ICYMI: Aug 31 - Sept 6

ICYMI is posted every Monday recapping privacy news over the last week from around the web.

Mozilla research: Browsing histories are unique enough to reliably identify users

Their findings show that most users have unique web browsing habits that allow online advertisers to create accurate profiles.

These profiles can then be used to track and re-identify users across different sets of user data that contain even small samples of a user's browsing history.

In total, the Mozilla team said it collected data about 35 million website visits to 660,000 unique domains. And this access to better quality data was immediately reflected in the study's findings.

Mozilla said that 99% of the browsing profiles they collected for the study were unique to each user.

This uniqueness allowed Mozilla researchers to easily re-identify users during the second week of the study.

Here's a link to the paper itself: PDF
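To make the re-identification risk concrete, here is a small added illustration; it is not code from the Mozilla paper or the article, and it does not reproduce their method. It builds a synthetic population in which every user has a set of "habit" domains, samples two separate weeks of visits (plus random noise) from those habits, and then tries to match each week-2 history back to a week-1 profile using Jaccard similarity of the visited-domain sets. Users, domains, sample sizes and noise rates are all constructed for the example.

```python
"""
Added illustration of browsing-history re-identification (not from the
Mozilla study). Everything below is synthetic: the domain pool, the users,
and their histories are constructed for this example only.
"""
import random

# Constructed pool of placeholder domains (not real sites from the study).
DOMAIN_POOL = [f"site{i}.example" for i in range(1000)]


def make_user_habits(rng, n_users=200, habit_size=30):
    """Give each synthetic user a stable list of domains they revisit."""
    return {f"user{u}": rng.sample(DOMAIN_POOL, habit_size) for u in range(n_users)}


def sample_history(rng, habits, n_visits, noise=0.2):
    """One week of visits: mostly habit domains, a fraction of random noise."""
    visits = set()
    for _ in range(n_visits):
        if rng.random() < noise:
            visits.add(rng.choice(DOMAIN_POOL))   # one-off visit anywhere
        else:
            visits.add(rng.choice(habits))        # a habitual site
    return visits


def jaccard(a, b):
    """Set similarity: |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def reidentify(profiles, histories):
    """Match every unlabeled history to the most similar known profile."""
    return {
        uid: max(profiles, key=lambda cand: jaccard(hist, profiles[cand]))
        for uid, hist in histories.items()
    }


def run_experiment(n_visits=40, n_users=200, seed=1):
    """Fraction of users correctly re-identified from week 1 to week 2."""
    rng = random.Random(seed)
    habits = make_user_habits(rng, n_users)
    # Week 1 is the "known" profile set; week 2 is the data being matched.
    week1 = {u: sample_history(rng, h, n_visits) for u, h in habits.items()}
    week2 = {u: sample_history(rng, h, n_visits) for u, h in habits.items()}
    matches = reidentify(week1, week2)
    correct = sum(1 for u, m in matches.items() if u == m)
    return correct / n_users


if __name__ == "__main__":
    for n in (40, 15):
        rate = run_experiment(n_visits=n)
        print(f"{n} distinct-ish visits per week: re-identified {rate:.0%} of users")
```

Even the short 15-visit histories match back to the right profile far more often than the 1-in-200 chance rate, which is the point the study makes: a few dozen domains is already an identifier, so any dataset that carries browsing history should be treated as personal data even when names and account IDs have been stripped.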

Inside Amazon’s Secret Program to Spy On Workers’ Private Facebook Groups

According to the files left online, Amazon corporate employees are getting regular reports about the social media posts of its Flex drivers on nominally private pages, and are using these reports to diagnose problems as well as monitor, for example, drivers "planning for any strike or protest against Amazon." The reports have the full names and posts of drivers who post anything noteworthy in one of dozens of closed driver Facebook pages, intended for use by Flex Drivers. Here is an example of a report that was redacted by Motherboard.

Among the files left online is a document called “social media monitoring” that lists closed Amazon Flex Driver Facebook groups and websites across the world, as well as open Flex driver Subreddits, and the Twitter keyword "Amazon Flex." Forty three of the Facebook groups are run by drivers in different cities in the United States.

Social media is never as private as we think.  Be careful what you say online.

Apple to Delay iOS Change Roiling Mobile Ad Market

Just last week, Facebook and other major publishers heavily criticized Apple over the upcoming privacy changes in iOS 14 that are expected to cut down on mobile ad revenue. Now a new report from The Information says that Apple is planning to delay the new app and website tracking feature.

Update: Apple has confirmed the delay to The Information’s Alex Heath, including the detail that it plans to launch the privacy feature “early next year” along with a brief statement on why it made the decision. Here’s Apple’s full statement via Alex:

“We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year.”

Easily one of the most important features in the iOS 14 update is being delayed to 2021. Really disappointing.

Feds can’t ask Google for every phone in a 100-meter radius, court says

Federal courts in the Chicago area have three times rejected government applications for warrants to force Google to produce a list of smartphones near two particular commercial establishments during one of three 45-minute intervals. The most recent ruling was handed down last week and was recently made public.

The decisions are significant because Google has reported massive growth in law enforcement use of such "geofence" searches. Google says there was a 1,500-percent increase between 2017 and 2018 and a further 600-percent jump from 2018 to 2019. That's a hundredfold increase in two years. Google received 180 geofence search requests a week during 2019, according to CNet.

Some good news. This is the first step to stopping this practice altogether.

Threema Goes Open Source, Welcomes New Partner

Within the next months, the Threema apps will become fully open source, supporting reproducible builds.

Reproducible builds are a big deal for transparency and privacy. Really great news for one of the best privacy-focused messaging platforms available.

Online marketing company exposes 38+ million US citizen records

The publicly available Amazon S3 bucket contained 5,302 files, including:

700 statement of work documents for targeted email and direct mail advertising campaigns stored in PDF files

59 CSV and XLS files that contained 38,765,297 records of US citizens in total, of which 23,511,441 records were unique

The user record files were created based on locations and ZIP codes that the marketing company’s campaigns were targeting and contained full names, addresses, zip codes, emails, and phone numbers of people based in the US.

Aside from the statement of work documents and user records, the bucket contained thousands of files for various marketing materials, such as banner advertisements, newsletters, and promotional flyers.

[...] Even though the files in the unsecured Amazon S3 bucket do not contain deeply sensitive personal information such as social security or credit card numbers, cybercriminals can use the personal details in the database for a variety of malicious purposes:

Scammers can use the names, email addresses, and phone numbers of the exposed people for a wide variety of fraudulent schemes

Simple contact details can be enough for spammers and phishers to launch targeted attacks against 38+ million exposed Americans from multiple angles, such as robocalls, text messages, emails, and social engineering campaigns

Determined cybercriminals can combine the data found in this bucket with other data breaches to build profiles of potential targets for identity theft

These types of leaks and breaches happen on almost a weekly basis, with our information free-flowing into the waiting arms of the internet around us. The first part talks about the breach, and the second quote block lists a few of the privacy implications of your information being out in the open.

Court rules NSA phone snooping illegal — after 7-year delay

The National Security Agency program that swept up details on billions of Americans' phone calls was illegal and possibly unconstitutional, a federal appeals court ruled Wednesday.

The NSA ended mass phone data collection back in 2015 and shut down the system that analyzed all of our data in 2019. This may be a day late but not quite a dollar short. Getting it on record that it's illegal and potentially unconstitutional is still a win.

Private Intel Firm Buys Location Data to Track People to their 'Doorstep'

A threat intelligence firm called HYAS, a private company that tries to prevent or investigates hacks against its clients, is buying location data harvested from ordinary apps installed on peoples' phones around the world, and using it to unmask hackers. The company is a business, not a law enforcement agency, and claims to be able to track people to their "doorstep."

[...] On its website, HYAS claims to have some Fortune 25 companies, large tech firms, as well as law enforcement and intelligence agencies as clients.

Fortune 25 companies, tech firms, and law enforcement. You couldn't ask for a better group of companies to have a bunch of your personal information.

Want to join the discussion?  Check out this post, and others, over at the CupWire subreddit and leave a comment.