Content Type: Examples
In 2018, the Chinese Communist Party's anti-corruption watchdog in southeastern Hefei in Anhui province claimed in a social media post that its branch in a neighbouring city had retrieved deleted messages from a suspect's WeChat account. Tencent, WeChat's operator, denied that the company stored or performed data analytics on users' chat histories, and said that histories and messages were only stored on users' own phones and computers. The watchdog went on to question numerous suspects;…
Content Type: Examples
In what appears to be an extension of China's tracking of its Muslim citizens, 3,300 of the 11,500 Chinese pilgrims joining the 2018 hajj to Mecca were outfitted with GPS trackers. When photos were shown of the first group preparing to depart wearing trackers around their necks, the state-run Chinese Islamic Association claimed it was to make the trip safer for them. Each device reportedly contains a QR code connected to an app that reveals the wearer's picture, passport number, address, and…
Content Type: Examples
In 2018 genetic testing companies such as Ancestry and 23andMe agreed on guidelines for sharing users' DNA data and handling police requests. The guidelines, which include easy-to-read privacy policies, were inspired by two incidents: one in which local investigators used the GEDmatch DNA comparison service to identify a suspect in the Golden State Killer case, and the other 23andMe's announcement that in return for a $300 million investment it would grant GlaxoSmithKline access to "de-…
Content Type: Examples
In internet scans conducted between August 2016 and August 2018, Canada's Citizen Lab identified a total of 45 countries in which operators of Israel-based NSO Group's Pegasus spyware may be conducting surveillance operations. Pegasus is mobile phone spyware that targets are coerced into installing via a carefully constructed phishing attack; clicking on the exploit link installs the spyware without the user's knowledge or permission and bypasses the phone's security protections to send the…
Content Type: Examples
In 2018 a report from the Royal United Services Institute found that UK police were testing automated facial recognition, crime location prediction, and decision-making systems but offering little transparency in evaluating them. An automated facial recognition system trialled by the South Wales Police incorrectly identified 2,279 of 2,470 potential matches. In London, where the Metropolitan Police used facial recognition systems at the Notting Hill Carnival, in 2017 the system was wrong 98% of…
Content Type: Examples
In September 2018 the UK's Information Commissioner found that it was likely that during 2017 a number of migrant rough sleepers were reported to the Home Office enforcement teams by the homelessness charity St. Mungo's. The finding followed a complaint from the Public Interest Law Unit. The charity claimed it passed on these details when people wanted to return home. The Home Office halted its policy of deporting migrant rough sleepers in December 2017 and the government was to pay hundreds of…
Content Type: Examples
Following a 2016 hack that exposed the names, emails, addresses, and phone numbers of 57 million Uber users and drivers, the company paid 100,000 USD to the hackers in the hope that the collected data would be deleted. This decision was in line with Uber's strategy of trying to keep the breach quiet while limiting potential abuses. The company said it believed the data had not been used, without being able to provide any proof. The hack itself was conducted through GitHub private repositories that the…
Content Type: Impact Case Study
What Happened
On 5 June 2013, The Guardian published the first in a series of documents disclosed by Edward Snowden, a whistleblower who had worked with the NSA. The documents revealed wide-ranging mass surveillance programs conducted by the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ), which capture the communications and data of hundreds of millions of people around the world. In addition to revealing the mass surveillance programs of the…
Content Type: Advocacy
Since 2014 the Indonesian Ministry of Communication and Informatics (MOCI) has been proposing that the Parliament pass a comprehensive data protection law. A first draft data protection law was issued by the Government for public comment in 2015 but no progress was made, and then in early 2018 the Indonesian Government issued a new draft personal data protection law.
While these renewed efforts have positive intentions, a number of concerns ought to be addressed with the aim of…
Content Type: Advocacy
In September 2018, the National Executive sent the proposed Data Protection Bill to the National Congress. The proposed law was directed to the Senate, where it will be considered by two commissions: the Commission of Constitutional Affairs (Comisión de Asuntos Constitucionales) and the Commission of Rights and Guarantees (Comisión de Derechos y Garantías).
Privacy International welcomes the continued efforts by Argentina to provide protections for the right to privacy, already enshrined in the…
Content Type: Examples
At the end of September 2018, the sales intelligence company and data aggregator Apollo notified its customers that over the summer Vinny Troia, the founder of Night Lion Security, had discovered that Apollo's database of 212 million contact listings and 9 billion data points relating to companies and organisations was freely accessible via the web. Apollo noted that it collects a lot of its information from public sources around the web; however, it scrapes Twitter and LinkedIn profiles for…
Content Type: Examples
In 2014, a team of four Swedish and Polish researchers began scraping every comment and interaction from 160 public Facebook pages. By two years later, they had collected one of the largest sets of user data ever assembled from the social network; it enabled them to track the behaviour of 368 million members. Techniques like those the researchers used have been used by scholars around the world for a decade to compile hundreds of Facebook data sets of all sizes. Many have been used for research…
Content Type: Examples
In July 2018, attackers broke into the SingHealth Singaporean government health database and stole names, addresses, and various other details of 1.5 million people who visited clinics between May 1, 2015 and July 4, 2018; however, the attackers did not gain access to most medical records with the exception of outpatient prescription medication data relating to about 160,000 patients including Singapore Prime Minister Lee Hsien Loong and several ministers. The government said none of the…
Content Type: Examples
In June 2018, security researchers found that Google's smart speaker and home assistant, Google Home, and its Chromecast streaming device could be made to leak highly accurate location information because they failed to require authentication from other machines on their local network. The attack worked by requesting a list of nearby wireless networks from the Google device and sending that list on to Google's geolocation lookup service, whose map of wireless network names around the world is…
Content Type: Examples
In July 2018, a hacker attack exposed the personal data of millions of Spanish subscribers to Telefónica's Movistar service. The data included identity and payment information, phone and national ID numbers, banks, and calling data. The cause was a basic programming error known as an "enumeration bug" that allowed anyone logged into one account to alter the ID number inside the URL and view others' data. It was not clear whether the data had been exploited. However, Telefónica's CEO suggested that the…
Content Type: Examples
In June 2018, security researcher Vinny Troia discovered that the Florida-based data broker Exactis had exposed a comprehensive database containing nearly 340 million individual records on a publicly accessible server. The 2TB of data appeared to include detailed information on millions of businesses as well as hundreds of millions of American adults that included as many as 400 highly personal characteristics, including number, age, and gender of children, as well as phone numbers and home and…
Content Type: Examples
Between May 18 and May 22, a bug in Facebook's system changed the settings on 14 million users' accounts so that newly posted updates they thought were private might have been made public instead. The company attributed the error to a mistake made in redesigning how the public parts of user profiles are displayed. After Facebook found the bug, it was another five days before all privacy settings were correctly restored.
https://www.washingtonpost.com/news/the-switch/wp/2018/…
Content Type: Examples
In July 2018, the leader of a private Facebook group for women with the BRCA gene, which is associated with high breast cancer risk, discovered that a Chrome plug-in was allowing marketers to harvest group members' names and other information. The group was concerned that exposure might lead to other privacy violations and discrimination from insurers. The company shut down the extension and closed the loophole. The case is of particular concern because the US Health Insurance Portability and…
Content Type: Examples
As part of an ongoing hacker vendetta against surveillance apps installed by abusive partners, in July 2018 a hacker targeted SpyHuman, an India-based company that offers software that monitors Android devices, claiming the software should be taken off the market. Once someone gains physical access to a device and installs the software, SpyHuman's app will intercept phone calls and messages, track GPS locations, read social media messages, and even turn on the device's microphone. The collected…
Content Type: Examples
In May 2018, UK-based security researcher Robert Wiggins discovered that the mobile app TeenSafe, marketed as a secure app for iOS and Android, was storing data it collected on servers hosted on Amazon's cloud without a password and openly accessible. The app lets parents monitor their children's text messages, location, browsing history, and apps, as well as who they called and when, and does not require parents to obtain their children's consent. The insecurely stored 10,200 records included…
Content Type: Examples
The US Securities and Exchange Commission announced in April 2018 that it would fine Altaba, formerly known as Yahoo, $35 million for failing to disclose its massive 2014 data breach. Yahoo did not notify the hundreds of millions of customers until the end of 2016, when it was closing its acquisition by Verizon, even though the SEC found that the company knew within days that Russian hackers had stolen their user names, email addresses, phone numbers, birth dates, encrypted passwords, and the…
Content Type: Examples
In July 2018, researchers at the London-based security and mobile commerce firm Upstream Systems found that millions of cheap smartphones sold in developing countries lacking privacy protections come with pre-installed apps that harvest users' data for the purpose of targeting advertising and that can only be removed with difficulty. One such app, which Singtech includes on the thousands of smartphones it sells in Myanmar and Cambodia, as well as others sold in Brazil or made by Indian and…
Content Type: Examples
In November 2016, the security contractor Kryptowire discovered that cheap Chinese Android phones often include pre-installed software that monitors users' locations, messaging, and contacts, and sends the gathered information to China every 72 hours. Shanghai Adups Technology Company, the Chinese firm responsible for the software, said its code had been installed on more than 700 million phones, cars, and other devices without informing users, but that it was not intended for American phones.…
Content Type: Examples
By July 2018, ten-year-old Twitter had become such a frequent data resource for social scientists that estimates were that anyone who tweeted publicly on the service was part of a dataset somewhere. The ease and low cost of using Twitter have enabled studies such as analysing bot behaviour during the 2016 US presidential election; studying how people around the globe cope with crises; and tracking geographic health differences. Between 2007 and 2012, scientists collected and analysed at least…
Content Type: Examples
In July 2018, a group of researchers at Northwestern University published the results of two years of studying the collaboration behaviour of tens of thousands of scientists. A controversy rapidly sprang up about the method they used: they had been given access to project folder-related data by the cloud storage company Dropbox. The data was aggregated and anonymised before being handed to researchers. However, customers' consent was not asked; instead, Dropbox relied on their acceptance of its…
Content Type: Examples
In September 2018, the GuardianApp group of security researchers discovered that dozens of popular news, weather, and fitness iPhone apps that require access to location data sell the data they collect to companies engaged in businesses such as ad targeting. The group found apps such as ASKfm, NOAA Weather Radar, and Photobucket collecting location information and that the data is being sent to companies such as Reveal, Sense360, Cuebiq, Teemo, Mobiquity, and Fysical, who said customers can opt…
Content Type: Examples
In its May 2018 quarterly filing with the Securities and Exchange Commission, Equifax provided its most detailed analysis to date of the company's 2017 data breach. In the US, nearly 147 million people had their names, dates of birth, and/or Social Security numbers stolen; address information was taken for 99 million. In addition, 209,000 payment cards and expiration dates and 97,500 tax IDs were stolen. Besides the information stored in its databases, the attackers accessed thousands of images…
Content Type: Examples
In March 2018, Trever Faden, the CEO of a property management startup, exposed a flaw in the gay-dating app Grindr that opened access to the location data and other information about its more than 3 million daily users. A website Faden set up allowed Grindr users to see who was blocking them after entering their Grindr name and password. Providing that information, however, also gave Faden access to user data that is not accessible via user profiles, including unread messages, email addresses,…
Content Type: Examples
In April 2018, a researcher at Norway's SINTEF found that the gay-dating app Grindr was sending its 3.6 million users' HIV status and last tested date along with their GPS data, phone ID, and email to two app-optimising companies, Apptimize and Localytics. SINTEF also found that the company was sharing precise GPS position and other information such as "tribe", sexuality, relationship status, and ethnicity with third-party advertising companies, sometimes unencrypted. Grindr said it pays…
Content Type: Examples
In September 2018, security researcher Patrick Wardle found that Adware Doctor, the top-selling paid utilities app in the US Mac App Store, was exfiltrating the browser history of anyone who downloaded it and sending it to a developer. Adware Doctor is intended to protect browsers against adware. A month after Wardle notified Apple, the app remained in the store; it and the same developer's AdBlock Master were removed shortly after TechCrunch published his findings.
https://www.macrumors.com/…