Is too much consumer protection a bad thing? facebook thinks so

The Australian Competition and Consumer Commission (ACCC), the American Federal Trade Commission’s Bureau of Consumer Protection equivalent in Australia, has recently released the final report of their Digital Platforms Inquiry, which “looks specifically at the impact of digital platforms on: consumers, businesses using platforms to advertise to and reach customers, and news media businesses that also use the platforms to disseminate their content.” As a result of this, the ACCC has recommended 23 changes to the current standard for consumer protection. One recommendation that did not sit well with Facebook was the 16th, which would require users to consent anytime their personal information is collected, used, or shared.

Facebook, which is often the center of attention when it comes to violations of their users’ privacy rights, has recently stated that the ACCC’s approach at this issue is a “backwards” approach to this issue, and that as a result, Australia would fall behind the rest of the world. While their intentions to make users aware of what data is being collected about them, is this really the best method to do so?

This issue raises the question of ‘is there such thing as too much protection?’ Are the privacy benefits of requiring alerts from this entities worth the loss of convenience and usability, or should users take the loss for better privacy?

Links:

ACCC Digital Platforms Inquiry

“Facebook boss hits out at ‘backwards’ ACCC privacy policies”

Header Image

By Patrick Swanson-Green, October 21, 2019

F.T.C. Fines Facebook $5 Billion Dollars Over Privacy violations

Back in July of 2019, the Federal trade commission fined Facebook $5 billion for its consumers’ privacy “mishaps,” the largest civil penalty ever imposed on a company. The order covers Facebook-owned WhatsApp and Instagram, as well as Facebook’s social platform.

Facebook makes a large portion of its profits by serving up targeted ads based on users’ personal information. Many consumers are hesitant about sharing certain data, so Facebook calms that concern by promising that people can control the privacy of their information through the platform’s privacy settings.

The FTC sued Facebook back in 2012 for making misleading promises about the extent to which consumers could keep their personal information private. For example, Facebook told users they could select settings to make information available just to “friends.” But despite that promise, Facebook allowed apps used by those friends to access consumers’ information, a decision that put money in Facebook’s pocket. The 2012 FTC order put penalties in place if Facebook made misleading statements in the future about consumers’ control over the privacy of their personal information.

Facebook violated the order again by giving companies access to information that consumers said they didn’t want to share. The FTC also alleges Facebook made other misleading statements about how it used facial recognition, consumers’ cell phone numbers, and other personal data.

That $5 billion fine is a big deal, of course: it’s the biggest fine in FTC history, even though it is still too small for a company at Facebook scale; Facebook had $15 billion in revenue last quarter alone, and $22 billion in profit last year. The largest FTC fine in the history of the country represents basically a month of Facebook’s revenue and it ended up increasing the price of Facebook’s stock as well as Mark Zuckerberg’s net worth.

In addition to the fine, Facebook agreed to more comprehensive oversight of how it handles user data, The F.T.C ordered Facebook to create an independent committee of Facebook’s board of directors to oversee privacy decisions and requires an independent third-party assessor to evaluate the effectiveness of Facebook’s privacy program. Mark Zuckerberg also must certify every quarter that Facebook is in compliance with the new privacy program. 

None of these conditions, in my opinion, will prevent Facebook from collecting and sharing data, and they certainly won’t affect Facebook’s insanely lucrative ad business, which relies upon that data.

I think this decision is best summarized by Lindsey Barrett a staff attorney/fellow at Georgetown law and the co-founder of Georgetown Privacy center:

“violate the law once, then violate it again after you’re under a consent order at a mammoth scale, then violate it so many times that we all lose track of what’s happening, & you’ll get a proportionately modest fine & get to continue breaking things”

– Bader A

FBI uses NSA surveillance data to conduct investigations

Earlier this week, a FISA court ruling from October 2018 was declassified. In it, there are details about the FBI using information gathered by the NSA’s mass surveillance tools to conduct investigations on U.S. citizens without warrants.

At this point, it is common knowledge that the NSA practices mass surveillance on American citizens. This is attributed to whistleblower Edward Snowden, who leaked documents to the press about tools and techniques that the NSA uses to conduct “bulk data collection.” However, until now, little has been shown to demonstrate how other agencies, like the FBI and the CIA, may use that information to do the same.

 

 

Searching through this data is known as “backdoor searching,” and the declassified document states that the FBI conducted over three million of these searches on “U.S. persons.” The main issue is that these searches were not legally justified. According to the FISA court ruling, the FBI did not base their backdoor searching on potential criminal investigation; or any other genuine justification. This further validates the claim that these agencies are attempting to create a kind of “permanent record” on the American citizens.

After  9/11, policy within the FBI has been altered in such a way that obtaining a warrant to investigate a U.S. citizen is unnecessary so long as the person of interest is suspected of being a “potential national security threat.” This stipulation has been used vaguely and can have a broad range of application.

While maintaining security through secrecy is a noble goal for the NSA, the information that they gather must be used justly and fairly if their practices are to be accepted by the American people.

– Jared Albert

LinkedIn vs hiQ Labs

HiQ Labs is a company that focuses on talent management using data science and machine learning. They use data to help companies understand when someone may be looking to quit, how much time and money should be put into employee training and what candidates would qualify for new positions. Where do they get the data that leads to these conclusions though? HiQ Labs uses a web scraper to download profiles off LinkedIn and use that data from their site to use for their own financial gain.

LinkedIn’s Claim

In May of 2017, LinkedIn sent a letter to hiQ Labs informing them that their actions were illegal and violated the LinkedIn User Agreement. It also stated that “LinkedIn has earned its members’ trust by acting vigilantly to keep their data secure. HiQ’s actions and products violate this trust”. In response to this, LinkedIn blocked hiQ from accessing their data because of the user agreement violation.

While LinkedIn may have thought this was a violation of their user agreement, hiQ Labs was now suffering a major blow to their company which that this was fair use of the data because it was free and open to the public. Because of this, hiQ labs filed a lawsuit against LinkedIn claiming that they violated anti-trust laws. On August 14, 2017, The U.S. District Court of San Francisco ruled in the favor of hiQ Labs and forced LinkedIn to return access of their site to hiQ Labs.

The Outcome

Obviously LinkedIn was not happy with this decision and appealed the decision on March 15, 2018. Unfortunately the appeal made by LinkedIn was ruled against them yet again by the U.S. Court of Appeals leading to a victory for hiQ and their web scrapping bots.

“LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles” –  Judge Marsha Berzon

This decision was rather shocking to LinkedIn especially because they should have the right to block a user for violating their User Agreement even if it isn’t breaking the law.

Pubic Opinions

Many people in not only the cyber security community but they LinkedIn community as well are disturbed by the outcome of this case. This could open the doors to legally allow data scraping with more malicious intents. The court is claiming that the information on LinkedIn’s site is owned by the users not by LinkedIn and that the users of LinkedIn intend to have their information accessed by the public. While this is true, it is still LinkedIn’s responsibility to protect its users data and not allow it to be accessed in the wrong ways.

Links

https://pbs.twimg.com/media/EEQJ1cyVAAA7oIC.png:large

Scraping public website data does not violate CFAA, judge rules

https://law.justia.com/cases/federal/appellate-courts/ca9/17-16783/17-16783-2019-09-09.html

https://www.eff.org/deeplinks/2019/09/victory-ruling-hiq-v-linkedin-protects-scraping-public-data

Written by Austin Rose October 7th, 2019

Binance Cryptocurrency Exchange Hack

Binance is a global cryptocurrency exchange platform that provides trading for more than 100 different cryptocurrencies. Additionally, Binance boasts various features through its service to streamline and make the trading and purchasing of cryptocurrency easier for its users. Alongside functional enhancements, Binance offers users a secure experience via its Know Your Customer (KYC) security measure where, in order to gain access and be able to use the service, users have to submit an image of themselves presenting credentials in order to verify their identity. 

The Attack 

On August 7th 2019, hackers used a variety of techniques to gain access to Biances servers and user information, bypassing the various security measures in place. In the end, the hackers managed to acquire a huge portion of the firm’s KYC data; the current extent of compromised accounts is still unknown. The specifics of how the attacker bypassed a majority of Binance’s systems are still unknown as the company is still conducting its own investigation and has yet to give a statement as to how the accounts were compromised. 

Aftermath

After the breach, the hacker started demanding a total of 300 Bitcoins (worth around $3.5 million) from the company in exchange for withholding the personal KYC data of the compromised users. However, the validity of the KYC hack was brought into question when the hacker started to leak photos online and the photos lacked the distinct watermark that Binance puts on users verification photos. In response to the leaks, Binance claims that the images released thus far are from when the company was using a third-party service provider to process its KYC verifications. Furthermore, throughout the past few months, the stance of Binance has changed on whether or not the hack actually happened. Initially, the CEO himself took to Twitter to tell individuals to ignore the leak. However, as time progressed, more evidence surfaced to support the validity of the hack with some of the already released photos matching information of affected users while other times the information did not match. Furthermore, Binance itself has started to accept the legitimacy of the hack and resolve it as there exists overlap with the leaked images and those processed by the third-party vendor. 

Overall, the scope of the hack is still a mystery as Binance itself isn’t clear as to how many users’ KYC data were affected as a result of the hack. However, the ramifications of the compromised KYC data could be enormous as the information could be used in various ways to bypass two-factor authentication measures, create fake IDs and passports, and commit a variety of scams. Although, for the moment the hacker responsible only seems interested in the Bitcoin ransom as they are ransoming off the information to Binance, but there is no telling what the compromised information of Binance’s user base could be used for if the ransom is not paid.

On the financial side, the company came out and declared that it will cover the losses by offering lifetime premium to all affected users and hasn’t taken a major hit in terms of trading and sales. Additionally, in response to the hack, Binance is offering a reward of 25 Bitcoins to any person who can supply them with pertinent information that can lead to the arrest of the hacker/hackers behind the incident.

Links

https://cointelegraph.com/news/binance-kyc-breach-did-it-happen-and-if-so-whos-to-blame

https://cointelegraph.com/news/binance-offers-lifetime-vip-membership-to-kyc-leak-victims

https://www.binance.com/en/blog/371631019142385664/Update–Action-Response-ThirdParty-Vendor-KYC-Matter

Written by Nick Perri October 7th, 2019

A blog featuring student posts about current topics in Cyber Security

%d bloggers like this: