z3r0trust Privacy Newsletter #1–22

The intersection of technology, privacy, cybersecurity, policy, and legislation masterfully curated into a concise monthly privacy newsletter worth reading.

Image credit: Tutanota

“I’m a very private person. I like staying home and doing my stuff. I hate people invading on my privacy. I hate talking about my private life.” ~Gisele Bundchen

Greetings, my fellow digital-privacy-paranoid netizens. If you’re reading this article then you can probably relate to the quote above. I know I can. It’s been a while since I’ve published a z3r0trust Privacy Newsletter, or anything else for that matter. In short, as a writer, I just haven’t been in the proper headspace to write. I guess I am kind of elemental in that respect. All the craziness going on in the world has affected me, continues to affect me, and has kept my mind preoccupied with the day-to-day grind and survival in a new reality shaped by the long-lasting COVID-19 pandemic. Some people choose to ignore science and not get vaccinated, or refuse to take the virus seriously and take basic protective precautions, all for political reasons, despite ballooning death statistics. Add to that the high inflation of goods and supply-chain issues in the U.S., and how climate change is impacting us more and more each year... Times are definitely changing and not necessarily for the better. It’s an interesting time to be alive.

The last z3r0trust Privacy Newsletter that I published was #7–21 which was published on July 31, 2021. I won’t bother trying to pick up where I left off because it’s been quite a few months but suffice it to say that in the world of digital privacy, the war rages on. The reality is that if we don’t fight for our privacy rights, then corporations and governments feel inclined to just subsume them without permission. That is completely unacceptable and we will not tolerate it. Governments and corporations would do well to remember who allows them to exist and who buys their products and services. Within this newsletter edition, I selectively cover a few of the most recent data breaches, Facebook’s biometric data collection patents, and also a privacy-related data breach class-action lawsuit, as well as provide some privacy technology tips.

This Month in the World of Digital Privacy

Since my last newsletter, Facebook, Inc. has renamed itself Meta Platforms, much as Google reorganized under a parent company called Alphabet. As if Americans are going to forget who they really are. Newer generations of American kids might not bother learning about “Meta’s” sordid history though. For now, Meta is headquartered in Menlo Park, California, and Alphabet in Mountain View, California. Sometimes these corporate restructurings are little more than a ploy to minimize U.S. corporate taxes, as when Apple routed much of its foreign profit through subsidiaries in Cork, Ireland. Time will tell whether other tech giants like Facebook and Google will move their parent companies offshore. After its Irish arrangement came under scrutiny, Apple moved the tax residency of its Irish subsidiaries to the Channel Island of Jersey, a UK Crown dependency that taxes foreign companies at zero percent (Vega, 2017).

In 2017, Apple earned $44.7 billion outside the US and paid just $1.65 billion in taxes, the BBC reported.

Seem fair to you? Tech giants setting up offshore entities to avoid paying taxes makes me want to vomit. The fact that lawmakers haven’t closed this loophole shows you just how deeply these tech companies are embedded in politics. Just remember that it’s always about the money. Don’t let these companies fool you. If a service or product is free, then you are the product.

Facebook is pushing hard to become a huge player in the metaverse and you can bet that changing their company name won’t stop the morally bankrupt company from continuing to abuse users’ private information to increase their bottom line. In fact, Facebook has recently obtained patents to collect “…biometric data like body poses and pupil movement, and use it to sell virtual ads” in the metaverse (Irwin, 2022). The last thing anyone needs is to give more of their unique, private information to a company like Facebook, Meta, or whatever they want to call themselves. They don’t exactly have a good track record of protecting such information. It’s important to remember this.

Apple has long been touted as a privacy advocate compared to other tech giants, but more and more the evidence shows that Apple only wants to protect users’ private information so that it can be the only company to profit from it, not to protect it. A case in point: at the time of writing, Apple had not shipped a fix for a bug in WebKit’s IndexedDB implementation that leaks user identities and browsing activity in real time in Safari 15 on macOS and in every browser on iOS 15 and iPadOS 15, since all iOS browsers are required to use WebKit (Goodin, 2022). The bug violates the same-origin policy: a website can read the names of IndexedDB databases created by other websites. It shipped with Safari 15 in September 2021, and FingerprintJS reported it to Apple’s WebKit bug tracker in late November 2021.

“It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.” ~Martin Bajanik, a software engineer at FingerprintJS
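As an added example, not code from the newsletter or from FingerprintJS, here is a small check for the leak described above. In an affected browser, `indexedDB.databases()` returns database names created by other origins, so a page can tell which sites you have open and, where a site embeds a user identifier in the database name, who you are. The classification logic is a pure function so it can be run against captured output without a browser; every site name and database-name pattern below is constructed for illustration and is not a real site’s database name.

```javascript
// Added example (not from the newsletter or FingerprintJS): a check for the
// Safari 15 IndexedDB cross-origin leak. In an affected browser,
// indexedDB.databases() returns the names of databases created by OTHER origins.
// All site names and name patterns below are constructed for illustration.

// Databases this page creates itself; these are expected and never counted as leaked.
const OWN_DB_NAMES = new Set(["leakcheck-probe"]);

// Hypothetical catalogue of database-name patterns and the site each one would
// identify. A capture group marks a user-specific identifier embedded in the name.
const KNOWN_PATTERNS = [
  { site: "video.example.com", pattern: /^LogsDatabase:([0-9]{6,})$/ },
  { site: "mail.example.net", pattern: /^mailbox-cache$/ },
  { site: "shop.example.org", pattern: /^cart-([a-f0-9]{16})$/ },
];

// Classify a list of visible database names into leaked (not ours), identified
// (leaked and matching a known site, with any embedded user id) and unknown.
function classifyDatabases(names, ownNames = OWN_DB_NAMES, patterns = KNOWN_PATTERNS) {
  const result = { leaked: [], identified: [], unknown: [] };
  for (const name of names) {
    if (ownNames.has(name)) continue; // our own database: expected
    result.leaked.push(name);         // anything else should have been invisible
    const match = patterns
      .map((p) => ({ site: p.site, m: name.match(p.pattern) }))
      .find((x) => x.m !== null);
    if (match) {
      result.identified.push({ site: match.site, userId: match.m[1] ?? null, db: name });
    } else {
      result.unknown.push(name);
    }
  }
  return result;
}

// Browser-side probe: create our own database so the check can tell "ours" from
// "theirs", then ask the browser for every database name it will admit to.
async function probeBrowser() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null; // Node, or a browser without indexedDB.databases()
  }
  await new Promise((resolve, reject) => {
    const req = indexedDB.open("leakcheck-probe", 1);
    req.onsuccess = () => { req.result.close(); resolve(); };
    req.onerror = () => reject(req.error);
  });
  const visible = (await indexedDB.databases()).map((d) => d.name).filter(Boolean);
  return classifyDatabases(visible);
}

// A browser that honours the same-origin policy yields no leaked names at all.
function isLeaking(classification) {
  return classification !== null && classification.leaked.length > 0;
}

probeBrowser().then((r) => {
  if (r === null) return; // not running in a browser
  console.log(isLeaking(r) ? "LEAK: other origins' databases are visible" : "ok", r);
});
```

Paste the block into the console of a page you control with a few other tabs open: on a patched browser `leaked` stays empty; on an affected Safari 15 build you will see other sites’ database names, and the catalogue approach is exactly how an attacker turns those names into site visits and user identities.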

Privacy Lawsuits & Legislation

Two patients filed a class-action lawsuit against Florida-based BioPlus Specialty Pharmacy over its handling of a late-2021 data breach affecting 350,000 customers (McKeon, 2022). BioPlus complied with HIPAA’s 60-day breach-notification requirement and posted a notice on its website on 10 December 2021 stating that the pharmacy had been the victim of a data breach in which customer Personally Identifiable Information (PII), including the Social Security Numbers (SSNs) of current and former customers, was potentially compromised (McKeon, 2022). BioPlus offered a free year of Experian credit monitoring, but one plaintiff said that it wasn’t enough.

The lawsuit also told the story of another plaintiff, Connecticut resident Patricia White, whose information was entered into BioPlus Specialty Pharmacy’s systems due to a clerical error that caused her prescription information to be sent to BioPlus rather than her designated pharmacy. “Ms. White corrected the clerical error and canceled the service from BioPlus, but her information remained in Defendant’s systems, vulnerable to misuse, until the data breach occurred in November of 2021,” the lawsuit continued.

This is something I think about often whenever we have to enter our personally identifiable information (PII) or protected health information (PHI) into employer databases when applying for jobs or for drug-test screenings. What happens when one of those employer databases gets breached? Tons of job applicants’ PII and PHI will be exposed through no fault of their own. Chances are the job applicants didn’t even land a job with the company they applied to, but now their PII and PHI are compromised and being sold on the Dark Web. That is a tragedy.

Privacy Control of the Month

Image credit: OPPO Nigeria

A basic privacy best practice for your mobile device is to disable Wi-Fi, Bluetooth, and Near-Field Communication (NFC) when you’re not at home connected to your home Wi-Fi network or to another Wi-Fi network that you trust. The same goes for Bluetooth and NFC: if you’re not actively using those services, turn them off so that your device doesn’t automatically connect to potentially malicious access points or nearby devices. For instance, have you ever checked the Wi-Fi settings of your smartphone and found that your device had auto-connected to some unknown free Wi-Fi access point?

How about Bluetooth? You try to connect your device to your car and instead get someone else’s phone conversation coming across your car speakers. It’s happened to me. Check your device settings and disable auto-connect (Auto-Join for Wi-Fi networks on iOS). Turning off these features when not in use, in addition to the privacy and security benefits, also saves your device’s battery. Even with all three of these radios turned off, your smartphone or other mobile device can still make and receive phone calls over 5G or whatever cellular protocol your device and telecom provider use.

Image credit: NIST SP 800–53 rev. 5; Ch. 3, privacy control PT-3; p. 231

Featured Privacy Tech Tools & Tips

Image credit: Cloudflare

Cloudflare’s free 1.1.1.1 app includes a service called WARP that essentially acts as a VPN. I highly recommend using it at home and on your mobile devices when you’re out and about. WARP replaces the connection between your computer or mobile device and the internet with an encrypted, WireGuard-based tunnel to Cloudflare’s nearest edge data center, so your traffic, not just your DNS queries, leaves your device encrypted and exits to the internet from a Cloudflare address. Your DNS queries go to Cloudflare’s 1.1.1.1 resolver over that tunnel, depending on the services you have enabled. Cloudflare states that it collects only limited DNS query and traffic data (not payload content) while the app is enabled on your device, and its privacy policy says it stores the minimum amount of data it believes is required to provide the service.

Cloudflare’s WARP might slow your bandwidth slightly, but it shouldn’t be noticeable. To confirm it is working, note your public IP address before turning on the WARP app by visiting a site such as https://ipleak.net/ (the address that `ipconfig /all` on Windows or `ip addr` on Linux shows for your Ethernet or Wi-Fi adapter is your private LAN address, which WARP does not change). Once the app is turned on, check ipleak.net again. You’ll notice, like with a VPN, that the public IP address seen by websites has been replaced by a Cloudflare-owned address (such as one in the 8.x.x.x range), which puts a layer between your browsing activity and the sites you visit. This combined with other privacy tools such as the Brave browser and EFF’s Privacy Badger can go a long way toward helping you maintain a respectable modicum of online privacy.
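Rather than eyeballing an IP address, you can ask Cloudflare directly whether your traffic is arriving over WARP. The following script is an added example, not from the newsletter or from Cloudflare: it parses the key=value body that Cloudflare’s own trace endpoint (https://www.cloudflare.com/cdn-cgi/trace) returns, which includes the public IP Cloudflare sees for you and a `warp=` line reading `off`, `on` or `plus`. The two sample responses embedded in the script are constructed for offline use and use TEST-NET documentation addresses, not real Cloudflare or ISP addresses; the script name `warpcheck.sh` in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the newsletter or from Cloudflare: verify that WARP is
# actually on by reading Cloudflare's trace endpoint instead of guessing from an
# IP address. Usage (live):  ./warpcheck.sh --live [before.txt]

TRACE_URL="https://www.cloudflare.com/cdn-cgi/trace"

# Constructed sample responses for offline use. The addresses are TEST-NET
# documentation addresses, not real Cloudflare or ISP addresses.
SAMPLE_TRACE_OFF='h=www.cloudflare.com
ip=203.0.113.42
colo=SJC
loc=US
tls=TLSv1.3
warp=off
gateway=off'

SAMPLE_TRACE_ON='h=www.cloudflare.com
ip=198.51.100.7
colo=SJC
loc=US
tls=TLSv1.3
warp=on
gateway=off'

# trace_field TRACE KEY: print the value of KEY from a trace body.
trace_field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# warp_active TRACE: succeed if Cloudflare reports the request came over WARP.
warp_active() {
    case "$(trace_field "$1" warp)" in
        on|plus) return 0 ;;
        *)       return 1 ;;
    esac
}

# ip_changed TRACE_BEFORE TRACE_AFTER: succeed if the public IP differs.
ip_changed() {
    before=$(trace_field "$1" ip)
    after=$(trace_field "$2" ip)
    [ -n "$before" ] && [ -n "$after" ] && [ "$before" != "$after" ]
}

# live_trace: fetch the real trace body (needs network and curl).
live_trace() {
    curl -fsS --max-time 10 "$TRACE_URL"
}

# With --live, report the current state. If a file holding a trace captured before
# WARP was enabled is given (live_trace > before.txt), also confirm the IP changed.
if [ "${1:-}" = "--live" ]; then
    now=$(live_trace) || { echo "could not reach $TRACE_URL" >&2; exit 2; }
    if warp_active "$now"; then
        echo "warp=on, public IP seen by Cloudflare: $(trace_field "$now" ip)"
    else
        echo "warp is OFF; public IP: $(trace_field "$now" ip)"
        exit 1
    fi
    if [ -n "${2:-}" ] && [ -f "$2" ]; then
        if ip_changed "$(cat "$2")" "$now"; then
            echo "public IP changed since before WARP was enabled"
        else
            echo "WARNING: public IP unchanged; traffic may not be going through WARP"
            exit 1
        fi
    fi
fi
```

The `warp=` field is the authoritative signal: if it reads `off` while the app claims to be connected, the tunnel is not carrying your traffic, no matter what an IP-lookup site shows.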

With free services, you are always the product, but in this case it is less risky because you’re essentially getting a limited-logging encrypted tunnel and DNS resolver for free from a reputable web infrastructure and website security company. Keep in mind what WARP does and does not do: it hides your IP address from the sites you visit, not from Cloudflare, and it does nothing about cookies, logins, or browser fingerprinting. Does it mean you’re completely safe online? No, absolutely not. You’re never free and in the clear online. There are only different levels of anonymity online, but no such thing as completely anonymous in the modern Digital Age. We do what we can though…

Closing Thoughts

Whatever your thoughts are regarding Internet privacy, the fact remains that you alone control the degree to which you remain private online. If you’re one of those people who doesn’t care about privacy, then you’re probably posting your real name and photos of yourself, your friends, and your family on social media. Scrapers have harvested your personal images and likeness, and you’ve been added to Facial-Recognition Software (FRS) databases without your permission. You’re probably using email accounts with your real name, and you probably even reuse the same password across multiple websites, because privacy and security habits are interrelated.

Image credit: Techspirited

If that is your level of PrivSec (privacy & security), then I humbly encourage you to seriously consider reevaluating your online habits. Eventually, these bad, lazy habits are going to lead to your identity being stolen or even to financial losses due to fraud. Think about it, look at some of the examples of these scenarios that I’ve provided throughout this newsletter series, and be smart. It’s never too late to take proactive privacy and security measures on the Internet. I’m not here to judge anyone. I’m just a guy with a lot of experience in both the Internet privacy and security realms trying to spread user awareness. The decision is ultimately yours to make. I hope you’ll choose wisely.

***Never Trust. Always Verify. Think Like An Adversary.***

Thank you for reading! If you enjoy these articles and want to support me as a writer, you can become a Medium member. For $5 per month or $50 per year (a better deal), you receive unlimited access to Medium stories. If you use my referral link, I receive a small commission. Cheers!

Additional Privacy Resources

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21, #7–21

*Privacy-related articles also published by the author can be found here.

Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net

References

Goodin, D. (2022, January 18). Safari and iOS users: Your browsing activity is being leaked in real time. Retrieved from https://arstechnica.com/information-technology/2022/01/safari-and-ios-bug-reveals-your-browsing-activity-and-id-in-real-time/

Irwin, V. (2022, January 18). Meta is looking into eye-tracking and product placement to make money in the metaverse. Retrieved from https://www.protocol.com/bulletins/metas-tracking-you

McKeon, J. (2022, January 17). BioPlus Specialty Pharmacy Faces Lawsuit Over Healthcare Data Breach. Retrieved from https://healthitsecurity.com/news/bioplus-specialty-pharmacy-faces-lawsuit-over-healthcare-data-breach

Vega, N. (2017, November 6). Apple’s offshore move has helped save them billions in taxes. Retrieved from https://nypost.com/2017/11/06/apple-avoids-ireland-tax-rate-by-moving-operation-to-island-of-jersey/

Ian Barwise

experienced privacy & security engineer **stepping away from blogging for an undetermined amount of time to focus elsewhere**