A concise weekly privacy digest with expert cybersecurity insights. This article is also available in Spanish here.
“The default posture of our devices and software has been to haemorrhage our most sensitive data for anyone who cared to eavesdrop upon them.” — Cory Doctorow
This week in digital privacy, why that smart TV is actually a dumb purchase in regards to your privacy and security, Microsoft 365 added features that enable employers to track your productivity, and Facebook pays out the biggest privacy settlement in history.
IoT Devices vs. Privacy
Smart TVs and other Internet of Things (IoT) devices have become ubiquitous and they sell like hotcakes. But did you know that these “smart” devices come pre-manufactured with all kinds of spy technology built into them? It’s true. Don’t believe me, watch this 2019 FBI advisory on smart TVs. While the technology these devices provide is often convenient or entertaining, IoT devices are notorious for being designed with poor or no security such as default or hard-coded passwords that are easily exploited by hackers.
IoT devices come with tons of ad-trackers (adware) on the software that runs them, microphones, and sometimes even webcams. If you buy a smart TV or other IoT device to stream entertainment, ensure update the firmware frequently (at least quarterly), change default passwords, and connect the devices to your home guest WiFi network — not your primary home WiFi network your computers are connected to. This way, you segment your security risk.
Smartphone App Privacy
Microsoft Office 365 has essentially become a workplace surveillance tool thanks to new features for personal and organizational productivity. This is a relatively new feature that provides data analytics for all connected endpoints an organization wants to track usage of. It is unclear how many companies and organizations are paying for this Microsoft service, but there is so much to unpack here with respect to privacy violations.
Should employers track your productivity? That is their right to do so but you should have some say as an employee as to how invasive they are allowed to get with it. Using advanced technologies to track how many times you send emails, check social media, use Skype, or your screen goes inactive because you went to the bathroom or God forbid, took a break (gasp!?!), in a given day or week is super-creepy in my opinion. It is guaranteed to be abused by managers.
Many fast-food chain restaurants like McDonald's have seen their businesses transform to primarily drive-thru sales due to the pandemic. Post-COVID19, however, McDonald's plans to switch up its business model by implementing geofencing technology at its restaurants so it can prepare orders for you as you geographically approach the restaurant. However, what implications does geofencing have on our privacy?
“Imagine what can happen once we start to know, ‘oh, Brian’s coming in to the restaurant,’ and what we can do,” says Lucy Brady. “We’re quite optimistic that the benefits we’re seeing now will only continue to accelerate.”
This technology will be app-based so already we know right off the bat that a “MyMcDonald’s” app will require opt-in geolocation services from your smartphone. Once the app has that access, it can then track all of your movements even when you’re nowhere near a McDonald’s and even build a customer profile on you of what food and drink items you typically order, how frequently you visit, and which restaurants you visit. I will not be opting-in. No thanks.
Data Breaches & Privacy Exposures
The pay-to-subscribe Christian faith lifestyle app Pray.com was discovered by vpnMentor security researchers to have leaked the private data of 10 million customers from improperly secured AWS S3 buckets. Among the compromised data was Personally Identifiable Information (PII) on tens of millions of users beyond even Pray.com including user-uploaded photos, home addresses, email addresses, phone numbers, donation amounts, and marital statuses. Researchers were unable to reach Pray.com despite multiple attempts, but once AWS was notified the situation was resolved. This a classic example of an irresponsible data owner.
The Louisiana State University (LSU) Health New Orleans medical centers was the victim of a data breach affecting Health Insurance Portability and Accountability Act (HIPAA) Personal Health Information (PHI) on 20 November. It appears the attack was perpetrated by compromising an employee’s email which contained HIPAA-protected PHI and a limited amount of financial banking information, dates of birth, SSNs, dates of medical services, types of medical care received, phone numbers, home addresses, and health insurance identification numbers. The hospital system wasn’t able to provide an estimate for how many patients’ PII was affected by this breach.
Facebook settled with the state of Illinois in the largest-ever U.S. privacy class-action lawsuit and agreed to pay $650 million to some 1.57 million residents of Illinois. Facebook was found to have violated the Illinois Biometric Privacy Information Act, a new law that is also being used to sue Clearview AI who claims it has the right to scrape images of people online which it uses in its AI-powered facial recognition software.
NIST SP 800–53 (rev. 5) Privacy Control of the Week
PM-15 — Security and Privacy Groups and Associations- requires organizations to establish and institutionalize contact with selected groups and associations within the security and privacy communities:
a. To facilitate ongoing security and privacy education and training for organizational personnel;
b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and
c. To share current security and privacy information, including threats, vulnerabilities, and incidents.
This control highlights the importance of staying abreast of relevant privacy legislation, news, threat, vulnerability, and incident information as well as compliance techniques, policies, and privacy issues.
Low-Tech Privacy Tips
One of the simplest low-tech privacy tips is simply to decrease your digital footprint. If you use a password manager, comb through it carefully to determine which sites you have passwords saved for that you still actually need to keep and which ones you can get rid of. Do the same thing with your email account. Go through old emails of sites you signed up for but completely forgot about and login and delete your account since you don’t need it. The last thing you need is for all of this personal information about you hosted on websites that either already have been or will soon be hacked. Get rid of it.
That’s it for this week folks, keep a low profile and be safe out there.
Trust No One. Verify Everything. Leave No Trace.