Content Type: Examples
In announcing a data breach in 2018, at first Facebook said 50 million people's data had been accessed, then 30 million - but the data accessed was more sensitive than they thought at first. After investigation, the company explained that it had identified four stages of attack with a different group of victims affected in each one. The attackers used an automated technique to move from the first small group of accounts they controlled to others, stealing access tokens of friends and friends of…
Content Type: Examples
In July 2018 the UK's Information Commissioner's Office announced it would fine Facebook £500,000, the maximum under the 1998 data protection law, for failing to safeguard its users' information and lacking transparency about how the data was harvested and used by others, specifically Cambridge Analytica. Under the new General Data Protection Regulation, Information Commissioner Elizabeth Denham said the fine would have been much higher. The inquiry that led to the fine also led the ICO to send…
Content Type: Examples
In August 2018, Facebook announced it would remove more than 5,000 ad targeting options in order to prevent discrimination. Options specifying the exclusion of people interested in "Passover", "Native American culture", or "Islam" could be used as proxies to allow advertisers to exclude ethnic and religious groups in contravention of the law. The announcement came shortly after the US Department of Housing and Urban Development filed a complaint alleging that the company had enabled…
Content Type: Examples
In July 2018, members of the Internal Security Organisation, Uganda's counterintelligence agency, raided South African telecommunications provider MTN's Uganda data centre in Mutundwe. In a letter to the police, MTN said the ISO kidnapped a data manager who worked for the contractor that ran the data centre on MTN's behalf, Huawei Technologies. Moses Keefah Musasizi was taken to the ISO head office in Nakasero and held for four hours before being forced to grant access to the data centre and…
Content Type: Examples
The internet provides employers with the opportunity to learn an unprecedented amount about prospective employees by searching social media feeds and other postings. By 2018, DeepSense was taking this a step further by analysing individuals' Twitter feeds to predict their personality and employment viability. A journalist trying the service learned that he was "47% anxious", with a "low" potential for stability, and will "run out of patience with lack of achievement or direction". While the…
Content Type: Examples
In 2018 industry insiders revealed that the gambling industry was increasingly turning to data analytics and AI to personalise their services and predict and manipulate consumer response in order to keep gamblers hooked. Based on profiles assembled by examining every click, page view, and transaction and incorporating data purchased from third-party sources, gambling operators push customised ads through Google, Facebook, and other platforms. There are also plans to geolocate customers arriving…
Content Type: Examples
Although the US rejected a "National Data Center" approach in 1966, eventually instead passing the 1974 Privacy Act, in 2018 the House of Representatives proposed a national database of all 40 million recipients of benefits under the Supplemental Nutrition Assistance Program (SNAP, formerly known as "food stamps"). The proposed legislation assigned the creation of the database to the Department of Agriculture, with help from private vendors, and would collect Social Security numbers, birthdates…
Content Type: Examples
Three months after the 2018 discovery that Google was working on Project Maven, a military pilot program intended to speed up analysis of drone footage by automating classification of images of people and objects, dozens of Google employees resigned in protest. Among their complaints: Google executives' decreasing transparency and attention to workers' objections; that Google's move could damage user trust; and ethical concerns over using algorithms in this potentially lethal work and Google's…
Content Type: Examples
Rising suspicion of benefits claimants in the UK led by 2018 to the Department of Work and Pensions' adoption of numerous surveillance tactics, including using social media postings, gym memberships, airport footage, and surveillance video from public buildings including supermarkets, to build cases against claimants. Rates of attempted suicide doubled for disabled claimants between 2007 and 2014, and TV programmes promoting the idea of "lazy skivers" have led to an increase in hate crimes…
Content Type: Examples
During 2018, when US president Donald Trump operated a policy under which immigration officers separated families arriving at the border without documentation, there were a number of suggestions for using genetic testing to verify family relationships in the interests of reuniting them. After congresswoman Jackie Speier (D-CA) suggested that companies like the genetic testing service 23andMe could help, the US Department of Health and Human Services announced it would conduct its own tests. In…
Content Type: Examples
In July 2018 Walmart filed a patent on a system of sensors that would gather conversations between cashiers and customers, the rattle of bags, and other audio data to monitor employee performance. Earlier in 2018, Amazon was awarded a patent on a wristband that would monitor and guide workers in processing items. UPS uses sensors to monitor whether its drivers are wearing seatbelts and when they open and close truck doors. All these examples, along with others such as technology that allows…
Content Type: Examples
The 2017 hack of the shipping company A.P. Møller-Maersk, which manages 800 seafaring vessels and 76 ports that handle nearly a fifth of the world's shipping capacity, required an emergency shutdown of the company's entire IT system, including its phones. Maersk was a victim of NotPetya, the most vicious cyberweapon released to date, created by a group of Russian military hackers and intended to hit the Ukraine, where it hit hospitals, power companies, airports, government agencies, banks, and…
Content Type: Examples
In 2018, the Paris prosecutor's office opened a preliminary inquiry after the lawyer Pierre Farge accused a Bercy specialist intelligence branch of the tax authorities of hacking his firm's database to access information covered by professional confidentiality. The case serves to illustrate the difficulties of launching such a challenge in France, and also the functioning of the tax administration even after the passage of a 2017 law protecting whistleblowers.
https://www.lelanceur.fr/…
Content Type: Examples
In late 2018, after apps like Strava and Polar Flow exposed the movements of staff around military bases, the US Department of Defense banned military troops and other workers at sensitive sites from using fitness trackers and other apps that could reveal their users' location. Military leaders will have discretion over whether local staff can use GPS, and the devices themselves - smartwatches, tablets, phones, and fitness trackers - are not banned.
https://www.forbes.com/sites/emmawoollacott/…
Content Type: Examples
At the 2018 DefCon security conference, a researcher from the security firm Nuix presented the discovery that body cameras from five different manufacturers whose cameras are in use by US law enforcement are vulnerable to remote digital attacks, some of which could manipulate footage so it could not be trusted as an accurate record of events. Vulnerabilities in devices from Vievu, Patrol Eyes, Fire Cam, and CeeSc allowed Josh Mitchell to delete footage from a camera or download it, edit or…
Content Type: Examples
In 2018, documents filed in a court case showed that a few days before the 2017 inauguration of US president Donald Trump - timing that may have been a coincidence - two Romanian hackers took over 123 of the police department's 187 surveillance cameras in Washington, DC with the intention of using police computers to email ransomware to more than 179,000 accounts. The prosecution also said the alleged hackers had stolen banking credentials and passwords and could have used police computers to…
Content Type: Examples
As the use of non-cash payment mechanisms continued to increase over the course of 2018, Europe's central banks began warning that phasing out cash poses a serious threat to the financial system, as too-heavy reliance on digital payments exposes countries to the potential for catastrophic failure due to IT failures, energy blackouts, and hacker attacks. In addition, regulators warned that a cashless world alienates vulnerable members of society such as elderly and disabled people. The level of…
Content Type: Examples
A 2016 Privacy International report on Syrian state surveillance found that between 2007 and 2012 the Assad regime spent millions of dollars on building a nationwide communications monitoring system. By 2012, this surveillance capability helped the Syrian government target and murder journalists, including American Sunday Times reporter Marie Colvin and French photographer Rémi Ochlik in 2012, both covering the war. In 2018, the Colvin family filed a video of the journalists' final moments…
Content Type: Examples
Police and blackmailers in Egypt are using gay dating apps like Grindr, Hornet, and Growlr to find targets for arrest and imprisonment while the developers who can make changes are thousands of miles away and struggle to know what to change to protect their users. In a typical story, a target finds a friendly stranger on a gay dating site, and only finds out when they eventually meet that the contact has been building a debauchery case. Homosexuality is not illegal in Egypt, but the el-Sisi…
Content Type: Examples
In December 2014 researchers at Malwarebytes discovered that for two months an Adobe Flash player zero-day exploit with a ransomware payload was embedded in online ads placed by a leading advertising network. The attack ended when Adobe patched Flash to close the vulnerability on February 2, 2015. The attackers injected the malware-carrying ads onto the websites of Dailymotion, Huffington Post, Answers.com, New York Daily News, HowtoGeek.com, and others for an average of two days each. The…
Content Type: Examples
In a talk at the 2018 Wall Street Journal CEO Council Conference, Darktrace CEO Nicole Eagan gave as an example of the new opportunities afforded by the Internet of Things a case in which attackers used a thermometer in a lobby aquarium to gain a foothold in a casino's network and exfiltrate the high-roller database. Regulation will be required to set minimum security standards.
https://www.businessinsider.de/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4…
Content Type: Examples
For years, car manufacturers including Range Rover, BMW, and Volkswagen kept secret security risks in their vehicles' keyless entry systems that exposed hundreds of millions of car owners to the risk of theft from attackers using gadgets available online for £100. In March 2018, Range Rovers were fitted with preventive technology, but the manufacturers chose not to disclose that older models remained at risk. In the past Volkswagen sued to prevent a security researcher from publishing his…
Content Type: Examples
The US company Securus provides a cellphone tracking service that can locate almost any cellphone in the US within seconds by obtaining data from major carriers via a system used by marketers and other companies. In 2018, former Mississippi County, Missouri, sheriff Cory Hutcheson was charged in state and federal courts for using the service to track people's phones, including those of other police officers, without court orders. Securus, which also provides and monitors calls to inmates in…
Content Type: News & Analysis
European leaders met last week in Brussels to discuss what are supposed to be two separate issues, the next trillion euro-plus budget and migration. In truth, no such separation exists: driven by nationalists and a political mainstream unable to offer any alternative but to implement their ideas, the next budget is in fact all about migration.
This strategy contained within the budget will get the approval of Hillary Clinton, who recently told the Guardian that ‘Europe needs to get a handle on…
Content Type: Examples
In 2018, a South Carolina woman realised her FREDI video baby monitor had been hacked when the camera began panning across the room to the spot where she breastfed her son. A 2015 study conducted by Rapid7 found that baby monitors have a number of vulnerabilities that are both easily exploited and long-ago solved for modern computers. Consumers eager to avoid these problems should either avoid buying monitors with internet connections or look for manufacturers that are known to fix security…
Content Type: Examples
In June 2018, after privacy activists found security flaws in toys such as My Friend Cayla and others and the US Consumer Product Safety Commission opened an investigation into the problems of connected gadgets, Amazon, Walmart, and Target announced they would stop selling CloudPets. Made by Spiral Toys, CloudPets uses voice recordings, an internet connection, and a Bluetooth-connected app. In 2017, hackers were able to access and hold for ransom CloudPets' database, including email addresses…
Content Type: Examples
In 2018, military security officers from the Israeli Defence Force accused Hamas of loading fake World Cup and dating apps with malware and making them available via the Israeli version of the Google Play store in order to hack the mobile phones of Israeli soldiers. The apps were capable of accessing locations, copying contacts, files, and photographs, and taking control of camera and microphone. The World Cup app offered HD live-streamed matches and updates. The IDF added that about 100…
Content Type: News & Analysis
Over one month ago, Privacy International filed complaints concerning seven data brokers, ad-tech companies, and credit referencing agencies with data protection authorities across Europe. The companies named in the complaints are Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, and Tapad.
The submissions set out the myriad of ways in which these companies fall short of what is required by data protection laws in the European Union and called on the data protection authorities to…
Content Type: Case Study
The exclusion caused by ID can have a devastating effect on people, limiting their opportunities and ability to survive.
Names have been changed.
Carolina is in a more privileged position than many other migrants, she admits that. She has a formal job, for one. She is – and has always been – in Chile legally: her previous visa has expired, and her new one is being processed. Under the law, she is permitted to stay and work in the country while this is happening. But she is finding the…
Content Type: Case Study
Photo credit: Douglas Fernandes
The exclusion caused by ID can have a devastating effect on people, limiting their opportunities and ability to survive. In September 2018, Privacy International interviewed people in Santiago, Chile who had faced problems from the Chilean ID system, known as the RUT. Names have been changed.
It was never going to be easy for Liliana, entering Chile without a visa. But, in Chile, the ID system – known as the RUT – is ubiquitous; without one, as she would…