned images well without destroying the underlying structure of the original input image. It also generally manages to recover color while maintaining “proper” brightness and contrast, a task at which competing solutions aren’t particularly adept.

It’s worth noting that the researchers’ method isn’t the first to reconstruct frames from damaged footage. Cambridge Consultants’ DeepRay leverages a GAN trained on a data set of 100,000 still images to remove distortion introduced by an opaque pane of glass, and the open source DeOldify project employs a family of AI models including GANs to colorize and restore old images and film footage. Elsewhere, scientists at Microsoft Research Asia in September detailed an end-to-end system for autonomous video colorization; researchers at Nvidia last year described a framework that infers colors from just one colorized and annotated video frame; and Google AI in June introduced an algorithm that colorizes grayscale videos without manual human supervision.

Source: Researchers detail AI that de-hazes and colorizes underwater photos

France slaps Google with $166M antitrust fine for opaque and inconsistent ad rules

France’s competition watchdog has slapped Google with a €150 million (~$166 million) fine after finding the tech giant abused its dominant position in the online search advertising market.

In a decision announced today — following a lengthy investigation into the online ad sector — the competition authority sanctioned Google for adopting what it describes as “opaque and difficult to understand” operating rules for its ad platform, Google Ads, and for applying them in “an unfair and random manner.”

The watchdog has ordered Google to clarify how it draws up rules for the operation of Google Ads and its procedures for suspending accounts. The tech giant will also have to put in place measures to prevent, detect and deal with violations of Google Ads rules.

A Google spokesman told TechCrunch the company will appeal the decision.

The decision — which comes hard on the heels of a market study report by the U.K.’s competition watchdog asking for views on whether Google should be broken up — relates to search ads which appear when a user of Google’s search engine searches for something and ads are served alongside organic search results.

More specifically, it relates to the rules Google applies to its Ads platform which set conditions under which advertisers can broadcast ads — rules the watchdog found to be confusing and inconsistently applied.

It also found Google had changed its position on the interpretation of the rules over time, which it said generated instability for some advertisers who were kept in a situation of legal and economic insecurity.

In France, Google holds a dominant position in the online search market, with its search engine responsible for more than 90% of searches carried out, and holds more than 80% of the online ad market linked to searches, per the watchdog, which notes that that dominance puts requirements on it to define operating rules of its ad platform in an objective, transparent and non-discriminatory manner.

However, it found Google’s wording of ad rules failed to live up to that standard — saying it is “not based on any precise and stable definition, which gives Google full latitude to interpret them according to situations.”

Explaining its decision in a press release, the Autorité de la Concurrence writes [translated by Google Translate]:

[T]he French Competition Authority considers that the Google Ads operating rules imposed by Google on advertisers are established and applied under non-objective, non-transparent and discriminatory conditions. The opacity and lack of objectivity of these rules make it very difficult for advertisers to apply them, while Google has all the discretion to modify its interpretation of the rules in a way that is difficult to predict, and decide accordingly whether the sites comply with them or not. This allows Google to apply them in a discriminatory or inconsistent manner. This leads to damage both for advertisers and for search engine users.

The watchdog’s multi-year investigation of the online ad sector was instigated after a complaint by a company called Gibmedia — which raised an objection more than four years ago after Google closed its Google Ads account without notice.

Source: France slaps Google with $166M antitrust fine for opaque and inconsistent ad rules | TechCrunch

Twitter Warns Millions of Android App Users to Update Immediately

This week, Twitter confirmed a vulnerability in its Android app that could let hackers see your “nonpublic account information” and commandeer your account to send tweets and direct messages.

According to a Twitter Privacy Center blog posted Friday, the (recently patched) security issue could allow hackers to gain control of an account and access data like location information and protected tweets “through a complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app,” potentially putting the app’s millions of users at risk. A tweet from Twitter support later elaborated that the issue was fixed for Android version 7.93.4 (released in November for KitKat) as well as version 8.18 (released in October for Lollipop and newer).

Source: Twitter Warns Millions of Android App Users to Update Immediately

Chinese hacker group caught bypassing 2FA

Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks.

The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate at the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in a report published last week.

The group’s primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks.

Recent APT20 activity

The Fox-IT report comes to fill in a gap in the group’s history. APT20’s hacking goes back to 2011, but researchers lost track of the group’s operations in 2016-2017, when they changed their mode of operation.

Fox-IT’s report documents what the group has been doing over the past two years and how they’ve been doing it.

According to researchers, the hackers used web servers as the initial point of entry into a target’s systems, with a particular focus on JBoss, an enterprise application platform often found in large corporate and government networks.

APT20 used vulnerabilities to gain access to these servers, install web shells, and then spread laterally through a victim’s internal systems.

While on the inside, Fox-IT said the group dumped passwords and looked for administrator accounts, in order to maximize their access. A primary concern was obtaining VPN credentials, so hackers could escalate access to more secure areas of a victim’s infrastructure, or use the VPN accounts as more stable backdoors.

Fox-IT said that despite what appears to be a very prodigious hacking activity over the past two years, “overall the actor has been able to stay under the radar.”

They did so, researchers explain, by using legitimate tools that were already installed on hacked devices, rather than downloading their own custom-built malware, which could have been detected by local security software.

APT20 seen bypassing 2FA

But this wasn’t the thing that stood out the most in all the attacks the Dutch security firm investigated. Fox-IT analysts said they found evidence the hackers connected to VPN accounts protected by 2FA.

How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA at will.

Normally, this wouldn’t be possible. To use one of these software tokens, the user would need to connect a physical (hardware) device to their computer. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecurID software would generate an error.

The Fox-IT team explains how hackers might have gone around this issue:

The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim.

As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all.

In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.

Wocao

Fox-IT said it was able to investigate APT20’s attacks because they were called in by one of the hacked companies to help investigate and respond to the hacks.

More on these attacks can be found in a report named “Operation Wocao.”

Source: Chinese hacker group caught bypassing 2FA | ZDNet
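
The design point in the Fox-IT quote above (the system-specific value is compared at import but plays no part in generating codes) can be shown with a toy model. This is an added example, not code from Fox-IT, ZDNet or RSA; it uses an RFC 4226-style HMAC code as a stand-in for SecurID's algorithm, and every name and value in it is constructed.

```python
"""Toy model of soft-token device binding (stand-in algorithm, constructed data)."""
import hashlib
import hmac
import struct

STEP = 60  # seconds per code window (constructed value)


def otp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based code using RFC 4226 dynamic truncation of HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def derive_bound_key(seed: bytes, device_id: bytes) -> bytes:
    """Hardened variant: the device value is mixed into the code-generating key."""
    return hmac.new(seed, b"device-binding|" + device_id, hashlib.sha256).digest()


class Server:
    """Verifier that holds the key enrolled for one token."""

    def __init__(self, key: bytes):
        self._key = key

    def accepts(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, otp(self._key, unix_time))


def client_code_check_only(token_file: dict, local_device_id: bytes, unix_time: int) -> str:
    """Binding as the quote describes it: compared once, never used in the math."""
    if token_file["device_id"] != local_device_id:
        raise PermissionError("token was issued for a different device")
    return otp(token_file["seed"], unix_time)


def client_code_bound(token_file: dict, local_device_id: bytes, unix_time: int) -> str:
    """Binding by derivation: a different device value yields a different key."""
    return otp(derive_bound_key(token_file["seed"], local_device_id), unix_time)


def compare_designs() -> dict:
    # Constructed sample data, not real token material.
    token_file = {"seed": bytes(range(16)), "device_id": b"HOST-A"}
    other_device = b"HOST-B"
    now = 1_577_836_800  # 2020-01-01T00:00:00Z

    check_only_server = Server(token_file["seed"])
    bound_server = Server(derive_bound_key(token_file["seed"], token_file["device_id"]))

    results = {
        # The enrolled device works under both designs.
        "check_only_legit": check_only_server.accepts(
            client_code_check_only(token_file, b"HOST-A", now), now),
        "bound_legit": bound_server.accepts(
            client_code_bound(token_file, b"HOST-A", now), now),
    }

    # The client refuses to run on another device...
    try:
        client_code_check_only(token_file, other_device, now)
        results["check_only_client_refuses_other_device"] = False
    except PermissionError:
        results["check_only_client_refuses_other_device"] = True

    # ...but the server only ever sees a code computed from the seed, so the
    # comparison is advisory: the seed alone reproduces an accepted code.
    results["check_only_seed_alone_accepted"] = check_only_server.accepts(
        otp(token_file["seed"], now), now)

    # With derivation, the same file used under another device value fails.
    results["bound_copy_on_other_device_accepted"] = bound_server.accepts(
        client_code_bound(token_file, other_device, now), now)
    return results


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

Deriving the key from the device value only helps while that value stays out of an intruder's reach, and the quote notes it can be read from the victim's system. Keys held in non-exportable hardware remove that dependency.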

Twelve Million Phones, One Dataset (no, not your phone companies’), Zero Privacy – The New York Times

Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles.

Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017. The data was provided to Times Opinion by sources who asked to remain anonymous because they were not authorized to share it and could face severe penalties for doing so. The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers.

After spending months sifting through the data, tracking the movements of people across the country and speaking with dozens of data companies, technologists, lawyers and academics who study this field, we feel the same sense of alarm. In the cities that the data file covers, it tracks people from nearly every neighborhood and block, whether they live in mobile homes in Alexandria, Va., or luxury towers in Manhattan.

One search turned up more than a dozen people visiting the Playboy Mansion, some overnight. Without much effort we spotted visitors to the estates of Johnny Depp, Tiger Woods and Arnold Schwarzenegger, connecting the devices’ owners to the residences indefinitely.

If you lived in one of the cities the dataset covers and use apps that share your location — anything from weather apps to local news apps to coupon savers — you could be in there, too.

If you could see the full trove, you might never use your phone the same way again.

[Figure: A typical day at Grand Central Terminal in New York City. Satellite imagery: Microsoft]

The data reviewed by Times Opinion didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book. They can see the places you go every moment of the day, whom you meet with or spend the night with, where you pray, whether you visit a methadone clinic, a psychiatrist’s office or a massage parlor.

[…]

The companies that collect all this information on your movements justify their business on the basis of three claims: People consent to be tracked, the data is anonymous and the data is secure.

None of those claims hold up, based on the file we’ve obtained and our review of company practices.

Yes, the location data contains billions of data points with no identifiable information like names or email addresses. But it’s child’s play to connect real names to the dots that appear on the maps.

[…]

In most cases, ascertaining a home location and an office location was enough to identify a person. Consider your daily commute: Would any other smartphone travel directly between your house and your office every day?

Describing location data as anonymous is “a completely false claim” that has been debunked in multiple studies, Paul Ohm, a law professor and privacy researcher at the Georgetown University Law Center, told us. “Really precise, longitudinal geolocation information is absolutely impossible to anonymize.”

“D.N.A.,” he added, “is probably the only thing that’s harder to anonymize than precise geolocation information.”

Yet companies continue to claim that the data are anonymous. In marketing materials and at trade conferences, anonymity is a major selling point — key to allaying concerns over such invasive monitoring.

To evaluate the companies’ claims, we turned most of our attention to identifying people in positions of power. With the help of publicly available information, like home addresses, we easily identified and then tracked scores of notables. We followed military officials with security clearances as they drove home at night. We tracked law enforcement officers as they took their kids to school. We watched high-powered lawyers (and their guests) as they traveled from private jets to vacation properties. We did not name any of the people we identified without their permission.

The data set is large enough that it surely points to scandal and crime but our purpose wasn’t to dig up dirt. We wanted to document the risk of underregulated surveillance.

Watching dots move across a map sometimes revealed hints of faltering marriages, evidence of drug addiction, records of visits to psychological facilities.

Connecting a sanitized ping to an actual human in time and place could feel like reading someone else’s diary.

[…]

The inauguration weekend yielded a trove of personal stories and experiences: elite attendees at presidential ceremonies, religious observers at church services, supporters assembling across the National Mall — all surveilled and recorded permanently in rigorous detail.

Protesters were tracked just as rigorously. After the pings of Trump supporters, basking in victory, vanished from the National Mall on Friday evening, they were replaced hours later by those of participants in the Women’s March, as a crowd of nearly half a million descended on the capital. Examining just a photo from the event, you might be hard-pressed to tie a face to a name. But in our data, pings at the protest connected to clear trails through the data, documenting the lives of protesters in the months before and after the protest, including where they lived and worked.

[…]

Inauguration Day weekend was marked by other protests — and riots. Hundreds of protesters, some in black hoods and masks, gathered north of the National Mall that Friday, eventually setting fire to a limousine near Franklin Square. The data documented those rioters, too. Filtering the data to that precise time and location led us to the doorsteps of some who were there. Police were present as well, many with faces obscured by riot gear. The data led us to the homes of at least two police officers who had been at the scene.

As revealing as our searches of Washington were, we were relying on just one slice of data, sourced from one company, focused on one city, covering less than one year. Location data companies collect orders of magnitude more information every day than the totality of what Times Opinion received.

Data firms also typically draw on other sources of information that we didn’t use. We lacked the mobile advertising IDs or other identifiers that advertisers often combine with demographic information like home ZIP codes, age, gender, even phone numbers and emails to create detailed audience profiles used in targeted advertising. When datasets are combined, privacy risks can be amplified. Whatever protections existed in the location dataset can crumble with the addition of only one or two other sources.

There are dozens of companies profiting off such data daily across the world — by collecting it directly from smartphones, creating new technology to better capture the data or creating audience profiles for targeted advertising.

The full collection of companies can feel dizzying, as it’s constantly changing and seems impossible to pin down. Many use technical and nuanced language that may be confusing to average smartphone users.

While many of them have been involved in the business of tracking us for years, the companies themselves are unfamiliar to most Americans. (Companies can work with data derived from GPS sensors, Bluetooth beacons and other sources. Not all companies in the location data business collect, buy, sell or work with granular location data.)

[Graphic: A Selection of Companies Working in the Location Data Business. Sources: MightySignal, LUMA Partners and AppFigures.]

Location data companies generally downplay the risks of collecting such revealing information at scale. Many also say they’re not very concerned about potential regulation or software updates that could make it more difficult to collect location data.

[…]

Does it really matter that your information isn’t actually anonymous? Location data companies argue that your data is safe — that it poses no real risk because it’s stored on guarded servers. This assurance has been undermined by the parade of publicly reported data breaches — to say nothing of breaches that don’t make headlines. In truth, sensitive information can be easily transferred or leaked, as evidenced by this very story.

We’re constantly shedding data, for example, by surfing the internet or making credit card purchases. But location data is different. Our precise locations are used fleetingly in the moment for a targeted ad or notification, but then repurposed indefinitely for much more profitable ends, like tying your purchases to billboard ads you drove past on the freeway. Many apps that use your location, like weather services, work perfectly well without your precise location — but collecting your location feeds a lucrative secondary business of analyzing, licensing and transferring that information to third parties.

The data contains simple information like date, latitude and longitude, making it easy to inspect, download and transfer. Note: Values are randomized to protect sources and device owners.

For many Americans, the only real risk they face from having their information exposed would be embarrassment or inconvenience. But for others, like survivors of abuse, the risks could be substantial. And who can say what practices or relationships any given individual might want to keep private, to withhold from friends, family, employers or the government? We found hundreds of pings in mosques and churches, abortion clinics, queer spaces and other sensitive areas.

In one case, we observed a change in the regular movements of a Microsoft engineer. He made a visit one Tuesday afternoon to the main Seattle campus of a Microsoft competitor, Amazon. The following month, he started a new job at Amazon. It took minutes to identify him as Ben Broili, a manager now for Amazon Prime Air, a drone delivery service.

“I can’t say I’m surprised,” Mr. Broili told us in early December. “But knowing that you all can get ahold of it and comb through and place me to see where I work and live — that’s weird.” That we could so easily discern that Mr. Broili was out on a job interview raises some obvious questions, like: Could the internal location surveillance of executives and employees become standard corporate practice?

[…]

If this kind of location data makes it easy to keep tabs on employees, it makes it just as simple to stalk celebrities. Their private conduct — even in the dead of night, in residences and far from paparazzi — could come under even closer scrutiny.

Reporters hoping to evade other forms of surveillance by meeting in person with a source might want to rethink that practice. Every major newsroom covered by the data contained dozens of pings; we easily traced one Washington Post journalist through Arlington, Va.

In other cases, there were detours to hotels and late-night visits to the homes of prominent people. One person, plucked from the data in Los Angeles nearly at random, was found traveling to and from roadside motels multiple times, for visits of only a few hours each time.

While these pointillist pings don’t in themselves reveal a complete picture, a lot can be gleaned by examining the date, time and length of time at each point.

Large data companies like Foursquare — perhaps the most familiar name in the location data business — say they don’t sell detailed location data like the kind reviewed for this story but rather use it to inform analysis, such as measuring whether you entered a store after seeing an ad on your mobile phone.

But a number of companies do sell the detailed data. Buyers are typically data brokers and advertising companies. But some of them have little to do with consumer advertising, including financial institutions, geospatial analysis companies and real estate investment firms that can process and analyze such large quantities of information. They might pay more than $1 million for a tranche of data, according to a former location data company employee who agreed to speak anonymously.

Location data is also collected and shared alongside a mobile advertising ID, a supposedly anonymous identifier about 30 digits long that allows advertisers and other businesses to tie activity together across apps. The ID is also used to combine location trails with other information like your name, home address, email, phone number or even an identifier tied to your Wi-Fi network.

The data can change hands in almost real time, so fast that your location could be transferred from your smartphone to the app’s servers and exported to third parties in milliseconds. This is how, for example, you might see an ad for a new car some time after walking through a dealership.

That data can then be resold, copied, pirated and abused. There’s no way you can ever retrieve it.

Location data is about far more than consumers seeing a few more relevant ads. This information provides critical intelligence for big businesses. The Weather Channel app’s parent company, for example, analyzed users’ location data for hedge funds, according to a lawsuit filed in Los Angeles this year that was triggered by Times reporting. And Foursquare received much attention in 2016 after using its data trove to predict that after an E. coli crisis, Chipotle’s sales would drop by 30 percent in the coming months. Its same-store sales ultimately fell 29.7 percent.

Much of the concern over location data has focused on telecom giants like Verizon and AT&T, which have been selling location data to third parties for years. Last year, Motherboard, Vice’s technology website, found that once the data was sold, it was being shared to help bounty hunters find specific cellphones in real time. The resulting scandal forced the telecom giants to pledge they would stop selling location movements to data brokers.

Yet no law prohibits them from doing so.

[…]

If this information is so sensitive, why is it collected in the first place?

For brands, following someone’s precise movements is key to understanding the “customer journey” — every step of the process from seeing an ad to buying a product. It’s the Holy Grail of advertising, one marketer said, the complete picture that connects all of our interests and online activity with our real-world actions.

Once they have the complete customer journey, companies know a lot about what we want, what we buy and what made us buy it. Other groups have begun to find ways to use it too. Political campaigns could analyze the interests and demographics of rally attendees and use that information to shape their messages to try to manipulate particular groups. Governments around the world could have a new tool to identify protestors.

Pointillist location data also has some clear benefits to society. Researchers can use the raw data to provide key insights for transportation studies and government planners. The City Council of Portland, Ore., unanimously approved a deal to study traffic and transit by monitoring millions of cellphones. Unicef announced a plan to use aggregated mobile location data to study epidemics, natural disasters and demographics.

For individual consumers, the value of constant tracking is less tangible. And the lack of transparency from the advertising and tech industries raises still more concerns.

Does a coupon app need to sell second-by-second location data to other companies to be profitable? Does that really justify allowing companies to track millions and potentially expose our private lives?

Data companies say users consent to tracking when they agree to share their location. But those consent screens rarely make clear how the data is being packaged and sold. If companies were clearer about what they were doing with the data, would anyone agree to share it?

What about data collected years ago, before hacks and leaks made privacy a forefront issue? Should it still be used, or should it be deleted for good?

If it’s possible that data stored securely today can easily be hacked, leaked or stolen, is this kind of data worth that risk?

Is all of this surveillance and risk worth it merely so that we can be served slightly more relevant ads? Or so that hedge fund managers can get richer?

The companies profiting from our every move can’t be expected to voluntarily limit their practices. Congress has to step in to protect Americans’ needs as consumers and rights as citizens.

Until then, one thing is certain: We are living in the world’s most advanced surveillance system. This system wasn’t created deliberately. It was built through the interplay of technological advance and the profit motive. It was built to make money. The greatest trick technology companies ever played was persuading society to surveil itself.

Source: Opinion | Twelve Million Phones, One Dataset, Zero Privacy – The New York Times

267 Million Phone Numbers & Facebook User IDs Exposed Online

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication.

Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.

[…]

Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.

Timeline of the exposure

The database was exposed for nearly two weeks before access was removed.

[…]

In total 267,140,436 records were exposed. Most of the affected users were from the United States. Diachenko says all of them seem to be valid. Each contained:

  • A unique Facebook ID
  • A phone number
  • A full name
  • A timestamp

Source: Report: 267 Million Phone Numbers & Facebook User IDs Exposed Online

Airbnb is a platform not an estate agent, says Europe’s top court – means they don’t have to collect taxes for counties either

Airbnb will be breathing a sigh of relief today: Europe’s top court has judged it to be an online platform, which merely connects people looking for short-term accommodation, rather than a full-blown estate agent.

The ruling may make it harder for the “home sharing” platform to be forced to comply with local property regulations — at least under current regional rules governing e-commerce platforms.

The judgement by the Court of Justice of the European Union (CJEU) today follows a complaint made by a French tourism association, AHTOP, which had argued Airbnb should hold a professional estate agent licence. And, that by not having one, the platform giant was in breach of a piece of French legislation known as the “Hoguet Law.”

However, the court disagreed — siding with Airbnb’s argument that its business must be classified as an “information society service” under EU Directive 2000/31 on electronic commerce.

Commenting on the ruling in a statement, Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo, told us: “The Court’s finding that online platforms that facilitate the provision of short-term accommodation services, such as Airbnb, qualify as providers of ‘information society services’ entails strict limitations on the ability to introduce or enforce restrictive measures on similar services by a Member State other than that in whose territory the relevant service provider is established.”

Source: Airbnb is a platform not an estate agent, says Europe’s top court | TechCrunch

Amsterdam was hoping to make Airbnb collect tourist taxes too, which the county of Amsterdam will now have to do themselves. Also, Amsterdam – a 100% tourist city – is now whining that it doesn’t want tourists any more and is blaming Airbnb for having them.

IBM Research Created a New Battery That Outperforms Lithium-Ion, uses seawater instead of nickel and lithium

Scientists at IBM Research have developed a new battery whose unique ingredients can be extracted from seawater instead of mining.

The problems with the design of current battery technologies like lithium-ion are well known, we just tend to turn a blind eye when it means our smartphones can run for a full day without a charge. In addition to lithium, they require heavy metals like cobalt, manganese, and nickel which come from giant mines that present hazards to the environment, and often to those doing the actual mining. These metals are also a finite resource, and as more and more devices and vehicles switch to battery power, their availability is going to decrease at a staggering pace.

As a potential solution, scientists at IBM Research’s Battery Lab came up with a new design that replaces the need for cobalt and nickel in the cathode, and also uses a new liquid electrolyte (the material in a battery that helps ions move from one end to the other) with a high flash point. The combination of the new cathode and the electrolyte materials was also found to limit the creation of lithium dendrites which are spiky structures that often develop in lithium-ion batteries that can lead to short circuits. So not only would this new battery have less of an impact on the environment to manufacture, but it would also be considerably safer to use, with a drastically reduced risk of fire or explosions.

But the benefits of IBM Research’s design don’t stop there. The researchers believe the new battery would have a larger capacity than existing lithium-ion batteries, could potentially charge to about 80 percent of its full capacity in just five minutes, would be more energy-efficient, and, on top of it all, it would be cheaper to manufacture which in turn means they could help reduce the cost of gadgets and electric vehicles. These results are estimations based on how the battery has performed in the lab so far, but IBM Research is teaming up with companies like Mercedes-Benz Research and Development to further explore this technology, so it will be quite a few years before you’re able to feel a little less guilty about your smartphone addiction.

Source: IBM Research Created a New Battery That Outperforms Lithium-Ion

A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users – Really, just don’t get one of these things!

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

Using the log-in email and password, an intruder could access a Ring customer’s home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.

Source: A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users

HP loses appeal vs 123inkt for suddenly borking non-HP ink cartridges in their printer with a software update

HP is being held liable for damages to 123inkt customers who bought the ink cartridges which they suddenly couldn’t use any more. From personal experience I know how annoying this is as several printers have started doing very sketchy things suddenly which were magically ‘fixed’ by inserting HP ink cartridges. It’s ink, people, there’s no way that another’s ink could break a printer.

Source: HP verliest hoger beroep Stichting 123inkt-huismerk klanten – Emerce

We Tested Ring’s Security. It’s Awful

It’s not so much being watched. It’s that I don’t really know if I’m being watched or not.

From across the other side of the world, a colleague has just accessed my Ring account, and in turn, a live-feed of a Ring camera in my apartment. He sent a screenshot of me stretching, getting ready for work. Then a second colleague accessed the camera from another country, and started talking to me through the Ring device.

“Joe can you tell I’m watching you type,” they added in a Slack message. The blue light which signals someone is watching the camera feed faded away. But I still couldn’t shake the feeling that someone may be tuning in. I went into another room.

[…]

Last week a wave of local media reports found hackers harassed people through Ring devices. In one case a hacker taunted a child in Mississippi, in another someone hurled racist insults at a Florida family. Motherboard found hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring abuse on their own so-called podcast dubbed “NulledCast.”

In response to the hacks, Ring put much of the blame for these hacks on its users in a blog post Thursday.

“Customer trust is important to us, and we take the security of our devices and service extremely seriously. As a precaution, we highly encourage all Ring users to follow security best practices to ensure your Ring account stays secure,” it said. To be clear, a user who decides to use a unique password on their Ring device and two-factor authentication is going to be safer than one who is reusing previously hacked credentials from another website. But rather than implementing its own safeguards, Ring is putting this onus on users to deploy security best practices; time and time again we’ve seen that people using mass-market consumer devices aren’t going to know or implement robust security measures at all times.

Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in—entirely common security measures across a wealth of online services.

[…]

A Ring account is not a normal online account. Rather than a username and password protecting messages or snippets of personal information, such as with, say, a video game account, breaking into a Ring account can grant access to exceptionally intimate and private parts of someone’s life and potentially puts their physical security at risk. Some customers install these cameras in their bedrooms or those of their children. Through an issue in the way a Ring-related app functions, Gizmodo found these cameras are installed all across the country. Someone with access can hear conversations and watch people, potentially without alerting the victims that they are being spied on. The app displays a user-selected address for the camera, and the live feed could be used to determine whether the person is home, which could be useful if someone were, for example, planning a robbery. Once a hacker has broken into the account, they can watch not only live streams of the camera, but can also silently watch archived video of people—and families—going about their days.

Source: We Tested Ring’s Security. It’s Awful – VICE
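The two safeguards the article says Ring lacked (checking a login from an unknown IP address and showing an account's current sessions), together with a simple signal for the credential-reuse runs it describes, as an added example that is not from the article or from Ring. The log format, thresholds, account names and addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values for this example, not taken from the article.
STUFFING_WINDOW = timedelta(minutes=10)
STUFFING_ACCOUNTS = 3  # distinct accounts tried from one IP inside the window


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    account: str
    ip: str
    success: bool


def parse(line):
    """Parse one constructed log line: '<iso-time> <account> <ip> <ok|fail>'."""
    ts, account, ip, outcome = line.split()
    return LoginEvent(datetime.fromisoformat(ts), account, ip, outcome == "ok")


def review_logins(events, known_ips):
    """Return (step_up, stuffing_ips, sessions).

    step_up      -- successful logins from an IP the account has never used;
                    these should be held until the owner confirms them.
    stuffing_ips -- IPs that tried many different accounts in a short window,
                    the pattern left by replaying leaked credential lists.
    sessions     -- per-account session list the owner could be shown.
    """
    attempts = defaultdict(list)  # ip -> [(ts, account)] inside the window
    step_up, stuffing_ips = [], set()
    sessions = defaultdict(list)

    for ev in sorted(events, key=lambda e: e.ts):
        # Keep only this IP's attempts that are still inside the window.
        recent = [(t, a) for t, a in attempts[ev.ip]
                  if ev.ts - t <= STUFFING_WINDOW]
        recent.append((ev.ts, ev.account))
        attempts[ev.ip] = recent
        if len({a for _, a in recent}) >= STUFFING_ACCOUNTS:
            stuffing_ips.add(ev.ip)

        if not ev.success:
            continue
        if ev.ip in known_ips.get(ev.account, set()):
            sessions[ev.account].append((ev.ip, "trusted"))
        else:
            # Correct password, unfamiliar address: require a second check.
            step_up.append((ev.account, ev.ip))
            sessions[ev.account].append((ev.ip, "held"))

    return step_up, stuffing_ips, dict(sessions)


# Constructed sample data (documentation IP ranges, example.com accounts).
SAMPLE_LOG = """\
2019-12-17T08:00:05 alice@example.com 192.0.2.10 ok
2019-12-17T09:14:00 bob@example.com 203.0.113.7 fail
2019-12-17T09:14:02 carol@example.com 203.0.113.7 fail
2019-12-17T09:14:03 alice@example.com 203.0.113.7 ok
2019-12-17T09:20:00 bob@example.com 198.51.100.4 ok
"""
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.10"},
    "bob@example.com": {"198.51.100.4"},
}


def demo():
    events = [parse(line) for line in SAMPLE_LOG.splitlines()]
    return review_logins(events, KNOWN_IPS)


if __name__ == "__main__":
    held, noisy, active = demo()
    print("hold for verification:", held)
    print("possible credential stuffing from:", sorted(noisy))
    for account, entries in active.items():
        print(account, entries)
```

In the sample, the reused password for alice succeeds from an address that also tried two other accounts within seconds, so the login is held and the source IP is flagged.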

Private equity buys Lastpass owner LogMeIn – will they start monetising your logins?

Remote access, collaboration and password manager provider LogMeIn has been sold to a private equity outfit for $4.3bn.

A consortium led by private equity firm Francisco Partners (along with Evergreen, the PE arm of tech activist investor Elliott Management), will pay $86.05 in cash for each LogMeIn share – a 25 per cent premium on prices before talk about the takeover surfaced in September.

LogMeIn’s board of directors is in favour of the buy. Chief executive Bill Wagner said the deal recognised the value of the firm and would provide for: “both our core and growth assets”.

The sale should close in mid-2020, subject to the usual shareholder and regulatory hurdles. LogMeIn also has 45 days to look at alternative offers.

In 2018 LogMeIn made revenues of $1.2bn and profits of $446m.

The company runs a bunch of subsidiaries which offer collaboration software and web meetings products, virtual telephony services, remote technical support, and customer service bots as well as several identity and password manager products.

LogMeIn bought LastPass, which now claims 18.6 million users, for $110m in 2015. That purchase raised concerns about exactly how LastPass’s new owner would exploit the user data it held, and today’s news is unlikely to allay any of those fears.

The next year, LogMeIn merged with Citrix’s GoTo business, a year after its spinoff.

Source: Log us out: Private equity snaffles Lastpass owner LogMeIn • The Register

Amazon, Apple, Google, and the Zigbee Alliance joined together to form working group to develop open standard for smart home devices

Amazon, Apple, Google, and the Zigbee Alliance joined together to promote the formation of the Working Group. Zigbee Alliance board member companies IKEA, Legrand, NXP Semiconductors, Resideo, Samsung SmartThings, Schneider Electric, Signify (formerly Philips Lighting), Silicon Labs, Somfy, and Wulian are also on board to join the Working Group and contribute to the project.

The goal of the Connected Home over IP project is to simplify development for manufacturers and increase compatibility for consumers. The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use. By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

The industry Working Group will take an open-source approach for the development and implementation of a new, unified connectivity protocol. The project intends to use contributions from market-tested smart home technologies from Amazon, Apple, Google, Zigbee Alliance, and others. The decision to leverage these technologies is expected to accelerate the development of the protocol, and deliver benefits to manufacturers and consumers faster.

The project aims to make it easier for device manufacturers to build devices that are compatible with smart home and voice services such as Amazon’s Alexa, Apple’s Siri, Google’s Assistant, and others. The planned protocol will complement existing technologies, and Working Group members encourage device manufacturers to continue innovating using technologies available today.

Source: Project Connected Home over IP

Camouflage made of quantum material could hide you from infrared cameras

Infrared cameras detect people and other objects by the heat they emit. Now, researchers have discovered the uncanny ability of a material to hide a target by masking its telltale heat properties.

The effect works for a range of temperatures that one day could include humans and vehicles, presenting a future asset to stealth technologies, the researchers say.

What makes the material special is its quantum nature—properties that are unexplainable by classical physics. The study, published today in the Proceedings of the National Academy of Sciences, is one step closer to unlocking the quantum material’s full potential.

The work was conducted by scientists and engineers at the University of Wisconsin-Madison, Harvard University, Purdue University, the Massachusetts Institute of Technology and Brookhaven National Laboratory.

Fooling infrared cameras is not new. Over the past few years, researchers have developed other materials made of graphene and black silicon that toy with , also hiding objects from cameras.

But how the quantum material in this study tricks an infrared camera is unique: it decouples an object’s temperature from its thermal light radiation, which is counterintuitive based on what is known about how materials behave according to fundamental physics laws. The decoupling allows information about an object’s temperature to be hidden from an infrared camera.

The discovery does not violate any laws of physics, but suggests that these laws might be more flexible than conventionally thought.

Quantum phenomena tend to come with surprises. Several properties of the material, samarium oxide, have been a mystery since its discovery a few decades ago.

Shriram Ramanathan, a professor of materials engineering at Purdue, has investigated samarium nickel oxide for the past 10 years. Earlier this year, Ramanathan’s lab co-discovered that the material also has the counterintuitive ability to be a good insulator of electrical current in low-oxygen environments, rather than an unstable conductor, when oxygen is removed from its molecular structure.

Additionally, samarium nickel oxide is one of a few materials that can switch from an insulating phase to a conducting phase at high temperatures. University of Wisconsin-Madison researcher Mikhail Kats suspected that materials with this property might be capable of decoupling temperature and thermal radiation.

“There is a promise of engineering thermal radiation to control heat transfer and make it either easier or harder to identify and probe objects via infrared imaging,” said Kats, an associate professor of electrical and computer engineering.

Ramanathan’s lab created films of samarium nickel oxide on sapphire substrates to be compared with reference materials. Kats’ group measured spectroscopic emission and captured infrared images of each material as it was heated and cooled. Unlike other materials, samarium nickel oxide barely appeared hotter when it was heated up and maintained this effect between 105 and 135 degrees Celsius.

“Typically, when you heat or cool a material, the electrical resistance changes slowly. But for samarium nickel oxide, resistance changes in an unconventional manner from an insulating to a conducting state, which keeps its thermal light emission properties nearly the same for a certain temperature range,” Ramanathan said.

Because thermal light emission doesn’t change when temperature changes, that means the two are uncoupled over a 30-degree range.

According to Kats, this study paves the way for not only concealing information from infrared cameras, but also for making new types of optics and even improving infrared cameras themselves.

“We are looking forward to exploring this material and related nickel oxides for infrared components such as tunable filters, optical limiters that protect sensors, and new sensitive light detectors,” Kats said.

More information: Temperature-independent thermal radiation, Proceedings of the National Academy of Sciences (2019). DOI: 10.1073/pnas.1911244116, https://www.pnas.org/content/early/2019/12/16/1911244116, https://arxiv.org/abs/1902.00252

Source: Camouflage made of quantum material could hide you from infrared cameras

Your Modern Car Is A Privacy Nightmare

Next time you feel the need to justify to a family member, friend, or random acquaintance why you drive an old shitbox instead of a much more comfortable, modern vehicle, here’s another reason for you to trot out: your old shitbox, unlike every modern car, is not spying on you.

That’s the takeaway from a Washington Post investigation that hacked into a 2017 Chevy Volt to see what data the car hoovers up. The answer is: yikes.

From the Post:

Among the trove of data points were unique identifiers for my and Doug’s [the car’s owner] phones, and a detailed log of phone calls from the previous week. There was a long list of contacts, right down to people’s address, emails and even photos.

In our Chevy, we probably glimpsed just a fraction of what GM knows. We didn’t see what was uploaded to GM’s computers, because we couldn’t access the live OnStar cellular connection.

And it’s not just Chevy:

Mason has hacked into Fords that record locations once every few minutes, even when you don’t use the navigation system. He’s seen German cars with 300-gigabyte hard drives — five times as much as a basic iPhone 11. The Tesla Model 3 can collect video snippets from the car’s many cameras. Coming next: face data, used to personalize the vehicle and track driver attention.

Perhaps most troublingly, GM wouldn’t even share with the car’s owner what data about him it collected and shared.

And for what? Why are automakers collecting all this information about you? The short answer is they have no idea but are experimenting with the dumbest possible uses for it:

Automakers haven’t had a data reckoning yet, but they’re due for one. GM ran an experiment in which it tracked the radio music tastes of 90,000 volunteer drivers to look for patterns with where they traveled. According to the Detroit Free Press, GM told marketers that the data might help them persuade a country music fan who normally stopped at Tim Horton’s to go to McDonald’s instead.

That’s right, it wants to collect as much information about you as possible so it can take money from fast-food restaurants to target people who like a certain type of music, which is definitely, definitely a real indicator of what type of fast food restaurant you go to.

You should check out the entire investigation, as there are a lot of other fascinating bits in there, like what can be learned about a used infotainment system bought on eBay.

One point the article doesn’t mention, but that I think is important, is how badly this bodes for the electric future, since pretty much by definition every electric car must have at least some form of a computer. Unfortunately, making cars is hard and expensive so it’s unlikely a new privacy-focused electric automaker will pop up any time soon. I mean, hell, we barely even have privacy-focused phones.

Privacy or environmentally friendly: choose one. The future, it is trash.

Source: Your Modern Car Is A Privacy Nightmare

Remember Unrollme, the biz that helped you automatically ditch unwanted emails? Yeah, it was selling your data, even though it said it wouldn’t

If you were one of the millions of people that signed up with Unrollme to cut down on the emails from outfits you once bought a product from, we have some bad news for you: it has been storing and selling your data.

On Tuesday, America’s Federal Trade Commission finalized a settlement [PDF] with the New York City company, noting that it had deceived netizens when it promised not to “touch” people’s emails when they gave it permission to unsubscribe from, block, or otherwise get rid of marketing mailings they didn’t want.

It did touch them. In fact, it grabbed copies of e-receipts sent to customers after they’d bought something – often including someone’s name and physical address – and provided them to its parent company, Slice Technologies. Slice then used the information to compile reports that it sold to the very businesses people were trying to escape from.

Huge numbers of people signed up with Unrollme as a quick and easy way to cut down on the endless emails consumers get sent when they either buy something on the web, or provide their email address in-store or online. It can be time-consuming and tedious to click “unsubscribe” on emails as they come into your inbox, so Unrollme combined them in a single daily report with the ability to easily remove emails. This required granting Unrollme access to your inbox.

As the adage goes, if a product is free, you are the product. And so it was with Unrollme, which scooped up all that delicious data from people’s emails and provided it to Slice, where it was then stored and compiled into market research analytics products that Slice sold.

And before you get all told-you-so and free-market about it, consider this: Unrollme knew that a significant number of potential customers would drop out of the sign-up process as soon as they were informed that the company would require access to their email account, and so it wooed them by making a series of comforting statements about how it wouldn’t actually do anything with that access.

Examples?

Here’s one: “You need to authorize us to access your emails. Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff.”

Source: Remember Unrollme, the biz that helped you automatically ditch unwanted emails? Yeah, it was selling your data • The Register