Category Archives: Privacy

Is too much consumer protection a bad thing? Facebook thinks so

The Australian Competition and Consumer Commission (ACCC), the American Federal Trade Commission’s Bureau of Consumer Protection equivalent in Australia, has recently released the final report of their Digital Platforms Inquiry, which “looks specifically at the impact of digital platforms on: consumers, businesses using platforms to advertise to and reach customers, and news media businesses that also use the platforms to disseminate their content.” As a result of this, the ACCC has recommended 23 changes to the current standard for consumer protection. One recommendation that did not sit well with Facebook was the 16th, which would require users to consent anytime their personal information is collected, used, or shared.

Facebook, which is often the center of attention when it comes to violations of its users’ privacy rights, has recently stated that the ACCC’s approach to this issue is “backwards” and that, as a result, Australia would fall behind the rest of the world. While the intention is to make users aware of what data is being collected about them, is this really the best method to do so?

This issue raises the question: is there such a thing as too much protection? Are the privacy benefits of requiring alerts from these entities worth the loss of convenience and usability, or should users accept that loss for better privacy?

Links:

ACCC Digital Platforms Inquiry

“Facebook boss hits out at ‘backwards’ ACCC privacy policies”

Header Image

By Patrick Swanson-Green, October 21, 2019

F.T.C. Fines Facebook $5 Billion Over Privacy Violations

Back in July of 2019, the Federal Trade Commission fined Facebook $5 billion for its consumer privacy “mishaps,” the largest civil penalty ever imposed on a company. The order covers Facebook-owned WhatsApp and Instagram, as well as Facebook’s social platform.

Facebook makes a large portion of its profits by serving up targeted ads based on users’ personal information. Many consumers are hesitant about sharing certain data, so Facebook calms that concern by promising that people can control the privacy of their information through the platform’s privacy settings.

The FTC sued Facebook back in 2012 for making misleading promises about the extent to which consumers could keep their personal information private. For example, Facebook told users they could select settings to make information available just to “friends.” But despite that promise, Facebook allowed apps used by those friends to access consumers’ information, a decision that put money in Facebook’s pocket. The 2012 FTC order put penalties in place if Facebook made misleading statements in the future about consumers’ control over the privacy of their personal information.

Facebook violated the order again by giving companies access to information that consumers said they didn’t want to share. The FTC also alleges Facebook made other misleading statements about how it used facial recognition, consumers’ cell phone numbers, and other personal data.

That $5 billion fine is a big deal, of course: it’s the biggest fine in FTC history, even though it is still too small for a company at Facebook’s scale; Facebook had $15 billion in revenue last quarter alone, and $22 billion in profit last year. The largest FTC fine in the history of the country represents basically a month of Facebook’s revenue, and it ended up increasing the price of Facebook’s stock as well as Mark Zuckerberg’s net worth.

In addition to the fine, Facebook agreed to more comprehensive oversight of how it handles user data. The FTC ordered Facebook to create an independent committee of Facebook’s board of directors to oversee privacy decisions and required an independent third-party assessor to evaluate the effectiveness of Facebook’s privacy program. Mark Zuckerberg also must certify every quarter that Facebook is in compliance with the new privacy program.

None of these conditions, in my opinion, will prevent Facebook from collecting and sharing data, and they certainly won’t affect Facebook’s insanely lucrative ad business, which relies upon that data.

I think this decision is best summarized by Lindsey Barrett, a staff attorney/fellow at Georgetown Law and the co-founder of the Georgetown Privacy Center:

“violate the law once, then violate it again after you’re under a consent order at a mammoth scale, then violate it so many times that we all lose track of what’s happening, & you’ll get a proportionately modest fine & get to continue breaking things”

– Bader A

FBI uses NSA surveillance data to conduct investigations

Earlier this week, a FISA court ruling from October 2018 was declassified. In it, there are details about the FBI using information gathered by the NSA’s mass surveillance tools to conduct investigations on U.S. citizens without warrants.

At this point, it is common knowledge that the NSA practices mass surveillance on American citizens. This is attributed to whistleblower Edward Snowden, who leaked documents to the press about tools and techniques that the NSA uses to conduct “bulk data collection.” However, until now, little has been shown to demonstrate how other agencies, like the FBI and the CIA, may use that information to do the same.

Searching through this data is known as “backdoor searching,” and the declassified document states that the FBI conducted over three million of these searches on “U.S. persons.” The main issue is that these searches were not legally justified. According to the FISA court ruling, the FBI did not base its backdoor searching on a potential criminal investigation or any other genuine justification. This further validates the claim that these agencies are attempting to create a kind of “permanent record” on American citizens.

After 9/11, policy within the FBI was altered in such a way that obtaining a warrant to investigate a U.S. citizen is unnecessary so long as the person of interest is suspected of being a “potential national security threat.” This stipulation has been applied vaguely and can have a broad range of application.

While maintaining security through secrecy is a noble goal for the NSA, the information that they gather must be used justly and fairly if their practices are to be accepted by the American people.

– Jared Albert

The Supreme Court determining how bad a hack has to be to sue

In December of 2018 and January of 2019, the high court held conferences regarding two cases that were seeking the same decision from the Supreme Court: an answer to the question of how bad a hack has to be for a victim to sue.

FCA US LLC, et al., Petitioners v. Brian Flynn, et al.

The first case in question is FCA US LLC, et al., Petitioners v. Brian Flynn, et al. The petition was filed September 26, 2018; however, the case came about on July 21, 2015, after a Wired article by Andy Greenberg, including a video demonstrating the Jeep Cherokee’s vulnerability, was published. The author is shown driving normally down a highway in the Jeep Cherokee, when the hackers Wired hired decide to turn the AC on, display a picture on the dashboard’s digital screen, turn on music and turn it up extremely loud, and, most notably, kill the car’s engine entirely. An 18-wheeler barrels past, honking at the dangerously slow vehicle, which only made Greenberg all the more uneasy about the situation. There was nothing the driver could do to change it, despite fiddling with the dials to try to rectify the situation, and his panic is clear to see as he begs the hackers to turn the engine back on while they laugh in the safety of an entirely different location. They were able to do this through a function in the Jeep called Uconnect, a computer in the dashboard display (called the head unit) that has an internet connection. This was a huge issue for Chrysler to deal with: despite the company sending USB drives with a fix to 1.4 million owners of the vehicles, people were still very wary, pointed the finger at the cars for being “excessively vulnerable,” and then sought compensation for the risk. There was no evidence of the vulnerability being exploited maliciously, and that was a central point in Chrysler’s petition.

Zappos.com, Inc. v. Stevens

The second case is Zappos.com, Inc. v. Stevens, arising from the online retailer Zappos.com’s malicious database breach in January 2012. This database contained sensitive information on more than 24 million Zappos customers, including names, account numbers, contact information (i.e. email addresses and billing addresses), and possibly credit card information. Again, the company found nothing signifying the use of the information in tactics such as impersonation, but the customers claimed otherwise, saying the attackers used the information to break into their other accounts.

The Conclusion of the Petitions

Each case’s petition was ultimately denied: the Chrysler case was denied at the first conference on January 4, 2019, while consideration of the Zappos petition was dragged out across two conferences before finally being denied on March 27, 2019.

The Questions

There are several central questions that these cases both bring up, the first being: what exactly is the relationship between obtaining and utilizing information from hacks? Neither company found evidence of the vulnerabilities being used in a way that compromised any users’ safety or confidentiality, but could we then judge these cases on the premise that there was a vulnerability in the first place? The issue with that is that nothing in cyber security is 100% safe from being breached, so anything that is put out will have vulnerabilities that can be exposed; but is it a problem unless the vulnerability is found and used maliciously? Then we have to wonder about the victims: is it just to have the court decide whether a victim has suffered enough to do something about their losses? It becomes a never-ending cycle of ethical and practical questions about these topics and what should be put in place to rectify the gray area, or whether anything could get rid of gray areas at all. This emphasizes the difficulty that comes with cyber security as a whole: the subjectivity and uncertainty of so many things that come with it. The word “concrete” comes up often in the official case documents, but there is very little regarding cyber security that can be wholly defined as concrete, especially for something intangible, where you cannot put numbers on damages the way you can for a car crash or a fire from a monetary standpoint.

What I Think

My main thoughts are first how lucky it is that these cases did not end up going to the Supreme Court, on behalf of big companies and my personal ethical beliefs. The companies are fortunate because the court could have easily swayed far more in favor of the masses that are being put at risk in so many ways because of security vulnerabilities; when the lines of damages are more defined, they will likely end up having to throw millions of dollars at settlements. But the companies are the ones who would be losing the least out of most of these situations, as they always do, so I’m much more on the side of the masses as someone who would have my information stolen from a database which may be protected by old white men who are using computers that are over half my age (I am 19, for reference). Users should not have to fear their private information being accessed by those without clearance, especially with some of the questions that are in background checks and such regarding extremely personal matters. I am fully aware that this is not a perfect world and that asking for privacy online is like putting a flyer of information on a wall and begging nobody to look at it, but it’s still really terrible that that’s how things are… Sometimes. But the thing is that I cannot even fathom any pity for companies with the amount of money and power they have. I feel the people who owned Jeep Cherokees were very justified in their concern and request for compensation because they are wondering about “what if” situations, but there is nothing that cannot be hacked, so I understand why the request is unreasonable from a security standpoint, so it is very hard. Overall, I just feel that something run by the government (the Supreme Court) cannot be the one defining how much damage is enough.
The word “enough” alone feels like a default invalidation of the victims of the situations in question, and with cyberspace being a forever-changing beast that, realistically, cannot be quantified, it is a catch-22 of sorts. There is no one solution we can come to for it, so for now I think it is best to deal with things on a case-by-case basis.

Sources

All information and quotes came from the following sources.

Written by Faith Cronister on September 29, 2019

HSBC Data Breach

Today, HSBC Bank disclosed that it had a data breach between October 4th and October 14th. The number of people affected by this breach is undisclosed, but only Americans have had their data compromised. The kinds of information that were leaked may include: full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

To rectify this, HSBC has said that it is going to enhance its authentication processes for online banking and will offer affected customers a year-long subscription to a “credit monitoring and suspicious activity alerting product”. These gifts and claims sort of fall flat, as HSBC does not have a good history with security. According to Wired, HSBC wasn’t using “up to date encryption standards for online banking”, and according to a Swansea University researcher, it was ranked in the bottom five of banks based on “the technical measures used by their respective websites” as of this writing.

The way the breach occurred hasn’t been stated yet, but Ilia Kolochenko, the CEO and founder of High-Tech Bridge, has said that “as it would appear that only US customers have been affected, that could point to the breach occurring by way of an authorized third-party or careless employee”.

This breach definitely results from the accusations that Wired and the Swansea University researcher made, as potential hackers could have seen this information and decided to attack HSBC next, since it was reported to have lower levels of security than other targets.

– Jacob Peverly

Sources: