Topic: Privacy
Apple Joins Group of Companies Supporting Google in Foreign Email Privacy Case – Mac Rumors (Mar 14, 2017)
Given the way other big tech companies had weighed in on the related Microsoft case over the past few years, it was a little odd that more hadn’t sprung to Google’s defense in this one, but it’s good to see that they are now doing so. These cases have far-reaching consequences not just for user privacy but for the ability of US companies to do business in overseas markets, and those companies need to defend themselves vigorously. The final outcome of both cases is therefore worth watching closely.
via Mac Rumors
Google’s Allo app can reveal to your friends what you’ve searched – Recode (Mar 14, 2017)
Now that I’ve finally got around to writing this up, it appears Google has patched the specific issue highlighted in this piece, but it’s still worth talking about for a couple of different reasons. For one, anytime you bring a virtual assistant into an existing conversation between two or more human beings, there’s a tension between the bot knowing as much as possible about each participant and using that to be helpful on the one hand, and avoiding exposing personal information about the participants on the other. Google appears to have screwed that up here in a way that could have been damaging or embarrassing for users, though it has now been patched. Secondly, this kind of thing can only happen when you collect and keep enormous amounts of data on your users in the first place – a company that neither collects nor retains such data in a profile could never expose it. It’s clear that Google didn’t intentionally do so here, but it was able to do so anyway because of its business model. Competitors such as Apple might argue that not collecting such data, or keeping it secured on a device rather than in the cloud, would make it impossible for a cloud service to share it with others. We’re going to have to work through lots more of these scenarios in the years to come, and the competition between companies that strictly preserve privacy and those that use personal data to improve services will be a critical facet of that evolution.
via Recode
Apple hires Jonathan Zdziarski, an active forensics consultant & security researcher in the iOS community – 9to5Mac (Mar 14, 2017)
Zdziarski was in the news a lot a year ago, when Apple was fighting the FBI over the iPhone used by the San Bernardino shooter, because he was frequently quoted and cited as an expert who backed Apple’s stance. As such, it’s not altogether surprising that he should end up at Apple – he’s been both one of its staunchest supporters around some security and privacy issues and someone who has discovered vulnerabilities in its code. On the one hand, that makes him a useful person to have inside the company – this hire feels a lot like Apple’s hire of Anand Shimpi, another prominent outside expert who was brought inside – but Apple will lose the benefit of having a vocal independent advocate on these issues. It’s also interesting to note Zdziarski’s comments about his hiring and why he’s joining Apple – he cites its privacy stance, which is of course closely tied to security concerns, as a strong motivating factor.
via 9to5Mac
Zuckerberg manifesto removes reference to Facebook monitoring ‘private channels’ – Business Insider (Feb 17, 2017)
Kudos to Mashable, which first noticed that one paragraph in a 6,000-word manifesto had been changed from the original to the final version (I covered the manifesto itself yesterday). And kudos, too, to Business Insider for following up with Facebook to find out why it was removed. The official explanation is that the paragraph talked too specifically about a capability Facebook hasn’t finalized yet, but it’s at least as likely that Facebook worried it would cause major privacy concerns. The paragraph in question talked about using AI to detect terrorists in private channels, which rather flies in the face of Facebook’s commitment to encryption and protecting privacy. As with much else in the letter, I think it was likely intended to be mostly aspirational rather than specific, but the original paragraph was rather tone deaf about how such an idea would be received even in such high-level terms.
via Business Insider
Vizio to Pay Fines Over Unlawful Tracking and Selling of User Data (Feb 7, 2017)
It turns out Vizio has been collecting extremely granular data on users of its smart TVs, and then matching its IP data with offline data about individuals and households (essentially everything short of actual names). And it’s done all this without making users properly aware that this was what it was doing. The data related to everything consumers watched on the TVs, whether the content came through Vizio’s own smart TV apps or merely through one of its inputs from another box or antenna. Something I’d forgotten was that Vizio filed an S-1 in preparation to go public back in 2015 – it never actually went public because Chinese player LeEco decided to acquire them (a deal due to close shortly). Aside from talking about how many TVs the company sells, the S-1 makes a big deal of of the “up to 100 billion viewing data points daily” it collects from 8 million TVs, and touts its InScape data services, which package up this data for advertisers, although it says this data is “anonymized”, which feels like an alternative fact at this point. The risk factors in the filing even mention possible regulatory threats to such data gathering, so it’s probably fair to say that Vizio shared more information with its potential investors about the data it was collecting than it did with end users. To settle the case, Vizio has to pay a total of $3.7m in fines to the FTC and the state of New Jersey (whose AG brought the suit with the FTC), discontinue the practice, and disclose it to consumers. I can’t wait to see how it manages that last point – imagine turning on your Vizio TV one day and seeing a message pop up about the fact that it’s been tracking your every pixel for the last several years. Assuming that’s done right, it could be the most damaging part of it this for Vizio, which made over $3 billion in revenue in its most recently reported financial years. Meanwhile, yet another headache for LeEco to manage.
Court Rules Google Has to Hand Over Data in Contradiction to Recent Microsoft Ruling – The Register (Feb 4, 2017)
The recent ruling in the ongoing case involving Microsoft and customer data stored outside the US had at least temporarily provided some reassurance that the big tech companies’ stance on this issue would be upheld in court. However, a new court in a different part of the US has now ruled the other way, though its rationale for ruling differently is that Google manages its data and data centers differently from Microsoft. This is a blow to the big tech companies who’ve fought to keep their overseas data centers (and the data held there on non-US customers) off limits for US law enforcement, but the Microsoft case was likely to go to the Supreme Court anyway. Hopefully, the court will rule in such a way that provides clarity not just in the Microsoft case but more broadly on this question.
via Register
Hacker Dumps iOS Cracking Tools Allegedly Stolen from Cellebrite – Motherboard (Feb 2, 2017)
Given that Apple argued precisely that security backdoors almost always make their way into the hands of evildoers, this news is great validation of Apple’s refusal to cooperate with the FBI early last year, even if it’s a private firm rather than the government that’s been hacked in this case. Indeed, that seems to have been the hacker’s motivation in this case. It’s also worrying from an Apple perspective that a provider like Cellebrite should have had such lax security that a hacker could breach its systems and access these tools, assuming the claims being made here are in fact legitimate.
via Motherboard
Introducing the New Privacy Basics – Facebook (Jan 26, 2017)
Facebook’s busy week for news continues. This update to Facebook’s privacy mini site is timed to coincide with Data Privacy Day later this week, but it’s a useful reminder of how far Facebook has come on privacy. Facebook has always had two distinct privacy issues. One is the same that affects all ad-based companies: gathering lots of information about users and using it to target advertising. The other, however, has always been more Facebook-specific, which is that users have often been unaware of how broadly their content was being shared with other users and potentially the general public. It’s come a long way on both points, but especially the latter one. The new Privacy Basics site has lots of information about how to exercise more control over how posts get shared and with whom, and Facebook has done a nice job here. The fact that there are 32 separate interactive guides is perhaps unintentionally funny – protecting your privacy on the service can still be a complex proposition – but at least Facebook is now effective at walking users through some of that complexity. And in general it now does much better at being transparent and reminding users about how they’re sharing, and most importantly seems to have stopped deliberately or merely carelessly getting users to share more broadly than they intend to.
via Facebook
Microsoft victory in overseas email seizure case is upheld – Reuters (Jan 24, 2017)
This was one of those rare cases where many of the big tech companies banded together to support one of their number on an issue of concern to all of them. The case concerns data held by Microsoft in a data center in Ireland but requested by US authorities investigating a crime (there’s a good summary of the case here). Microsoft and its pals have argued that this data should not be subject to US law enforcement requests because it resides outside the US, even though Microsoft is a US-headquartered company. Were the government’s argument to be upheld, data held anywhere by a US-based company could be obtained by the authorities in the US, regardless of whether the user has any ties to the US, which could dramatically impact tech companies’ ability to operate in overseas jurisdictions. That’s precisely why Microsoft has had the support of Apple, Amazon, and others, because the effects of upholding the government’s arguments here would be significant. This is a victory not just for Microsoft but the sector as a whole, and I would hope that the Supreme Court either refuses to hear the case or upholds the current verdict.
via Reuters
Google Privacy-Policy Change Faces New Scrutiny in EU – WSJ (Jan 24, 2017)
Europe continues to be the locus of a lot of regulatory effort aimed at paring back perceived privacy invasions by big US online advertising companies, notably Facebook and Google. In this case, Oracle is part of a coalition that seeks controls on Google’s tracking of user data, and the focus of the current complaint is the change Google made to its terms and conditions last June, pursuant to which it now combines data on its users across its various services and DoubleClick. No action has been taken yet by European regulators, so this is only a complaint by one of Google’s biggest foes at this point, but this area has proven a thorny one for Facebook already, and could yet become one for Google too.
via WSJ
Your real-world purchases will soon determine what ads you see on Snapchat – Mashable (Jan 19, 2017)
Here’s further evidence that Snap is evolving Snapchat’s advertising targeting capabilities, something it badly needs to do to ramp up ad spending ahead of a potential IPO. But that also means going back on some of the commitments Evan Spiegel has made in the past to avoid “creepy” targeting. The reality is that Snapchat has captured a nice little share of ad spending purely on the basis of having a great target market for a certain generation at a general level, but if it wants to capture more targeted advertising, it needs to provide the tools that Facebook, Google, and others already provide. That means buying in data from Oracle (as in this deal, and further to a previous deal with Oracle for measuring ROI) or other data collection houses (as Facebook already does) in order both to target advertising and to capture information about subsequent purchases to prove an ROI. Though Snapchat’s target market is generally more open to ad-based business models and the attendant privacy implications, there’s a point at which even millennials will balk, and Snap has to be careful not to cross that line.
via Your real-world purchases will soon determine what ads you see on Snapchat – Mashable
WhatsApp ‘enterprise’ platform for businesses already in app – Business Insider (Jan 12, 2017)
The reporting here is based on a Twitter account that claims to be looking into WhatsApp’s code to find hints about what the app’s future business features might look like. Facebook has already said it wants to take WhatsApp in a similar direction to Messenger, with more hooks for businesses to communicate with users manually and through bots, and these would appear to be early signs of that happening in practice. WhatsApp is a challenging property for Facebook in this respect, because it has always eschewed advertising, and anything that smacks of that direction will likely be poorly received by its users, so Facebook is going to have to tread even more carefully than usual as it pursues this strategy. On the other hand, Facebook didn’t spend $22 billion to buy WhatsApp just to shut off its only revenue stream – this was always inevitable.
via WhatsApp ‘enterprise’ platform for businesses already in app – Business Insider
Apple’s CareKit apps get enhanced security option – Mashable (Jan 11, 2017)
From the beginning, Apple has been extremely careful with its HealthKit developer tools, making some really granular choices about how data is shared (my favorite example is that developers can’t even query whether or not there is insulin data, because its presence would suggest diabetes). Now, CareKit is getting end-to-end encryption for better HIPAA compliance, through a partnership between Apple and a third party (here’s the official Apple announcement). We’re going to see lots more partnership work by Apple to solve some of the thornier problems relating to both HIPAA and FDA compliance as it gets deeper into healthcare.
via Apple’s CareKit apps get enhanced security option – Mashable
Microsoft tries to soothe regulators and critics with new privacy controls | ZDNet (Jan 10, 2017)
Microsoft has been rapped over the knuckles by regulators and attacked by privacy advocates over its data collection in Windows 10. Over-collection of data combined with lack of notification for users have to be the most common twosome in privacy abuses among tech companies. Tech companies often collect far too much data by default, and then fail to inform users what’s being collected or why. This change is a positive one, but I’d hope that Microsoft (and others) will learn from the backlash here and do better from the outset in future releases of Windows and other products.
via Microsoft tries to soothe regulators and critics with new privacy controls | ZDNet
Europe proposes expanding telco data privacy rules to WhatsApp, Facebook et al | TechCrunch (Jan 10, 2017)
Europe continues to take a harder line on privacy for online services, and is also finally caving to long-term pressure from telecoms operators to force online communications providers to comply with a more consistent regulatory framework. Both individual European countries and the EU have come down on Facebook recently for its attempted integration with WhatsApp following the merger, and the region is likely to continue to be more challenging for online providers operating there. This, in turn, may provide a small advantage for those providers that collect less user data and offer more protections by default.
via Europe proposes expanding telco data privacy rules to WhatsApp, Facebook et al | TechCrunch
The Verge 2016 tech report card: Apple – The Verge (Dec 29, 2016)
I’ve seen lots of this sort of thing as we approach the end of the year – quite a number of Apple observers seem to see 2016 as an off year for the company. And yet so much depends on how you few key innovations – yes, the Watch changed relatively little, but those features will please runners, swimmers and wheelchair users, and the price drops that accompanied them created new markets. The same can be said for many of the other changes. Apple news continues to be something of a Rohrschach test for observers.
via The Verge 2016 tech report card: Apple – The Verge
Yahoo’s Data Breaches Unlikely to Derail Verizon Deal – Bloomberg (Dec 27, 2016)
This is an interesting take on the repeated Yahoo breaches and the implications, and it goes along with my gut sense that people have very short memories when it comes to security and privacy breaches. There’s lots of outrage in the short term, but it blows over very quickly, as any Google Trends search relating to a major breach will tell you. The hits keep coming with Yahoo, but ultimately I expect Verizon’s acquisition will still go through.
via Yahoo’s Data Breaches Unlikely to Derail Verizon Deal – Bloomberg
Facebook Doesn’t Tell Users Everything It Really Knows About Them – ProPublica (Dec 27, 2016)
The headline doesn’t do the focus of the article justice – the point the article makes is that Facebook buys in offline data sources to supplement the data it collects itself, to create a fuller picture of its users when it comes to targeting ads. It isn’t transparent with its users about this, however, which some consumer advocacy groups find bothersome. The fact is, this data is gathered and used pervasively throughout the consumer marketing industry, but it’s a different flavor of data gathering and targeting from what we’re used to with Facebook.
via Facebook Doesn’t Tell Users Everything It Really Knows About Them – ProPublica
Amazon Echo and the Hot Tub Murder — The Information (Dec 27, 2016)
This is one of those nightmare stories that appears to validate lots of people’s concerns about having always-listening devices in the home. As always, the real story is less concerning – Amazon’s Echo doesn’t store everything it hears, just what follows the Alexa prompt. More broadly, however, home automation gear and the data it creates has been used in this case, and will be used in others – a good reminder that if you use services that create and store data, that data may become available to others too, whether hackers or law enforcement.
via Amazon Echo and the Hot Tub Murder — The Information
Uber explains why app appears to continue tracking your location; other apps affected too | 9to5Mac (Dec 23, 2016)
There was something of a fuss when Uber was found to have changed its location settings in its iOS app to always share the user’s location. It now appears the explanation is benign – it’s the app’s Maps extension that’s to blame. But the fact that the issue blew up at all is an indication of skepticism about Uber’s privacy protections, especially given repeated stories about employees accessing user data in illegitimate ways.
via Uber explains why app appears to continue tracking your location; other apps affected too | 9to5Mac