Data Digest № 019
Google’s GDPR Secret Uncovered
The evidence provided by Dr. Johnny Ryan, which has now been submitted to an investigation by the Irish Data Protection Commission, shows six different sites pushing his “identifier”, which contained the phrase “google_push”, after just one hour of browsing on Google Chrome. Google hid the practice in two ways. First, Google creates a blank page, which the user never sees, for third parties to spy on the user. Second, this activity is invisible even when the user consults their browsing log. If further analysis proves a systematic practice by Google, the practice under investigation could constitute one of the largest leakages of personal data ever recorded. By placing the data protection of its real-time bidding (RTB) system into the hands of thousands of companies it operates with, Google has built a shockingly frail and vulnerable security system.
Brave uncovers Google’s GDPR workaround
Facebook Breach Of Users’ Phone Numbers Found Online
The latest security lapse from Facebook has exposed a server that contained 419 million individual records over several databases. The incident made millions of users’ phone numbers vulnerable to attack simply by their Facebook IDs. This put them at significant risk of spam calls and SIM swapping attacks, which rely on tricking cell carriers into giving a person’s phone number to an attacker. With the phone number, the attacker can force-reset a password on any internet account that’s associated with the number. Some records included the user’s name, gender and country location. The breach was found by Sanyam Jain, a security researcher and member of the GDI Foundation, who contacted TechCrunch when he couldn’t find the owner of the database. A Facebook spokesperson said that they “have seen no evidence that the Facebook accounts were compromised”; however, questions pertaining to why, when and where the data was scraped remain unanswered. This is just one of many huge data exposure attacks that Facebook has been involved in recently. It represents a larger emerging security problem in the way that we store, share and protect our data online. Time and time again, large corporations have shown that they can’t be relied on to protect the personal data we share with them, even if it could result in identity theft or other seriously harmful outcomes for the user. The only real solution to this ever more central problem is for us to move to a decentralized Web 3 infrastructure, where individuals keep their own data securely in their own Datawallets.
A huge database of Facebook users’ phone numbers found online – TechCrunch
YouTube Fined $170 Million For Collecting Children’s Personal Data
The Federal Trade Commission (FTC) has fined Google a depressingly low $170 million to “settle” allegations that YouTube harvested millions of children’s personal data, essentially encouraging further privacy violations. Considering the revenue of $136.8bn last year from Google’s parent company Alphabet, the levied fine is a mere slap on the wrist, if that. Katharina Kopp, the deputy director of the Center for Digital Democracy, said in a statement, “A small amount like this would effectively reward Google for engaging in massive and illegal data collection without any regard to children’s safety.” The small settlement fine holds little accountability for the extremely lucrative and jeopardizing actions of YouTube, violating the privacy and safety of children. Even with the settlement fine, YouTube is still significantly profiting off its lawbreaking activity. Even with new privacy regulations, if corporations aren’t receiving painful fines, it seems they will not stop their current behavior of maximizing their profits no matter the cost. Google and Facebook were also notably absent from the recent statement by the Business Roundtable that maximizing shareholder value should not be the only goal of a corporation.
YouTube fined $170m for collecting children's personal data
Facebook Releases Face Recognition Opt-In
On Tuesday, Facebook announced the release of its new Face Recognition privacy setting, making facial recognition opt-in rather than opt-out, which should roll out globally in the next few weeks. If you opt in to Face Recognition, Facebook will notify you if someone uploads a photo of you, even if you haven’t been tagged. You can then tag yourself, remain untagged or report the photo if you want it taken off Facebook. The new setting will replace Tag Suggestions; it is also more explicit that facial recognition is taking place as photos are uploaded to Facebook. In the past, Facebook got into legal trouble for not disclosing their facial recognition practices. Facebook lost a federal appeal in August following the collection and storing of biometric data without user consent. In the face of a hefty fine of billions of dollars, their pursuit of more transparency feels much less courageous. The change to opt-in is a step in the right direction nonetheless.
Facebook will no longer scan user faces by default
Mental Health Data Sold To Advertisers
A report from Privacy International about the data exploitation by online mental health services found that a staggering 76.04% of the mental health web pages contained third-party trackers for advertising and marketing purposes. The study revealed that the health services that attract people at their most vulnerable are selling on their health information as a commodity rather than protecting their confidentiality. From the 75%+ of web pages analyzed that embed marketing trackers (some of which engage in RTB) to depression tests that shared answers with third parties, the report shows that many mental health websites don’t take the privacy of their visitors as seriously as they should, especially given that health data is classified as special category data, which is strictly regulated under Europe’s GDPR and requires explicit consent from the user. Privacy International found that Google trackers were almost impossible to escape from, active on over 87.8% of the web pages in France, 84.09% in Germany and 92.16% in the UK. Facebook came second in the most invasive third-party trackers with 48.78% of all French web pages analyzed sharing data with Facebook; 22.73% for Germany; and 49.02% for the UK. And Amazon came third, with a strong presence in the mental health web pages analyzed. With RTB subject to multiple complaints in Europe, this new information on the usage of sensitive mental health data that is being sucked up into bid requests and put about at insecure scale, where it could pose a serious risk to individuals’ rights and freedoms, should create more urgency with regulators.
Mental health websites in Europe found sharing user data for ads – TechCrunch
More Facescan Privacy Issues
Another convincing deepfake app goes viral prompting immediate privacy backlash
What I'm Reading:
The World’s First Ambassador to the Tech Industry (Published 2019)
19 million Canadians have had their data breached in eight months
Consent removed from Australia's proposed data-sharing legislation | ZDNet
Google is helping to power a US immigration cloud project, new documents show
Serafin