Notorious Location Tracker X-Mode Barred from Selling Data
As part of a recent series of enforcement actions, the US Federal Trade Commission (FTC) has recently barred the company X-Mode from selling sensitive location data. X-Mode has been the subject of a long series of press investigations and it was discovered in 2022 that the data broker was a contractor for the US Department of Homeland Security and the Internal Revenue Service.
A privacy study conducted by Sean O’Brien, founder of Yale Privacy Lab, in 2021 revealed that X-Mode targeted specific demographics via a variety of Muslim prayer apps long after having been nominally banned from the Apple and Google app stores. O’Brien, who is now Panquake CTO, weighed in on the recent FTC action, saying, “X-Mode and its partners have been sharing data with the US government and military for many years. These trackers are part of a domestic and global spy kit that pervades smartphone app stores. This FTC action is a great start, but I hope to see the day that all similar trackers are banned and investigated.”
In addition to its enforcement action against X-Mode, the FTC published guidelines for all location brokers and specifically stated that X-Mode must offer the ability, on request, for people to delete location data associated with them and to be informed of every entity that received their location data.
The FTC emphasized that “openly selling a person’s location data to the highest bidder can expose people to harassment, stigma, discrimination, or even physical violence”. The new guidelines include a requirement for location brokers to identify “sensitive” types of data (like location data for family planning centers, religious buildings, and domestic violence shelters) and bars them from selling this type of data.
The World's Largest Trove of Stolen Data has Surfaced
A gigantic set of stolen personal and sensitive information was recently made public due to a “misconfigured firewall” from the data breach search engine Leak-Lookup.
This includes 12 terabytes of data and over 26 billion records, making this the largest collection of breached data ever and leading to the nickname “MOAB” for “Mother Of All Breaches”. While it has been confirmed to contain a large amount of data from previous breaches, analysts are confident that records from new breaches are also contained within the larger data set.
According to cybersecurity researcher Bob Dyachenko, the consumer impact of this giant breach could be unprecedented. This is due to many people choosing to reuse usernames and passwords, making it easier for malicious actors to try the same password and email combination on multiple sites using what’s known as a “credential stuffing attack”.
EU Court Opens Door for Voluntary Credit Scores
A ruling from the European Union’s Court of Justice (CJEU) may have broad implications for credit scoring companies operating within their jurisdiction. The original complaint put before the Court questioned whether Germany’s biggest credit agency Schufa is legally allowed to issue credit scores.
The basis for the question stemmed from Article 22 in the General Data Protection Regulation (GDPR) that provides protections for people who’s data is “…subject to a decision based solely on automated processing, including profiling, which…significantly affects him or her.”
The Court found that Schufa’s credit scoring was an “automated individual decision,” and in their subsequent press release stated that Schufa’s methodology was… “prohibited in principle by the GDPR, in so far as Schufa’s clients, such as banks, attribute to it a determining role in the granting of credit.”
For individuals this ruling means that companies may not use a credit score created in the same manner as Schufa’s to decide whether someone is approved for a loan or other financial consideration.
Meta Users Pay Fee to ‘ensure privacy’
Facebook and Instagram parent company Meta is now the subject of a complaint filed with Austrian data regulators by advocacy group NOYB (None Of Your Business). The complaint maintains that Meta’s new ad-free service amounts to “paying a fee to ensure privacy” as users who don’t want targeted ads based on Meta collecting their personal data must pay €9.99 per month.
Meta has stated that their new offering of a paid subscription without advertisements is now compliant with a ruling from July of 2023 where Europe’s top court found Meta in violation of the GDPR. With this most recent complaint however, Meta’s state of compliance with the GDPR will again be questioned.
NOYB’s filing will explore whether Meta’s paid experience actually gives users agency when consenting to being tracked and data mined. Per a statement from NOYB on the matter, “Not only is the cost unacceptable, but industry numbers suggest that only 3 percent of people want to be tracked – while more than 99 percent don't exercise their choice when faced with a 'privacy fee'.”
Privacy Watchdog Refuses Investigation into Employer Accessing Personal Emails
In a recent Australian privacy case, an employee was fired after his company monitored his personal activity performed via the company-issued laptop. The employee subsequently filed a complaint against the company for violating the Australian Privacy Act by accessing his personal information and then using that information as grounds for termination.
Unfortunately for this employee, the information commissioner who bears responsibility for enforcing the Privacy Act violations determined that, in this instance, the employee did not have their rights infringed upon. This was due to the fact that a company asset (in this case the laptop) is allowed to be routinely monitored and surveilled as it is owned by the company.
In response to the refusal of the information commissioner to pursue a Privacy Act violation against the employer, David Vaile, the privacy and surveillance stream lead at the UNSW’s Allens Hub for Technology, Law and Innovation, said: “The judgment is unhelpful for settling the law on this point – a consequence of the fact that a victim can’t directly litigate their legal claim, and that, as the court confirms, at present Australians still thus don’t have a ‘right’ to privacy, only a right to complain to a regulator who can, as this judgment confirms, take advantage of a wide range of justifications to do nothing if they feel like it with minimal court oversight.”
EU Chat Control Report Favors Surveillance according to Parliament Member
A recent publication of a report from the EU Commission regarding chat control has prompted EU Parliament member Patrick Breyer to state that, “major US providers such as Meta, Google and Microsoft automatically bulk search private chats, messages and emails for suspicious content, without cause and indiscriminately.”
Breyer went further, declaring, “All in all, there is no evidence that the industry-driven mass surveillance of our private communications by US services makes a significant contribution to saving abused children or convicting abusers. To the contrary, it criminalises thousands of minors, overburdens law enforcement and opens the door to arbitrary private justice by big tech.”
According to Breyer, the report also failed to mention what one of its own Commissioners stated, namely that only 1 in 4 private photos or videos given to law enforcement from these providers is actually useful. In his opinion, the chat controls used by these US providers violates the right to privacy of EU citizens.
Police will Scan Faces of 50M British Drivers using Facial Recognition AI
Under a new law, anyone who holds a British driver’s license will be subject to facial recognition searches by law enforcement. While this significant change comes from just a single clause contained within a new criminal justice bill, privacy advocates are warning that British citizens will now be “in a permanent police lineup”.
Currently, for law enforcement to access driving license records they must provide a good cause relating to an illegal action, and the majority of this access is related to road traffic incidents.
Professor Peter Fussey, who previously reviewed Meta’s use of facial recognition tech, commented on the proposed change, saying, “This constitutes another example of how facial recognition surveillance is becoming extended without clear limits or independent oversight of its use… That police find such technologies useful or convenient is not sufficient justification to override the legal human rights protections they are also obliged to uphold.”
N. Ireland Police Data Breach caused by ‘Outdated Practices’
oor cybersecurity controls were recently found to be the cause of a massive data breach in N. Ireland. The leak disclosed over 9,500 records of police staff and contained sensitive, personally-identifying information on most. The leak was caused when a human resources employee forgot to remove a hidden tab in a spreadsheet that was subsequently shared publicly, and this has quickly become one of the worst data breaches in UK policing history.
At the request of the Policing Board, an independent report was commissioned in response to the incident and found that the breach was, “a consequence of many factors, and fundamentally a result of PSNI (Policing Service of Northern Ireland) as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.”
As a result of the breach an officer has resigned and dozens have gone on sick leave. Additionally, over 4,000 officers and staff have contacted a threat assessment group and a similar number are involved in potential legal action against the PSNI.