An early test of the GDPR: taking on data brokers


Major data brokers Acxiom and Oracle are among seven companies accused of violating GDPR laws on personal information privacy. Advocates hope the complaints will shed light on the opaque ways that personal data is traded through third parties online both in the EU and the US.

The General Data Protection Regulation is a sweeping personal data privacy law that came into force in late May in the EU. For the rest of the world, it’s viewed as a bellwether for whether Big Tech can be held in check when immense data leaks seem to happen with painful regularity.

Formal complaints to European regulators under the GDPR by UK non-profit Privacy International were also filed against ad-tech companies Criteo, Quantcast and Tapad as well as credit agencies Equifax (the subject of a massive breach just last year) and Experian.

“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged,” said Ailidh Callander, legal officer at Privacy International, in an email to Engadget. “These companies’ business models are premised on data exploitation.”

Data brokers aggregate personal information from other sources — for instance, websites you’ve visited or credit card records — to create a complex profile on who they think you are. That profile may include political leanings and income, and subsequently get sold to brands or social networks. Acxiom claims to have data on about 700 million people globally. Consumers often don’t hand data directly to these companies via their own websites — the way one would with, say, Facebook — which allows the data trading to operate in relative obscurity.

This alleged lack of consent is precisely what Privacy International is targeting. The non-profit also claims that these companies lack “legitimate interest” (in legal terms) for processing the personal data, which may infer political, ethnic and religious affiliations. The companies fail to comply, according to Privacy International, with the principles of “transparency, fairness, purpose limitation, data minimisation, accuracy and confidentiality and integrity” — in other words, nearly all of the new privacy law’s core foundations.

“The law has changed and these companies need to as well,” said Callander. “There is a gap between how [the] GDPR conceptualises data privacy and [how] these companies do and the onus is on them (if necessary, pushed by regulators) to close it.”

In public statements, Experian has said: “We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements.” Criteo has stated: “We have complete confidence in our privacy practices.”

Companies are still feeling out just how the law is going to be enforced, which is why test cases like this bear watching. Facebook and Google are among the other companies who have faced complaints so far. A spokesman from the Data Protection Commission in Ireland, where many American tech firms keep European headquarters, said the regulators have already received 2,500 breach notifications and 1,200 complaints related to the GDPR since May.


Cathay Pacific data breach affects up to 9.4 million customers


Cathay Pacific, the primary airline of Hong Kong known for its high-speed WiFi, was hit with a major data breach that affects up to 9.4 million passengers. The company said that personal information including passport numbers, identity card numbers, credit card numbers, frequent flyer membership program numbers, customer service comments and travel history had been compromised. No passwords were compromised, which may not be any consolation.

In a statement, Cathay Pacific said it was in the process of contacting passengers who had data exposed in the breach. For the time being, the company doesn’t believe that any of the personal data has been misused. It also stated that the credit card information compromised in the leak was either expired or incomplete and did not include CVV codes.

While word of the exposure has just been made public, Cathay Pacific copped to first spotting suspicious activity on its network back in March. The company said it took “immediate action” to contain the breach and has since patched up its information system. In May, it confirmed that personal information was accessed and then proceeded to wait five months before informing the public.

Word of the Cathay Pacific breach comes just over a month after British Airways revealed that its website was hacked. That incident affected a much smaller share of passengers — about 380,000 in total — but exposed personal and financial information including names, addresses, and credit card information.


Facebook’s confusion about its Portal camera is concerning

Facebook couldn’t have picked a worse time to introduce Portal, a camera-equipped smart display designed to make video chatting in your home easier. And, if the rumors are true, the company is reportedly also preparing to launch a video chat camera for your TV, based on the same system as Portal. News of this hardware comes at a time when Facebook is under major scrutiny after suffering a massive data breach in September, which exposed private information of 29 million users, including usernames, birth date, gender, location, religion and the devices used to browse the site. But the most concerning part about Portal is that Facebook’s own executives don’t seem to have a basic understanding of what types of data the company will be collecting or what it will be using it for.

As Recode reports, during the announcement of Portal, Facebook execs said no data collected through the hardware, such as call logs or third-party app usage, would be used to serve users targeted ads on Facebook. But, over a week later, Facebook (which has not replied to our request for comment) told the publication that this information was actually wrong.

“Portal voice calling is built on the Messenger infrastructure, so when you make a video call on Portal, we collect the same types of information (i.e. usage data such as length of calls, frequency of calls) that we collect on other Messenger-enabled devices,” a Facebook spokesperson told Recode this week. “We may use this information to inform the ads we show you across our platforms. Other general usage data, such as aggregate usage of apps, etc., may also feed into the information that we use to serve ads.”


Given that nearly 90 percent of Facebook’s revenue comes from ads, the fact that Portal would be collecting data for advertisers to sell you products or services shouldn’t come as a surprise. That’s the company’s business model in a nutshell. But, if Facebook executives don’t even know how their company is going to use their devices to serve its bottom line, especially when it includes collecting people’s information, then what hope do the rest of us have? Sure, Facebook came forward and corrected its mistake, but those facts should have been well known on day one.

Facebook’s Portal product lead, Rafa Camargo, told Recode the company doesn’t have any plans to use data collected from the device for ad-targeting purposes, since the smart display doesn’t run ads. “I think [my colleague] was intending to say that we don’t intend to use it,” he said, before adding, “Potentially, it could be used.”


Still, when you’re already under the microscope for being careless with people’s data, as Facebook is, you simply can’t afford to launch a product with this much confusion — especially when you’re launching a $199 video camera that’s going to be watching people in their home.

Facebook’s latest mishap was being hacked and exposing detailed personal information of 29 million people. But who can forget the scandal caused by the political firm Cambridge Analytica in March, which harvested data of up to 87 million users without their consent or Facebook’s knowledge? It just makes you wonder why Facebook thought anyone would trust a camera from it in their home right now.

“These devices have access to really sensitive data, even more than normal Facebook products. Persistent cameras and microphones in your house carry with them a heightened sense of privacy concern,” Justin Brookman, director of privacy and technology policy at Consumers Union, told Engadget. “The timing of this is really odd from Facebook given Cambridge Analytica and the recent massive breach. [It] promised new tools like ‘Delete History’ several months ago to allay privacy concerns, but instead of delivering on that, [it rolls out] this in-home product with access to lots of personal information.”

Brookman said part of this could be because Facebook feels like it’s getting left behind in the smart home race, by rivals like Google and Amazon. “Operating from that place of desperation and urgency,” he said, can lead to some questionable choices. But, whatever the reason may be, Facebook’s launch of Portal couldn’t be more of a tone-deaf move. And the company doesn’t help itself by creating unnecessary confusion.


WSJ: Facebook believes spammers were behind its massive data breach


More than two weeks after Facebook revealed a massive data breach, we still don’t know who was using the flaw in its site to access information on tens of millions of users. Now the Wall Street Journal reports, based on anonymous sources, that the company believes spammers perpetrated the hack in an attempt to make money via deceptive advertising.

Facebook eventually said that about 30 million people actually had their login tokens stolen (you can see if your account was among them by checking this page), and said that the attackers took account details and contact information. Still, the paper said “internal researchers” believe the people behind it are existing Facebook and Instagram spammers who claim to run a “digital marketing company.”

The lines between misinformation spread by nation-state sponsored trolls, shady analytics companies and spammers chasing trendy topics to make a buck have become increasingly blurred in recent years, so it’s difficult to know if this adds up or if we’ll ever know who exactly stole the information and where it ended up. Facebook VP Guy Rosen said on Friday that the company did not believe this attack was related to upcoming midterm elections, but other than indicating the FBI is also investigating, it hasn’t publicly said anything else about who might have done it or why.


After Math: Every robot was parkour fighting


What a week it’s been! Between Google’s Pixel 3 event, the lucky landing by the Soyuz crew, and Facebook’s latest data breach, it feels like we almost didn’t have time to talk about Waymo’s self-driving cars, Amazon’s new line of picker bots and Boston Dynamics’ gymnastic droids. But that’s where the After Math comes in.


10 million miles: Waymo’s self-driving cars have notched another milestone, having travelled a whopping 10 million test miles on public roads. Of course that figure pales against the seven billion virtual miles its control systems have been trained on.


$1.66 trillion: Even as the Pentagon gears up to invest more than a trillion dollars on next-gen weapons systems, the Government Accountability Office (GAO) released a scathing report this week, pointing out that virtually all of America’s current weapon systems are vulnerable to hacking. Though that seems like a lot of work when just about any modern despot can simply buy off the President’s support via stays in his hotel chain.


Every major telecom: Bloomberg broke a story this week suggesting that China’s Super Micro had sold hardware laden with spy chips to various US telecom companies. Each and every service provider asked about the allegations denied them but that hasn’t stopped speculation and Bloomberg is standing by its story.


$15 an hour: That’s how much less Amazon’s new generation of “picker bots” — ones designed to collect products throughout a warehouse and deliver them to a packer — will make compared to the human workers that they’re designed to replace.


29 million: What week here in Hell World would be complete without yet another announcement regarding how Facebook has compromised its users’ privacy through a combination of poor oversight and sheer incompetence? Check here to see if you’ve been impacted.


30 million: Though maybe there is an upside to this stream of data breaches. People seem to finally be taking their privacy seriously, as evidenced by the millions of internet users who now run their search requests through DuckDuckGo every day.


48 Months: That’s how long it took to develop an Atlas robot capable of taking untethered strolls through the woods to get to this parkour-playing robo-gymnast. This thing is frickin awesome.


Pentagon data breach compromises up to 30,000 workers


The Pentagon still has to grapple with data security woes despite efforts to harden its sites and networks. Defense Department officials have revealed that a travel record data breach at an unnamed contractor exposed the personal info of military and civilian staffers, including credit cards. An AP source said that this didn’t compromise classified material, but it affected “as many as” 30,000 workers. There’s a chance that number might get larger, according to the source.

It’s not certain when the intrusion took place. Department staff warned leaders on October 4th after discovering the breach, but it might have taken place earlier and gone unnoticed. The organization is contacting affected individuals in the days ahead and promises fraud protection services.

The timing is… less than ideal. The Government Accountability Office only just issued a report saying that the Defense Department had made progress on securing its networks, but was falling short in protecting weapon systems. Clearly, there’s work to be done beyond that, even if the scale isn’t as large as some high-profile government hacks. Institutions are only as secure as the vendors they use, and a flaw at one partner can have far-reaching repercussions.


Here’s how to see if you were affected by Facebook’s breach


Today, Facebook provided additional information on the data breach it disclosed last month. Whereas it initially said up to 50 million users might have been affected, it now reports that 30 million were impacted by the breach. By exploiting a system vulnerability, attackers were able to steal digital keys called access tokens from those 30 million users, and Facebook has now laid out how those users were affected. The company is also notifying those impacted, but if you don’t want to wait to be notified, you can check if your account was affected through this link.

The 30 million users whose access tokens were stolen fall into one of three categories. The attackers accessed name and contact information for around 15 million users. But for another 14 million, those behind the attack were able to access all sorts of information including username, gender, location, language, relationship status, religion, hometown, current city, birthdate, education, work, places where they checked in or were tagged, website, people or Pages followed, recent searches and device types used to access Facebook. For the final one million, though their access tokens were indeed stolen, the attackers didn’t access any of their information.

The notifications Facebook is sending out will reflect those three categories and describe what information was accessed. The company is delivering them to the top of users’ News Feeds over the next three days, but again, if you don’t want to wait, just check your status here.


Facebook says recent data breach wasn't 'related to the midterms'

Even though the number of users affected by Facebook’s most recent hack was lowered to 29 million, from 50 million, it’s still safe to say the attack was worse than originally thought. That’s because we now know that the breach, which Facebook revealed a couple of weeks ago, exposed very detailed information of 14 million of those users, including their username, birthdate, gender, location, relationship status, religion, hometown, self-reported current city, education, work, the devices they used to access Facebook and the last 10 places they checked into (or were tagged in) on the site. The attackers, whose identities Facebook won’t reveal because of an ongoing FBI investigation, were also able to view which people/Pages were followed by these 14 million users, as well as their 15 most recent searches on Facebook.

With the midterm elections in the US just around the corner, this type of information could be extremely valuable to anyone looking to interfere come November. But, during a call with reporters on Friday, Facebook’s VP of Product Management, Guy Rosen, said that the company has “no reason to believe this specific attack was related to the midterms.” He said protecting elections is a “big focus” for Facebook and that it has many teams “ensuring that we can protect the security of the upcoming elections, as well as all other elections around the world.”

Rosen, again citing the ongoing FBI investigation, said he couldn’t provide a detailed breakdown of the number of affected users by country, only going as far as saying the “attack was fairly broad.” Over the coming days, Facebook will begin alerting people whose information was exposed, which will let them know whether they were part of the 14 million or 15 million group. The latter is less severe, yet still serious, since hackers were only able to access their name and contact details, such as phone number, email or both, depending on what info they had on their profile.

“We take these incidents very, very seriously, and nothing is more important to us than the security of people’s information,” Rosen said, in response to a question about why people should continue to trust Facebook after incidents like this and the Cambridge Analytica scandal. “That’s why we’re coming forward consistently to explain what we have learned. We know adversaries will always be interested in services like ours, that’s why it’s very important for us to invest in this and to make sure that we can improve our detection capabilities and we can strengthen our defenses.”


Facebook’s recent hack exposed private information of 29 million users


Late last month, Facebook announced a data breach that affected up to 50 million of its users. The issue involved access tokens — digital keys that let people remain logged into Facebook — and a vulnerability allowed attackers to steal those tokens and hijack other users’ Facebook accounts. The company has now released an update on that report, and it says fewer people were affected than it originally thought. “Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen,” it said.

Facebook reports that for 15 million of the affected users, those behind the attack gained access to two types of information — their name and contact details such as phone numbers and email addresses. For 14 million users, attackers accessed much more information including name and contact info as well as other profile details like username, gender, location, language, relationship status, religion, hometown, current city, birthdate, education, work, places where they checked in or were tagged, website, people or Pages followed, recent searches and device types used to access Facebook.

For the final one million users whose access tokens were stolen, the attackers didn’t access any of their information.

Facebook notes that the breach didn’t affect its other products, like Messenger, Messenger Kids, Instagram, WhatsApp, Oculus or Workplace. The attack also didn’t include features such as Pages, payments and advertising or developer accounts or any third-party apps. Facebook will continue to investigate the matter and it says it’s looking into “the possibility of smaller-scale attacks,” though it didn’t elaborate on what those might entail.

It’s still working with the FBI, FTC and other authorities as it investigates the breach. It will also notify the 30 million people whose access tokens were stolen, providing them with more details about what information might have been accessed and what they can do to protect themselves from suspicious contact going forward.



Germany is investigating the Google+ data exposure


Yesterday Google disclosed that it had inadvertently exposed Google+ users’ personal data and that up to 500,000 accounts might have been affected. But the issue, which was discovered in March, was kept under wraps — a decision Google said was made because there was no evidence that the data had been misused and no way to fully determine which users were affected. However, it appears that concerns over regulatory scrutiny and bad press may have played into that decision as well. Well now the company is being put under that magnifying glass it had been looking to avoid, as Germany’s data protection commissioner has announced an investigation into the incident.

Bloomberg reports that the official, Johannes Caspar, says his agency is looking into the matter, but at this point he has received no additional information from Google. Ireland’s privacy regulator is reportedly seeking information from the company as well. While Europe’s rigorous GDPR protections would have required a different handling of the situation and could have landed Google some hefty fines, the exposure and fix occurred prior to those regulations being put into place and Google will, therefore, likely not be punished under them.

In light of the discovery, Google has introduced new data protection measures and will shut down the consumer version of Google+ in the coming months.
