Category Archives: Web

LinkedIn vs hiQ Labs

hiQ Labs is a company that focuses on talent management using data science and machine learning. It uses data to help companies understand when an employee may be looking to quit, how much time and money should be put into employee training, and which candidates would qualify for new positions. Where does the data behind these conclusions come from? hiQ Labs uses a web scraper to download public profiles from LinkedIn and then uses that data for its own commercial products.

LinkedIn’s Claim

In May of 2017, LinkedIn sent hiQ Labs a cease-and-desist letter informing the company that its scraping was illegal and violated the LinkedIn User Agreement. The letter also stated that “LinkedIn has earned its members’ trust by acting vigilantly to keep their data secure. HiQ’s actions and products violate this trust”. LinkedIn then blocked hiQ from accessing its site, citing the user agreement violation.

While LinkedIn considered this a violation of its user agreement, hiQ Labs, whose business depended on the LinkedIn data, argued that its use of the data was fair because the profiles were free and open to the public. hiQ Labs therefore filed a lawsuit against LinkedIn, claiming among other things that LinkedIn had violated anti-trust law. On August 14, 2017, the U.S. District Court for the Northern District of California, in San Francisco, ruled in favor of hiQ Labs and issued a preliminary injunction ordering LinkedIn to restore hiQ’s access to the site.

The Outcome

LinkedIn was unsurprisingly unhappy with this decision and appealed it; the appeal was argued on March 15, 2018. The U.S. Court of Appeals for the Ninth Circuit ruled against LinkedIn again on September 9, 2019, upholding the injunction and handing hiQ and its web scraping bots a victory.

“LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their profiles” –  Judge Marsha Berzon

This decision came as a surprise to LinkedIn, which had argued that it should have the right to block a user for violating its User Agreement even when that violation breaks no law.

Public Opinions

Many people, not only in the cyber security community but in the LinkedIn community as well, are disturbed by the outcome of this case. It could open the door to legally sanctioned data scraping with more malicious intent. The court held that the information on LinkedIn’s site is owned by the users, not by LinkedIn, and that LinkedIn users intend their public information to be accessible to the public. While this is true, it is still LinkedIn’s responsibility to protect its users’ data and to keep it from being accessed in the wrong ways.

Links

https://pbs.twimg.com/media/EEQJ1cyVAAA7oIC.png:large

Scraping public website data does not violate CFAA, judge rules

https://law.justia.com/cases/federal/appellate-courts/ca9/17-16783/17-16783-2019-09-09.html

https://www.eff.org/deeplinks/2019/09/victory-ruling-hiq-v-linkedin-protects-scraping-public-data

Written by Austin Rose October 7th, 2019

KIK vs. the SEC

The Creation of KIN

KIK, the company that created the KIK messenger app, ran an initial coin offering (ICO) in September of 2017. An ICO is a fundraising method in which a company sells a newly created cryptocurrency token to investors. The token in question was KIK’s own creation, KIN. KIK told investors that this currency would show massive growth over the next few years and that it would be integrated into the KIK app itself. The company also hoped that the token would become commonplace in the wider cryptocurrency world. KIK’s ICO was a massive success, raising almost $100M.

The SEC’s Claim

After KIK’s success, the U.S. Securities and Exchange Commission (SEC) issued nine subpoenas to the company in early 2018. The SEC claimed that KIK violated sections 5(a) and 5(c) of the Securities Act of 1933, which state:

“SEC. 5. (a) Unless a registration statement is in effect as to a security, it shall be unlawful for any person, directly or indirectly— 

(1) to make use of any means or instruments of transportation or communication in interstate commerce or of the mails to sell such security through the use or medium of any prospectus or otherwise; or 

(2) to carry or cause to be carried through the mails or in interstate commerce, by any means or instruments of transportation, any such security for the purpose of sale or for delivery after sale. 

(c) It shall be unlawful for any person, directly or indirectly, to make use of any means or instruments of transportation or communication in interstate commerce or of the mails to offer to sell or offer to buy through the use or medium of any prospectus or otherwise any security, unless a registration statement has been filed as to such security, or while the registration statement is the subject of a refusal order or stop order or (prior to the effective date of the registration statement) any public proceeding or examination under section 8.”

The SEC claims that KIN is a security and that KIK sold it to the public without registering it with the proper authorities, and the agency is seeking penalties against the company. KIK responded with a 30-page Wells response letter stating that the SEC’s allegations are too vague and lack merit. KIK also stated that it is prepared to fight in court and is confident of success.

KIK’s Response

As of October 1st, 2019, KIK has spent nearly $6M defending KIN. A fundraiser known as the “Defend Crypto Fund” was created by KIK and has raised nearly $1.6M to help cover the legal costs. KIK has also announced that it will shut down its flagship messenger app to focus entirely on KIN and the pending case. KIK plans to lay off up to 80% of its current staff, keeping only about 20 employees.

Public’s Response

Many are criticizing the closure of the KIK app, claiming that it will be the downfall of the KIN cryptocurrency and that the legal battle will therefore be for nothing. Others believe that KIN is a strong enough currency on its own, thanks to the successful ICO. It is my personal belief that KIK has little chance of winning this case. It is obvious they are quickly running out of steam with the closure of their KIK app and the layoff of more than half of their staff. I also believe that this case will set the precedent for how cryptocurrency is viewed and treated by the law.

Links

https://cointelegraph.com/news/kik-closes-messenger-and-lays-off-staff-to-continue-sec-lawsuit-fight

https://cointelegraph.com/news/sec-sues-kik-for-conducting-allegedly-unregistered-100-million-ico-in-2017

https://cointelegraph.com/news/kik-ico-ends-strongly-with-nearly-100-mln-raised

https://cointelegraph.com/news/social-media-platform-kik-promises-to-challenge-proposed-sec-enforcement-against-its-ico

https://cointelegraph.com/news/kik-ceo-says-firm-spent-5-million-on-negotiations-with-us-sec-report

https://www.sec.gov/news/press-release/2019-87

https://legcounsel.house.gov/Comps/Securities%20Act%20Of%201933.pdf

https://www.kin.org/wells_response.pdf

Written by Hannah Grape October 3rd, 2019

HSBC Data Breach

Today, HSBC Bank disclosed that it suffered a data breach between October 4th and October 14th, 2018. The number of people affected by this breach is undisclosed, but only U.S. customers have had their data compromised. The information exposed may include: full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

To rectify this, HSBC has said that it will enhance the authentication process for its online banking and will offer affected customers a year-long subscription to a “credit monitoring and suspicious activity alerting product”. These offers and assurances fall somewhat flat, as HSBC does not have a good security track record. According to Wired, the bank was not using “up to date encryption standards for online banking”, and a Swansea University researcher ranked it in the bottom five of banks based on “the technical measures used by their respective websites” as of this writing.

How the breach occurred has not yet been stated, but Ilia Kolochenko, the CEO and founder of High-Tech Bridge, has said that “as it would appear that only US customers have been affected, that could point to the breach occurring by way of an authorized third-party or careless employee”.

This breach may well be connected to the weaknesses reported by Wired and the Swansea University researcher: attackers could have seen those reports and chosen HSBC as their next target precisely because its security measures were rated weaker than those of other banks.

– Jacob Peverly


Healthcare.gov data breach: 75k affected


Last week (as of writing) the Centers for Medicare & Medicaid Services (CMS) announced a large data breach affecting Healthcare.gov’s Federally Facilitated Exchanges (FFE). The specific part of the exchanges that was breached is meant to give customers access to healthcare agents and brokers who assist with their applications for coverage.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”

The breach appears to be the result of compromised agent/broker accounts, which CMS has since disabled. The scope as reported by CMS is believed to be around 75,000 users, but the Office of the Inspector General has reported that no banking, federal tax, or personal health records were lost in the breach. CMS reported the breach to the FBI and is currently cooperating with federal investigators.

The anomalous activity began on October 13th; CMS identified it as a breach and reported it on October 16th. The offending accounts were disabled, and as an extra precaution CMS disabled the part of the FFE that allowed agent/broker interaction with customers. As that tool is only one of several enrollment options, Healthcare.gov remains open and operational while CMS works to fix the issues that led to the breach.


-Henry Ballentine

Apple User Data Site

Apple has recently released the initial version of a new website that allows its users to check what personal information Apple has collected about them. This comes after an interview with Tim Cook in March in which he said: “We’ve never believed that these detailed profiles of people that have incredibly deep personal information that is patched together from several sources should exist”. The website adds an unprecedented level of transparency for a company of this size.

Despite this transparency and its stated aversion to making its customers the product, Apple still collects a wide variety of user information, ranging from calendars and contacts to entire documents and photos. The website was launched first in the EU, where it had to satisfy the privacy regulations in force there, before being rolled out more widely.

Apple’s intentions do seem sincere, at least for now. As part of the recently released iOS 12, Apple added features that help block targeted ads based on shopping or search history, and the company has continued to push actively for privacy regulation around the globe. Even as it makes it harder for other companies to obtain personal information and lets you see what it holds about you, however, Apple continues to collect and store that same information.

-Evan Schimberg