DatawalletDatawallet

Data Digest № 019

Data Digest ¦ September 8th, 2019, 11:00 pm

Welcome to the 19th edition of the Data Digest, where I sum up the most important happenings in the data industry. This week: Google’s GDPR workaround is revealed, huge Facebook and Youtube data mishaps, Facebook turns on opt-in for facial recognition, mental health data is sold to advertisers, more face-scan privacy policy issues, and more. Enjoy!

Google’s GDPR Secret Uncovered

This week, Dr. Johnny Ryan (Chief Policy & Industry Relations Officer at Brave), uncovered a “surreptitious mechanism” with Google’s “DoubleClick/Authorized Buyers” ad system ― found to be active on 8.4+ million websites. The evidence reveals that Google not only allowed parties to use “Google identifiers”, but also allowed those parties to further match their identifiers with each other in order to define data subjects. This system broadcasts personal data of its visitors to over 2000 companies, “hundreds of billions of times a day”. The data includes a user’s inferred religious, sexual and political characteristics, everything they’re reading, watching, searching for and listening to, plus their location. Circumventing the GDPR, Google’s suspicious activities have undermined their own privacy policy, and have raised accusations that the company is exploiting user’s personal information without control over its safety or whereabouts. Once this information has been broadcast there is no control over who has access or what happens to it.

The evidence provided by Dr. Johnny Ryan, which has now been submitted to an investigation by the Irish Data Protection Commission, found six different sites pushing his “identifier”, which contained the phrase “google_push” after just one hour of browsing on Google Chrome. Google hid the practice in two ways: first, Google creates a blank page that the user never sees for third parties to spy on the user. Second, this activity is invisible even when the user consults their browsing log. If further analysis proves a systematic practice by Google, this investigation could constitute one of the largest leakages of personal data ever recorded. The fact that Google places the data protection of its real-time bidding system (RTB) into the hands of thousands of companies it operates with is a shockingly frail and vulnerable security system.

Brave uncovers Google’s GDPR workaround

Brave presents new RTB evidence, and has uncovered a mechanism by which Google appears to be circumventing its purported GDPR privacy protections.
brave.com

Facebook Breach Of Users’ Phone Numbers Found Online

The latest security lapse from Facebook has exposed a server that contained 419 million individual records over several databases. The incident made millions of users’ phone numbers vulnerable to attack simply by their Facebook IDs. This put them at significant risk of spam calls and SIM swapping attacks, that rely on tricking cell carriers into giving a person’s phone number to an attacker. With the phone number, the attacker can force-reset a password on any internet account that’s associated with the number. Some records included the user’s name, gender and country location. The breach was found by Sanyam Jain, a security researcher and member of the GDI Foundation, who contacted TechCrunch when he couldn’t find the owner of the database. A Facebook spokesperson said that they “have seen no evidence that the Facebook accounts were compromised”, however, questions pertaining to why, when and where the data was scraped remain unanswered. This is just one of many huge data exposure attacks that Facebook has been involved in recently. It represents a larger emerging security problem in the way that we store, share and protect our data online. Time and time again, large corporations have shown that they can’t be relied on to protect the personal data we share with them, even if it could result in identity theft or other seriously harmful outcomes for the user. The only real solution to this evermore central problem can only be solved with us moving to a decentralized Web 3 infrastructure, where individuals keep their own data securely in their own Datawallets.

A huge database of Facebook users’ phone numbers found online – TechCrunch

Hundreds of millions of phone numbers linked to Facebook accounts have been found online. The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K…
techcrunch.com

YouTube Fined $170 Million For Collecting Children’s Personal Data

The Federal Trade Commision (FTC) has fined Google a depressingly low $170 million to “settle” allegations that YouTube harvested millions of children’s personal data, essentially encouraging further privacy violations. Considering the revenue of $136.8bn last year from Google’s parent company Alphabet, the levied find is a mere slap on the wrist, if that. Katharina Kopp, the deputy director of the Center for Digital Democracy said in a statement, “A small amount like this would effectively reward Google for engaging in massive and illegal data collection without any regard to children’s safety,”. The small settlement fine holds little accountability for the extremely lucrative and jeopardizing actions of YouTube, violating the privacy and safety of children. Even with the settlement fine, YouTube is still significantly profiting off their lawbreaking activity. Even with new privacy regulations, if corporations aren’t receiving painful fines, it seems they will not stop their current behavior of maximizing their profits no matter the cost. Google and Facebook were also notably absent from the recent statement by the Business Roundtable that maximizing shareholder value should not be the only goal of a corporation.

YouTube fined $170m for collecting children's personal data

FTC has fined Google $136m and company will pay an additional $34m to New York state to resolve similar allegations
www.theguardian.com

Facebook Releases Face Recognition Opt-In

On Tuesday, Facebook announced the release of its new Face Recognition privacy setting making facial recognition opt-in rather than opt-out, which should roll out globally in the next few weeks. If you opt-in for Face Recognition, Facebook will notify you if someone uploads a photo of you, even if you haven’t been tagged. You can then tag yourself, remain untagged or report the photo if you want it taken off Facebook. The new setting will replace Tag Suggestions, however, it also is more explicit in that facial recognition is taking place as photos are uploaded to Facebook. In the past, Facebook got into legal trouble for not disclosing their facial recognition practices. Facebook lost a federal appeal in August following the collection and storing of biometric data without user consent. In the face of a hefty fine for billions of dollars, their pursuit of more transparency feels much less courageous. The change to opt-in is a step in the right direction nonetheless.

Facebook will no longer scan user faces by default

It will roll out the Face Recognition privacy setting globally over the next several weeks
www.theverge.com

Mental Health Data Sold To Advertisers

report from Privacy International about the data exploitation by online mental health services found that a staggering 76.04% of the mental health web pages contained third-party trackers for advertising and marketing purposes. The study revealed the health services that attract people at their most vulnerable, are selling on their health information as a commodity rather than protecting their confidentiality. Of the 75%+ web pages analyzed that embed marketing trackers (some of which engage in RTB), to depression tests that shared answers with third parties, the report shows that many mental health websites don’t take the privacy of their visitors as seriously as they should. Especially, given that health data is classified as special category data, which is strictly regulated under Europe’s GDPR and requires explicit consent from the user. Privacy International found that Google trackers were almost impossible to escape from, active on over 87.8% of the web pages in France, 84.09% in Germany and 92.16% in the UK. Facebook came second in the most invasive third-party trackers with 48.78% of all French web pages analyzed sharing data with Facebook; 22.73% for Germany; and 49.02 % for the UK. And Amazon came third, with a strong presence in the mental health web pages analyzed. With RTB subject to multiple complaints in Europe, this new information on the usage of sensitive mental health data that is being sucked up into bid requests and put about at insecure scale — where it could pose a serious risk to individuals’ rights and freedoms — should create more urgency with regulators.

Mental health websites in Europe found sharing user data for ads – TechCrunch

Research by a privacy rights advocacy group has found popular mental health websites in the EU are sharing users’ sensitive personal data with advertisers. Europeans going online to seek support with mental health issues are having sensitive health data tracked and passed to third parties, ac…
techcrunch.com

More Facescan Privacy Issues

Privacy policy concerns over the viral deep-fake face-swapping app Zao in China have blown up since last Friday. According to The Verge, the app “generated an almost-immediate backlash from users, who bombarded its App Store listing with thousands of negative reviews.” The privacy policy stated that Zao would receive a “free, irrevocable, permanent, transferable, and relicense-able” license to all user-generated content (reminiscent of the FaceApp privacy policy misstep we mention in Data Digest № 012). The uproar and that even WeChat restricted the app on their platform, forced the company to rethink their privacy stance, stating that they won’t use photos or videos other than for app improvements without consent. They also claim that they will erase the data from their servers when users delete the app. It’s encouraging to see that such exploitative terms will no longer be tolerated by users, and that people are becoming more mindful to clear examples of data exploitation. Controlling your data no longer has to be a one-sided policy on the terms and conditions of a company’s service.

Another convincing deepfake app goes viral prompting immediate privacy backlash

Insert your face into TV shows or movies with just a single photograph
www.theverge.com

What I'm Reading:

The World’s First Ambassador to the Tech Industry

Denmark appointed him to approach Silicon Valley as if it were a global superpower. His challenges show how smaller countries struggle to influence giant corporations.
www.nytimes.com

19 million Canadians have had their data breached in eight months

An estimated 19 million Canadians have been affected by data breaches between November 2018 and June 2019, according to numbers obtained by 'Attention Control with Kevin Newman,' a new podcast that launched Monday.
www.ctvnews.ca

Consent removed from Australia's proposed data-sharing legislation | ZDNet

The National Data Commissioner won't be able to prevent data from being shared, rather they are tasked with capabilities to 'encourage' data custodians and accredited users to 'safely and respectfully share personal information'.
www.zdnet.com

Google is helping to power a US immigration cloud project, new documents show

US Citizenship and Immigration Services has a contract for Google services.
www.theverge.com

Best,

Serafin

Get the Data Digest in your inbox