Google Expels 20 Surveillance Apps from Play Store

Advertising, Smartphones, Surveillance

Last week, Google banned 20 Android apps from its Play Store for their extraction of users’ emails, texts, location, and calls. The apps “rooted” devices with older Android operating systems, meaning they were able to bypass newer security protections. The expelled apps generally advertised as cleanup tech for unwanted files or as backup utilities. It is suspected that the apps were developed by  Equus Technologies, a cyber arms company, and had been installed on 100 phones. Google is calling these apps “Lipizzan.” The same day Google announced the banning of these apps, antivirus company Sophos disclosed two Android apps surreptitiously collecting text messages: an app store shortcut and a skin care magazine. These have been downloaded up to 500,000 times.

ArsTechnica

Website Login Fingerprinting

Advertising, Online privacy

INRIA, the French computer science institute (which has a fantastic privacy research group), has released an online test to show you your web browsing fingerprint. Their Browser Extension and Login-Leak Experiment demonstrates how you can be tracked by the browser extensions you have installed, as well as the sites you remain logged in to. These stale logins can be used to target your online ads, or even serve you higher prices in online shopping.

I failed this test completely – my logins are apparently very unique:

ident

And, I remain logged into way more sites than I thought! eBay and Yahoo? It’s possible that some of these are false login detections, as the group is still working out the kinks.

ident2

You can take the test here: https://extensions.inrialpes.fr/

Checkups like these are good reminders of the data we are leaking out without thinking about: where we visit, what we type, and where we click. Little beacons are ready at the collect.

Canada’s Supreme Court Strikes Down Clause of Facebook’s Terms of Use

Advertising, Exposure, Legislation, Online privacy, Social Media

A class action suit has been brought against Facebook in Canada. A Vancouver woman initially sued Facebook for featuring her name and photos in “Sponsored Stories” advertising, after she “liked” various company pages. The class action suit covers an estimated 1.8 million residents of British Columbia who had their names or photos used in Facebook’s Sponsored Stories. The suit encountered an initial hurdle in that Facebook’s terms of use include a clause of forum selection and “choice-of-law,” meaning that all disputes against the company must be reviewed in California, where it is headquartered. In a 4-3 decision, the Canada Supreme Court found that the clause is not enforceable in Canada. The ruling clears the way for the privacy case to now be tried in B.C. to evaluate the merits of the claim. The original suit seeks damages from Facebook for violation of the B.C. Privacy Act.

Source: CTV News

California Broadband Internet Privacy Act, AB 375, Introduced

Advertising, Legislation, Online privacy, Regulation

As a response to the repeal of FCC broadband privacy rules in April 2017, CA Assemblymember Ed Chau (D-Monterey Park) has introduced the California Broadband Internet Privacy Act, or AB 375. This bill is modeled after the FCC’s regulations and includes an “Ask Me First” principle, requiring Internet Service Providers (ISPs) to only use, sell, or share identifiable customer data if the customer opts in. Such information includes internet browsing history, downloaded applications, and time spent on each site. AB 375 would also prohibit any ISP practices that would require customers to pay more for their privacy or penalize those who did not consent to share their data. Eighteen other states, including Oregon, have already introduced similar bills to protect internet data privacy following the Congressional repeal of the FCC rules. At least 25 consumer, privacy, and labor advocacy groups are endorsing this bill, including the ACLU of CA, EFF, and the Privacy Rights Clearinghouse.

Sources: The Recorder, Consumer Federation of California

Targeted Voter Profiling in Kenya

Advertising, Online privacy, Politics, Surveillance

Privacy International is condemning Kenyan President Uhuru Kenyatta’s party for its hiring of Western data firm Cambridge Analytica to sway his re-election bid. The firm is also tied to the election of Donald Trump and Brexit. Cambridge Analytica occupies an entire floor of a building owned by Kenyatta’s coalition, and it ties data such as income, health status, political opinions, websites visited, and hobbies to individual-level voter registration records. Cambridge Analytica also creates psychometric profiles, essentially a quantification of personality: i.e. how neurotic or extroverted someone is. These data are used to target political advertising to the individual, possibly resulting in psychological manipulation or campaigns of misinformation (fake news?). Privacy International argues that this individual profiling is especially dangerous in Kenya, where ethnicity remains extremely political. Kenya also has no data protection laws, or rules governing how data are collected, stored, and accessed, leaving this voter database, and those in it, vulnerable. Privacy International is asking Cambridge Analytica to provide information on their risk assessment of mass data profiling in Kenya and how it will protect data privacy.

Sources: Privacy International, Snopes

UK Grocery Store Fined £10,500 ($13,373) for Spamming Opt-Out Customers

Advertising, Regulation

Morrison’s, a UK grocery chain, has been fined by Britain’s Information Commissioner’s Office (ICO) for sending marketing emails to customers who had opted out of receiving email advertising from the store. The chain was found to have sent out 130,671 emails to opt-out customers at the end of 2016 and so has been fined £10,500 ($13,373). The emails in question asked recipients to change their marketing preferences to receive coupons and newsletters, a practice that violates the nation’s Privacy and Electronic Communication Regulations (PECR). This law contains specific rules for marketing communications, cookies, communications security, itemized billing, and customer location data. The ICO stated that enforcement of the PECR through fines will also help to prepare for corporate adherence to the EU’s General Data Protection Regulation (GDPR).

Sources: ICO, ITPro

Enforcement of the EU Global Data Protection Regulation (GDPR) < 1 Year Away: Are Marketers Prepared?

Advertising, Online privacy, Regulation

Short answer: No

The GDPR requires that companies obtain explicit and informed permission before collecting personal data from EU residents. This includes IP addresses and cookies. While it is already in effect, it doesn’t hit the enforcement stage until May 25, 2018. A study of 250 businesses conducted by the Data & Marketing Association finds that half of companies will still not be prepared to comply by next year’s deadline.

Among the adjustments that companies have to make are deleting or updating non-compliant databases of personal information and ceasing use of “clickwrap” forms (lengthy terms of service that people click through quickly), as well as pre-checked consent boxes. Any business that collects information from EU residents, even businesses based abroad, must comply with the GDPR terms. And, the repercussions will be hefty: €20 million or 4% of global turnover, whichever is higher.

Source: DigiDay

Google is Now Analyzing 70% of Credit and Debit Card Purchases

Advertising, Online privacy

Google is putting into action a system that connects your digital identity to your credit and debit card purchases in brick-and-mortar stores. Its partner companies performing the analysis reportedly have access to 70% of U.S. credit and debit card transactions. Google’s objective in this new massive data linkage is to connect its online ads to success in sales, even in offline settings. It uses what it calls “double-blind encryption” to prevent retailers from knowing Google user identities and prevent Google from knowing real-world shopper identities. Privacy rights groups are expressing deep skepticism that personal identities will be secure under this system or stand up against hacking attempts. Google will now be able to link browsing history, search terms, and location to purchase history.

Source: Washington Post

Google and Facebook Lobbying Against BROWSER Privacy Bill

Advertising, Legislation, Online privacy, Regulation

The BROWSER internet privacy bill, sponsored by House Republicans, is being lobbied against by Google and Facebook representatives. The bill would require an opt-in by internet users before location and browsing history are used for advertising. Websites and ISPs would face repercussions from the FTC if they break privacy restrictions. The Internet Association is claiming that the regulations would stifle innovation (same argument used against net neutrality) and “upend the consumer experience.” The current paradigm for targeted ads and tracking is opt-out, although we consumers cannot really opt out of tracking. The Internet Association was founded by members of Google and Facebook, and includes similar big companies such as Amazon, Dropbox, and Netflix.

Source: ArsTechnica

Republican-Led Internet Privacy Bill: BROWSER

Advertising, Legislation, Online privacy, Regulation

After taking part in rolling back privacy protections enacted by the FCC, House Republican Marsha Blackburn (Tenn.) introduced a bill containing some of the same restrictions, but this time under FTC jurisdiction. Called “Balancing the Rights of Web Surfers Equally and Responsibly” (BROWSER), the bill requires ISPs and internet companies to obtain consent before using location and browsing history for targeting ads. Compared to the recently struck down FCC rules, this constraint would apply not just to ISPs, but to companies like Facebook and Google. In addition, BROWSER would forbid any denial of service to users who do not opt-in to tracking. Co-sponsors of the bill include Brian Fitzpatrick (R-Pa.) and Bill Flores (R-Tex.).

Source: Investor’s Business Daily