Data Digest № 023
Welcome to the 23rd edition of the Data Digest, where I summarize the most important events in the data industry. This week: I spoke on CNBC about data privacy and control in light of Twitter “inadvertently” misusing personal information for advertising, California’s AG finally released the draft rules for the CCPA, the personal data of 92 million Brazilians was auctioned on an underground forum, Russian meddling in the 2016 election spread further than previously thought, Brexit is predicted to hinder the UK’s data sharing, a court ruled that the FBI violated Americans’ privacy rights with its searches of NSA surveillance data, and more. Enjoy!
Last week, I had the honor of being interviewed on CNBC’s “Squawk Alley” again, this time live from their NYSE studio. We talked about what we do at Datawallet, the Twitter 2FA data misuse, and more. Check out the interview below.
Twitter “Inadvertently” Misused Personal Info For Advertising
On Tuesday, Twitter admitted to “inadvertently” using phone numbers and email addresses that users had provided solely for two-factor authentication (2FA) to deliver targeted ads. The news felt particularly exploitative because, unlike most top-ranking sites, Twitter requires users to provide a phone number in order to enable 2FA at all (even when using an authenticator app or a hardware key), and deleting the phone number immediately disables 2FA on the account. Security and privacy advocates were further enraged by the fact that Twitter used those email addresses and phone numbers to match users against marketing lists uploaded by advertisers. In a seemingly indifferent response to the misuse, Twitter wrote in a blog post: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes.”
They conveniently failed to mention how many users were affected or for how long the improper targeting went on. Nevertheless, Twitter now claims that they “have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.” In my interview with CNBC, I mention that Datawallet could have helped, and here’s how: when a company wants to give their customers Datawallets, we always start by analyzing their entire data infrastructure and mapping data objects to their respective use cases. We only operate in jurisdictions that either have existing or upcoming data privacy regulation, so that the willful (or accidental) omission of any existing data object or use case has immediate legal recourse. Therefore, our clients’ interests and ours are aligned in unearthing every possible data field, correctly identifying the corresponding use cases, and transparently showing them to the user to control in their Datawallet. Unless a small group of Twitter employees willfully channeled this data into a clandestine environment outside of the normal Twitter ecosystem, and therefore consciously and unlawfully tried to hide it from their customers’ view, our data exploration and mapping procedures would have found that this data was used for retargeting, and it would subsequently have shown up in Twitter customers’ Datawallets. If anyone from Twitter reads this, feel free to get in touch with us. We’d love to help you prevent these things from happening in the future.
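The failure in the Twitter story is a purpose-limitation failure: an identifier collected for account security was consumed by a pipeline serving a different purpose (advertiser list matching). The example below is added here to illustrate how that boundary can be enforced in code; it is not Twitter’s or Datawallet’s code, and the accounts, purposes and advertiser list are constructed for the example. Each stored identifier carries the set of purposes it was collected for, both sides hash normalized identifiers the way ad platforms do for uploaded lists, and the matcher refuses to use an identifier whose purposes do not include the one being served. An audit function reports which matches the naive pipeline would have made that the purpose-aware one rejects, which is the kind of finding a data-mapping exercise should surface.

```python
"""Purpose-limited audience matching (added example, constructed data).

Models the Twitter 2FA misuse: contact identifiers collected for account
security must not feed advertiser list matching. Every Identifier records
the purposes it was collected for; match_audience() honours them and
audit_purpose_leaks() shows what an unconstrained matcher would have done.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    kind: str              # "email" or "phone"
    value: str
    purposes: frozenset    # purposes the user gave this identifier for


@dataclass(frozen=True)
class Account:
    user_id: str
    identifiers: tuple     # tuple of Identifier


def normalize(kind: str, value: str) -> str:
    """Canonical form used on both the platform side and the advertiser side."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        # Keep digits only; assumes the number carries its country code.
        return "+" + re.sub(r"\D", "", value)
    raise ValueError(f"unknown identifier kind: {kind}")


def hash_identifier(kind: str, value: str) -> str:
    """SHA-256 of the normalized identifier, as used in hashed list uploads."""
    return hashlib.sha256(normalize(kind, value).encode("utf-8")).hexdigest()


def match_audience(accounts, uploaded_hashes, purpose, enforce_purpose=True):
    """Return user_ids whose identifiers appear in the advertiser's hashed list.

    With enforce_purpose=True only identifiers collected for `purpose` are
    consulted; a phone number given for 2FA alone can never produce a match.
    enforce_purpose=False reproduces the unconstrained behaviour.
    """
    matched = set()
    for acct in accounts:
        for ident in acct.identifiers:
            if enforce_purpose and purpose not in ident.purposes:
                continue
            if hash_identifier(ident.kind, ident.value) in uploaded_hashes:
                matched.add(acct.user_id)
    return matched


def audit_purpose_leaks(accounts, uploaded_hashes, purpose):
    """Map user_id -> identifiers that matched the list but lack `purpose`.

    Non-empty output means the unconstrained pipeline was reusing data
    outside the purpose it was collected for.
    """
    leaks = {}
    for acct in accounts:
        for ident in acct.identifiers:
            if purpose in ident.purposes:
                continue
            if hash_identifier(ident.kind, ident.value) in uploaded_hashes:
                leaks.setdefault(acct.user_id, []).append(
                    (ident.kind, sorted(ident.purposes)))
    return leaks


# Constructed sample data: alice opted her email in for marketing, bob and
# carol provided contact details for account security only.
ACCOUNTS = (
    Account("alice", (
        Identifier("phone", "+1 415 555 0100", frozenset({"security"})),
        Identifier("email", "alice@example.com", frozenset({"security", "advertising"})),
    )),
    Account("bob", (
        Identifier("phone", "+44 7700 900123", frozenset({"security"})),
    )),
    Account("carol", (
        Identifier("email", "Carol@Example.com", frozenset({"security"})),
    )),
)

# Constructed advertiser upload: hashed, as a real marketing list would be.
ADVERTISER_LIST = frozenset({
    hash_identifier("email", "alice@example.com"),
    hash_identifier("phone", "447700900123"),
    hash_identifier("email", "carol@example.com"),
})


if __name__ == "__main__":
    print("unconstrained:", sorted(match_audience(ACCOUNTS, ADVERTISER_LIST, "advertising", enforce_purpose=False)))
    print("purpose-aware:", sorted(match_audience(ACCOUNTS, ADVERTISER_LIST, "advertising")))
    print("leaks:", audit_purpose_leaks(ACCOUNTS, ADVERTISER_LIST, "advertising"))
```

The tagging is only as good as the data map behind it: if a field is ingested without purposes attached, the safe default is to treat it as having none, which the purpose check above does automatically (an empty purpose set never matches).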
Twitter under fire for profiting from millions of UK users' data sold to advertisers
California AG Releases Draft CCPA Implementation Regulations
Last Thursday, California’s Attorney General Xavier Becerra released the draft rules for the California Consumer Privacy Act (CCPA). Notable provisions include:
Notice at Collection:
Companies must notify consumers, at or before the point of collection, of each category of personal information they collect, the commercial purpose for which each category is used, and the categories of third parties it is shared with, along with clear guidance on how to opt out of the sale of their data.
Handling Consumer Requests:
Companies must confirm receipt of a consumer’s request to know or to delete within 10 days, use a two-step process for deletion requests (the consumer submits the request and then separately confirms it), and keep records of how consumer requests were handled for at least two years.
Special Rules Regarding Minors:
The personal information of children under 13 may only be sold with the affirmative authorization of a parent or guardian, and companies must establish a reasonable method for verifying that the person giving authorization is in fact the parent or guardian. Minors aged 13 to 15 must themselves affirmatively opt in before their personal information can be sold.
Service Providers:
Service providers may not use personal information they receive from a business, or from consumers on that business’s behalf, to provide services to any other person or entity.
Most Impacted Industries:
The California Department of Justice indicated that the most impacted industries are likely to be trade; professional, scientific and technical services; and health care and social assistance.
The DOJ estimated compliance will cost businesses between $467 million and $16.5 billion between 2020 and 2030.
Permissions For New Use Cases:
A company that intends to use a consumer’s personal information for a purpose materially different from those disclosed at the point of collection must directly notify the consumer and obtain their explicit consent for the new use.
Notice of Financial Incentive:
A notice of financial incentive must include a good-faith estimate of the value of the consumer’s data, as well as the method used to calculate that value.
The draft rules from California’s AG are certainly not a light interpretation of the CCPA, and companies need to act now in order to be compliant with them. Datawallet provides the perfect end-to-end solution to the CCPA, which empowers users, builds trust, and seamlessly integrates into companies’ existing tech stack.
For a quick overview of all the draft regulations, see our latest blog post below.
California AG Releases Draft CCPA Implementation Regulations
Personal Data of 92 Million Brazilians Auctioned on an Underground Forum
A massive data breach has hit Brazil, affecting 92 million employed taxpayers, nearly half of the country’s population. The source remains a mystery, however: no organization has publicly reported a breach matching the leaked data. BleepingComputer reports that the fields in the dump point to the Department of Federal Revenue of Brazil as a likely source, confirmed that the data set is a SQL database of about 16 GB, and verified that lookups of known individuals returned accurate information. The database includes names, birth dates, driver’s license numbers, phone numbers, business registration information, license plate numbers, dates of death, family relations and home states.
Citizen Data of 92 Million Brazilians Offered for Sale on Underground Forum - CPO Magazine
Report Reveals the Scope of Russian Meddling in the 2016 Election
On the 8th of October, the Senate Intelligence Committee released a report detailing Russia’s manipulation of social media in the 2016 U.S. election. The interference efforts are reported to have extended to Instagram, Reddit, Tumblr, LinkedIn, Medium and Pinterest. The report includes a 20-page section breaking down the Internet Research Agency’s (IRA) activity by platform, showing that the manipulation went well beyond Facebook, Google, YouTube and Twitter, which have faced the most scrutiny for serving as vehicles for Russian meddling. “The use of Instagram by the IRA, and Instagram’s centrality as a channel for disseminating disinformation and societally divisive content, has escaped much of the media and public attention that has focused on other social media platforms,” the report said. “IRA activity and engagement with Americans through Instagram accounts dramatically eclipsed the comparable interaction achieved through Facebook pages.” According to the Committee, the IRA’s activity on Instagram began as early as 2015, and its accounts garnered 3.3 million followers and 187 million engagements.
The report also reveals that the IRA used Reddit to test how audiences engaged with disinformation before rolling out its influence campaigns on other social media channels. Medium and Pinterest “publicly acknowledged the discovery of IRA influence operative activity on their platforms”, while Tumblr indicated that “IRA influence operatives used the platform to interact with 11.7 million unique U.S. users, and nearly 30 million unique users globally.” Foreign influence activity on LinkedIn was limited; however, “the platform and its users are a significant target for foreign intelligence services” because of the personal and professional information users make so readily available.
Brexit Is Likely To Hinder the UK’s Data Sharing Processes
The Washington Post warned that “a no deal (Brexit) would tip companies into a legal limbo and prompt a last-minute flurry of costly compliance work”. In August, academics at University College London warned that many firms would not be prepared for a no-deal departure, and a data-transfer agreement between Britain and the EU could take years to draw up. Meanwhile, the risk of lawsuits from activists over improper data transfers between companies will be extremely high, increasing the urgency for companies to implement a proactive and consumer-centric compliance strategy. Needless to say, we at Datawallet would love to help.
Court Rules FBI Searches of NSA Surveillance Data Violated Americans’ Privacy Rights
The Verge reported on a newly declassified ruling by the Foreign Intelligence Surveillance Court, which found that the FBI had conducted tens of thousands of “unauthorized, warrantless searches on American citizens” in a database of communications collected primarily by the National Security Agency. The data is gathered under Section 702, a surveillance authority that was part of the aggressive expansion of US spy programs following 9/11. It gives FBI agents the ability to query collected data, including phone numbers, email addresses and other identifiers, with one limitation: queries may only be run to find evidence of a crime or as part of an investigation into a foreign target, with the aim of monitoring terrorism suspects and threats. The FBI reportedly also used the database to vet potential American sources, as well as their friends, family and coworkers. The court found that these warrantless searches violated the Fourth Amendment, which protects people from unreasonable search and seizure.
FBI violated Americans’ privacy by abusing access to NSA surveillance data, court rules
1 Million New Zealanders Health Data Exposed in Data Breach
Another trove of personal health data, this time belonging to about 1 million New Zealanders, has been exposed in a series of intrusions into systems holding patient records. The data dates back to 2002 and covers patients from the greater Wellington, Wairarapa and Manawatu regions. The list of those affected exceeds the current population of those areas because it includes people who have since died or moved away. Security expert Jonathan Devaux said: “Unfortunately, there did not seem to be protections placed on the data itself, which means the personal data was left in clear text form. It’s a good thing that no payment info, tax numbers, passport numbers, nor driver’s license numbers were on the server.”
Health, personal data of 1 million New Zealanders exposed in series of intrusions | SC Media
What I'm Reading:
Court says FCC’s ‘unhinged’ net neutrality repeal can’t stop state laws – TechCrunch
NYC seeks to curb facial recognition technology in homes and businesses
'Protecting rioters': China warns Apple over app that tracks Hong Kong police
Online Trust Audit – 2020 U.S. Presidential Campaigns | Internet Society
Serafin
Tags: Data Digest, Industry Trends, CCPA, Data Misuse, Regulatory Updates, Data Breaches, Consumer Privacy