5 min read

ICYMI: Aug 16 - Aug 22

ICYMI: Aug 16 - Aug 22

ICYMI is posted every Monday recapping privacy news over the last week from around the web.

Illinois Bought Invasive Phone Location Data From Banned Broker Safegraph

The Illinois Department of Transportation (IDOT) purchased access to precise geolocation data about over 40% of the state’s population from Safegraph, the controversial data broker recently banned from Google’s app store. The details of this transaction are described in publicly-available documents obtained by EFF.

In an agreement signed in January 2019, IDOT paid $49,500 for access to two years’ worth of raw location data. The dataset consisted of over 50 million “pings” per day from over 5 million monthly-active users. Each data point contained precise latitude and longitude, a timestamp, a device type, and a so-called “anonymized” device identifier.

Another reminder that location should always be turned off when not in use and denied on any applications and services where it's not mandatory for it to work (e.g. mapping/GPS apps).

Remember, there's no such thing as anonymized data.

Senators challenge TikTok’s ‘alarming’ plan to collect users’ voice and face biometrics

In a letter sent earlier this month addressed to TikTok CEO Shou Zi Chew, Sens. Amy Klobuchar (D-MN) and John Thune, (R-SD) say they are “alarmed” by the recent change to TikTok’s privacy policy, which allows the company to “automatically collect biometric data, including certain physical and behavioral characteristics from video content posted by its users.”

TechCrunch first reported details of the new privacy policy back in June, when TikTok said it will seek “required permissions” to collect “faceprints and voiceprints” where required by law, but failed to elaborate on whether it’s considering federal law, states laws or both (only a handful of U.S. states have biometric privacy laws, including Illinois, Washington, California, Texas and New York).

That's some awfully invasive data for an app where you just watch video shorts. Good to see conversation has started about the legitimacy of collecting this type of information.

No need to swap data for drinks, says privacy body

"I think it's too easy to upload an app and straight away put your name, email address, payment details in, without actually understanding fully where that information may be shared and why it's being used," said Suzanne Gordon, director of data protection at the ICO.

"Ultimately this is your data, it's your personal information and you need to be confident when you're handing it over and the reasons why."
"Customers need to understand they do have a choice. We're now coming out of the pandemic and there's the ability to order on the app or in the more traditional way," said Ms Gordon.

"I think it is very easy for people just to see the end product, and because they want that, they really don't question the amount of data that they are being asked for," she added.

The last line sums up the core issue with data collection and privacy.  People just want what they want with no regard for privacy or anything else, really.

Chase bank accidentally leaked customer info to other customers

Personal details of Chase bank customers including statements, transaction list, names, and account numbers were potentially exposed to other Chase banking members.

The issue is believed to have lasted between May 24th and July 14th this year, and impacted both online banking and Chase Mobile app customers who shared similar information.

There's a new breach almost every day exposing virtually everything about us and there's no real way to stop the exposure for some of these things.

Google says geofence warrants make up one-quarter of all US demands

The figures, published Thursday, reveal that Google has received thousands of geofence warrants each quarter since 2018, and at times accounted for about one-quarter of all U.S. warrants that Google receives. The data shows that the vast majority of geofence warrants are obtained by local and state authorities, with federal law enforcement accounting for just 4% of all geofence warrants served on the technology giant.

According to the data, Google received 982 geofence warrants in 2018, 8,396 in 2019 and 11,554 in 2020. But the figures only provide a small glimpse into the volume of warrants received and did not break down how often it pushes back on overly broad requests.

These are becoming more common each year. Make sure you don't happen to be in the wrong place at the wrong time.

China passes sweeping data privacy law, stinging tech stocks again

The Personal Information Protection Law — which was approved Friday by the Standing Committee of the National People's Congress, and which will take effect November 1 — prohibits "illegally collecting, using, processing, transmitting, disclosing and trading people's personal information," according to state-run Xinhua News Agency.

You know big tech isn't in the game to serve its users when their stock falls on the news of China curtailing data collection and surviellance.

T-Mobile data breach just got worse — now at 54 million customers

The hacker said that the stolen database contains the data for approximately 100 million T-Mobile customers. The exposed data can include customers' IMSI, IMEI, phone numbers, customer names, security PINs, Social Security numbers, driver's license numbers, and date of birth.

The hackers said the database was stolen approximately two weeks ago and contains customer data from as far back as 2004.
On August 17th, T-Mobile first disclosed a summary of their investigation into their hacked servers and said that the personal information of 48.6 million individuals was exposed during the attack.

Today, T-Mobile has updated its advisory to include an additional 6 million customers or prospective customers affected by the attack.

As it stands today, the attack affected 54.6 million individuals, which is broken down below.
13.1 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information.
40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information.
667,000 accounts of former T- Mobile customers exposing customer names, phone numbers, addresses and dates of birth compromised.
850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed.
52,000 names related to current Metro by T-Mobile accounts may have been included.

This is why prepaid service with an alias name is critical.  It's not a matter of if your information is going to be leaked anymore, it's a matter of when. Take a look over here if you want to know more about how you should set up your cell service.

Exclusive: Hacker Selling Private Data Allegedly from 70 Million AT&T Customers

Hot on the heels of a massive data breach with T Mobile earlier this week, AT&T now appears to be in the spotlight. A well-known threat actor in the underground hacking scene is claiming to have private data from 70 million AT&T customers.
While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid. Here is the data that is available in this leak:
Phone number
Physical address
Email address
Social security number
Date of birth

Nobody is safe from their data being exposed.  Again, check out this post on how you should set up cell service.