July 12: A Day to Defend Net Neutrality

Online privacy, Protest, Regulation

In protest of the FCC’s plans to scrap net neutrality protections, many non-profits, companies and websites are banding together to host a day of action on July 12, 2017. Among the companies joining in this progressive movement: Amazon, Vimeo, GitHub, Netflix, Etsy, Twitter, and Spotify. What will the day of protest entail?

- a Twitter Brigade, tweeting net neutrality news through July 12

- a 30-second video bumper for online video content

- website alerts, like the one below (I’m going to try this one on my page!)


The point is to show what the internet would look like without net neutrality protections.

Without net neutrality, internet service providers will be free to steer you to their selected content, creating slow lanes for companies that can’t pay up. A big company’s website could load quickly, while a small non-profit’s page could take longer to load.

Support net neutrality on July 12! Join here.

Website Login Fingerprinting

Advertising, Online privacy

INRIA, the French computer science institute (which has a fantastic privacy research group), has released an online test to show you your web browsing fingerprint. Their Browser Extension and Login-Leak Experiment demonstrates how you can be tracked by the browser extensions you have installed, as well as the sites you remain logged in to. These stale logins can be used to target your online ads, or even serve you higher prices in online shopping.

I failed this test completely – my logins are apparently very unique:


And, I remain logged into way more sites than I thought! eBay and Yahoo? It’s possible that some of these are false login detections, as the group is still working out the kinks.


You can take the test here: https://extensions.inrialpes.fr/

Checkups like these are good reminders of the data we leak without thinking about it: where we visit, what we type, and where we click. Little beacons are ready to collect it.

Snapchat’s New Snap Map–How It Shares Location

Exposure, Online privacy, Smartphones, Social Media

Last week, the social media application Snapchat released a new location sharing feature: Snap Map. Snaps can be added to the “Our Story” map, which is public, and is intended to show snaps related to world events. Snap locations can also be shared with friends. Location sharing is opt-in, as the app defaults users to “Ghost Mode,” meaning that location is not shared. However, Snapchat gives the impression in its introductory video that location is shared when a user posts a story. In reality, if a user is not in Ghost Mode, location is shared to the map (visible to the user’s friends) each time the app is opened. This results in the routine sharing of users’ home locations. It is inherently risky for those who frequently open Snapchat on the go, thereby leaking breadcrumbs of their daily trajectories.

Some additional details: While only mutual friends can see each other on the Snap Map, Snapchat is clearly collecting all of this data on user locations. The company claims to delete the location data after a short period of time, but does not specify the duration of this time period. If a user does not open the app for 8 hours, the last shared location disappears from the map.

Source: The Verge

Canada’s Supreme Court Strikes Down Clause of Facebook’s Terms of Use

Advertising, Exposure, Legislation, Online privacy, Social Media

A class action suit has been brought against Facebook in Canada. A Vancouver woman initially sued Facebook for featuring her name and photos in “Sponsored Stories” advertising, after she “liked” various company pages. The class action suit covers an estimated 1.8 million residents of British Columbia who had their names or photos used in Facebook’s Sponsored Stories. The suit encountered an initial hurdle in that Facebook’s terms of use include a clause of forum selection and “choice-of-law,” meaning that all disputes against the company must be reviewed in California, where it is headquartered. In a 4-3 decision, the Canada Supreme Court found that the clause is not enforceable in Canada. The ruling clears the way for the privacy case to now be tried in B.C. to evaluate the merits of the claim. The original suit seeks damages from Facebook for violation of the B.C. Privacy Act.

Source: CTV News

EU Proposes to Ban “Backdoors” in Encryption

Encryption, Legislation, Online privacy, Regulation, Smartphones

The European Commission has drafted amendments to the 2002 ePrivacy regulations that would ban the creation of backdoors for reading encrypted communications. This is a win for privacy in light of widespread calls by law enforcement and governments to establish access to end-to-end encrypted (E2EE) messages, most recently by the UK (for Signal and WhatsApp, which use E2EE).

The draft proposal, which would outlaw encryption backdoors, states:

Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.


…when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited…

The proposed amendments are more in line with the new General Data Protection Regulation (GDPR), but will have to pass through the European Parliament and European Council to go into effect.

Source: The Guardian

California Broadband Internet Privacy Act, AB 375, Introduced

Advertising, Legislation, Online privacy, Regulation

As a response to the repeal of FCC broadband privacy rules in April 2017, CA Assemblymember Ed Chau (D-Monterey Park) has introduced the California Broadband Internet Privacy Act, or AB 375. This bill is modeled after the FCC’s regulations and includes an “Ask Me First” principle, requiring Internet Service Providers (ISPs) to only use, sell, or share identifiable customer data if the customer opts in. Such information includes internet browsing history, downloaded applications, and time spent on each site. AB 375 would also prohibit any ISP practices that would require customers to pay more for their privacy or penalize those who did not consent to share their data. Eighteen other states, including Oregon, have already introduced similar bills to protect internet data privacy following the Congressional repeal of the FCC rules. At least 25 consumer, privacy, and labor advocacy groups are endorsing this bill, including the ACLU of CA, EFF, and the Privacy Rights Clearinghouse.

Sources: The Recorder, Consumer Federation of California

Targeted Voter Profiling in Kenya

Advertising, Online privacy, Politics, Surveillance

Privacy International is condemning Kenyan President Uhuru Kenyatta’s party for its hiring of Western data firm Cambridge Analytica to sway his re-election bid. The firm is also tied to the election of Donald Trump and Brexit. Cambridge Analytica occupies an entire floor of a building owned by Kenyatta’s coalition, and it ties data such as income, health status, political opinions, websites visited, and hobbies to individual-level voter registration records. Cambridge Analytica also creates psychometric profiles, essentially a quantification of personality: i.e. how neurotic or extroverted someone is. These data are used to target political advertising to the individual, possibly resulting in psychological manipulation or campaigns of misinformation (fake news?). Privacy International argues that this individual profiling is especially dangerous in Kenya, where ethnicity remains extremely political. Kenya also has no data protection laws, or rules governing how data are collected, stored, and accessed, leaving this voter database, and those in it, vulnerable. Privacy International is asking Cambridge Analytica to provide information on their risk assessment of mass data profiling in Kenya and how it will protect data privacy.

Sources: Privacy International, Snopes

Enforcement of the EU General Data Protection Regulation (GDPR) < 1 Year Away: Are Marketers Prepared?

Advertising, Online privacy, Regulation

Short answer: No

The GDPR requires that companies obtain explicit and informed permission before collecting personal data from EU residents. This includes IP addresses and cookies. While it is already in effect, it doesn’t hit the enforcement stage until May 25, 2018. A study of 250 businesses conducted by the Data & Marketing Association finds that half of companies will still not be prepared to comply by next year’s deadline.

Among the adjustments that companies have to make are deleting or updating non-compliant databases of personal information and ceasing use of “clickwrap” forms (lengthy terms of service that people click through quickly), as well as pre-checked consent boxes. Any business that collects information from EU residents, even businesses based abroad, must comply with the GDPR terms. And, the repercussions will be hefty: €20 million or 4% of global turnover, whichever is higher.

Source: DigiDay

MIT Study Finds Students Will Give Away Friends’ Emails for Pizza

Exposure, Online privacy, Surveys

If you were asked to provide the email addresses of your closest friends in exchange for a free pizza to share with them, would you do it?

Would you give their real emails?

A study of 3,108 MIT students (Athey, Catalini, and Tucker 2017) found that 98% were willing to give up the email addresses to get the pizza, and 94% were still willing to do so for no incentive. Within these high percentages, there is some evidence of masking. The collected email addresses were checked for validity against an MIT directory to tell whether or not they were fake. In the group that did not receive a pizza incentive (at first), 6% provided fake email addresses. To count as deliberate masking, all the addresses a student provided had to be mismatches with the database, in order to rule out any inadvertent typos. The researchers found that when students are offered the pizza incentive, there is a 54% reduction in the probability that they will provide all fake email addresses. There were no significant differences in the results by gender, technology preferences, year of study, or even stated privacy preferences. Even those who were considered “privacy-sensitive” by their reported privacy concerns did not respond differently to the pizza incentive than the rest of their peers. This is solid continued evidence of the privacy paradox: that our privacy behaviors contradict our privacy attitudes.

Coats Backtracks on Promise to Provide Number of Americans Tracked by NSA

Legislation, Online privacy, Politics, Smartphones, Surveillance

Director of National Intelligence Dan Coats promised at his confirmation hearing to obtain and reveal the number of Americans affected by NSA surveillance. At a hearing this week before the Senate Intelligence Committee, Coats reversed course on this, claiming that it is infeasible to provide such an estimate. He argued that revealing this statistic would potentially violate privacy by verifying subject identities [I don’t follow…]. Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is used to justify “upstream” mass collection of email and phone call data, is set to expire this year. The Trump administration is looking to make this surveillance statute permanent. In a strange twist, NSA Director Mike Rogers argued this week that Section 702 surveillance allowed the NSA to generate “insights” on Russian interference with the 2016 election [what are those insights?].

Sources: ZDNet, Washington Examiner