ICYMI: July 20 - July 26

ICYMI is posted every Monday recapping privacy news over the last week from around the web.

An Instagram bug showed a ‘camera on’ indicator for iOS 14 devices even when users weren’t taking photos

In the latest instance of iOS 14’s beta mode tattling on unexpected app behavior, some users reported that they were seeing the green “camera on” indicator while using Instagram when they were just scrolling through their feeds, not taking a photo or video.
An Instagram spokesperson said in an email to The Verge that the behavior was a bug and that it’s being fixed.

There sure have been a lot of privacy-invasive bugs ever since iOS 14 came out. Weird.

Google Promises Privacy With Virus App but Can Still Collect Location Data

But for the apps to work on smartphones with Google’s Android operating system — the most popular in the world — users must first turn on the device location setting, which enables GPS and may allow Google to determine their locations.
[...] Apple, which does not require iPhone users of the virus apps to turn on location, declined to comment on Google’s location practices.

It's not like Google has a history of this kind of behavior or anything.

Trinity study slams 'troubling' Google privacy on tracker app

"We found the public health authority component of these apps generally shares little data and is quite private.

"However, on Android devices we found the Google component of the apps is far from private and continuously shares a great deal of data with Google servers.

"This data includes the phone IMEI, hardware serial number, SIM serial number, handset phone number, the wifi MAC address and approximate phone location.
[...] However, Google executives admit the requirement to have an Android phone's location setting switched on, in order for the Bluetooth setting to work properly, might be considered "confusing".

You'd think Google would chill out on the data collection when trying to help society push through a pandemic.

Bitwarden 2020 Security Audit is Complete

In the interest of providing full disclosure, below you will find the executive summary that was compiled from the team at Insight Risk Consulting along with an internal report containing a summary of each issue, impact analysis, and the actions taken/planned by Bitwarden regarding the identified issues. We are happy to report that no major issues were identified during this audit. One moderate issue has been patched in the latest Bitwarden server update.

One of the best password managers, Bitwarden, has completed their second independent audit since they launched in 2016. Most companies never have an audit done at all and here we have one completing them on a two-year cadence.

Here's their 2018 audit for those interested. PDF

TikTok and the privacy perils of China’s first international social media platform

How much user data does TikTok collect?
As with just about every social media platform, the answer is: “a lot.” According to its privacy policy, even if you just download and open the app but never create an account, TikTok will collect your:
IP address
Browsing history (i.e., the content you viewed on TikTok)
Mobile carrier
Location data if you are using a mobile device (including GPS coordinates and WiFi and mobile cell data)
Info on the device you used to access TikTok (for Android devices, this includes your IMEI number, which is essentially your device’s fingerprint so it can be identified, and potentially your IMSI number, which is used to track users from one phone to another)

To open an account, you must enter a phone number or email and your date of birth. Once you have created an account, TikTok asks your permission for access to your social media accounts (like Twitter, Instagram, Facebook, etc.), your phone’s contact list, and GPS data.

Once you start using the app, TikTok logs details about:
Every video you upload
How long you watch videos
Which videos you like
Which videos you share
Any messages you exchange in the app
Finally, if you buy coins, the in-app currency you can use to support your favorite video creators, TikTok will store your payment information.
According to TikTok, if you delete your account, the company will delete your account data, videos, and information within 30 days. This claim is impossible to independently verify, as is the case with most social media companies.

TikTok’s data collection is extreme, even for a social media platform that collects its users’ data to serve them with targeted ads. And TikTok explicitly states in its privacy policy that it shares your browsing data and email address with third parties so that it can serve you with targeted advertising.

An eye-opening post about TikTok and the extreme invasiveness of the platform.