z3r0trust Privacy Newsletter #7–21
*Note: This article was originally published by the author on July 31, 2021. The intersection of technology, privacy, cybersecurity, policy, and legislation masterfully curated into a concise monthly privacy newsletter worth reading.
“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” — Steve Jobs, Entrepreneur
Greetings to my fellow digital privacy paranoids. In the July 2021 z3r0trust Privacy Newsletter, I cover some of the most recent data breaches and also a couple of privacy legislation tidbits including potential federal privacy law. Whoa! I know right? But don’t get your hopes up. I explain why below. Strap in, it’s going to be a wild ride (as usual).
This Month in the World of Digital Privacy
Whether data is scraped from an Application Programming Interface (API) or a website is hacked and breached, the result for the victims is the same: their private data is exposed. Sometimes this fact is lost on cybersecurity professionals who get wrapped up in the details of how a particular network intrusion was perpetrated rather than the end result, which is often even more important than how it was carried out.
500 million LinkedIn users were the victims of an April data-scraping incident in which some of their LinkedIn user data appeared on RaidForums, a popular hacker forum (Seals, 2021). LinkedIn contends that it may not have been a data breach at all but merely old breach records re-released. It is investigating the incident, but there are clearly more user records posted than in its previous data breaches, which totaled over 200 million records (Seals, 2021).
Data breaches, whether perpetrated by API scraping or some other type of website compromise, make it much easier for cybercriminals to steal victims’ identities and potentially compromise other website accounts for which the victims reused the same password. That’s why it is important to watch out for spear-phishing emails targeting you specifically, never reuse passwords across sites, change passwords if you suspect they may have been compromised, and generally search for signs that your personally identifiable information (PII) has been exposed online.
Google discovered and ousted nine Android apps, some with millions of downloads, from its Google Play app store that tricked users into entering their Facebook login credentials by promising that in-app ads would be disabled once they logged into Facebook (Goodin, 2021). Always consider whether downloading an app onto your mobile device is really worth the risk it presents. You, as the user, don’t really know what the code will do, and if you notice that it requests access to your microphone, camera, files, and/or other website accounts, ask yourself whether that is really a safe app. The answer is no. These nine apps were essentially Remote Access Trojans (RATs) that let cybercriminals compromise you and your device.
Remember also that apps can and must be updated from time to time, which means the version you originally downloaded can later be modified to do something completely different than intended, or the app may be acquired by another company that isn’t quite as privacy-focused as you would like… Mobile device apps are risky; exercise caution.
Security researchers from Northeastern University discovered that Amazon’s Echo Dots (smart speakers), and possibly other undisclosed Amazon devices, do not fully delete personal content even after users perform a factory reset (Goodin, 2021). This is because the devices store data in NAND (“not and”)-based flash memory, where deleted data is merely invalidated rather than fully wiped in order to prevent premature chip degradation, so it remains possible to retrieve sensitive user data such as Wi-Fi credentials, previous logon credentials, and the owner’s physical address (Goodin, 2021). Also of interest: the researchers found that the previous owners had failed to perform a factory reset on 61% of the 86 used Echo Dot devices they purchased on eBay or elsewhere (Goodin, 2021).
Any electronic device that has some type of built-in digital memory storage should be purged, destroyed, or wiped before disposing of it or selling it. Otherwise, there is some measure of risk, however small, that someone who knows how to forensically retrieve data from the device will get hold of your personal data. Get in the habit of properly sanitizing all of your digital devices before disposing of them, and consider whether selling your devices is worth potentially having your personal data compromised.
The hits just keep coming for Amazon, which was hit with a 746 million euro ($887 million) fine by the Luxembourg privacy regulator for failing to comply with EU GDPR personal data requirements (Shead, 2021). Amazon intends to appeal, claiming that there was no data breach of any kind and that it did not violate the EU GDPR. EU privacy regulators are able to fine any company operating in the EU as much as 4% of its annual global sales (Shead, 2021).
The health industry loan provider ClearBalance suffered a data breach as a result of a phishing attack that led to the compromise of 209,719 patients’ data earlier this year, in March 2021 (SC Staff, 2021). The breach went unnoticed by ClearBalance for a month because, well, of course, it did…
“The compromised data varied by patient and could involve names, tax identification, Social Security numbers, dates of birth, government-issued IDs, contact information, health account numbers and balances, dates of service, ClearBalance loan numbers, and other highly sensitive information. All patients will receive two years of credit monitoring and identity theft protection services.”
Privacy Lawsuits & Legislation
Two U.S. Senators, Roger Wicker (R-Miss.) and Marsha Blackburn (R-Tenn.), have introduced a federal data privacy bill called the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (U.S. Senate, 2021). As with any proposed bill, however, it remains unlikely that it will pass both the Senate and the House, be signed by the President, and actually become law.
The U.S. continues to see privacy bills introduced at the state and federal levels, but it hasn’t passed any substantial new federal privacy law in decades. Who has these politicians in their pockets? My personal prediction is that this bill will not pass because lobbyists from Big Tech will lobby against it. The bottom line: it hurts their ability to make profits. Never mind our personal privacy… Apparently, only we care about that.
California’s new Attorney General, Rob Bonta, is being pressured by the ad industry to withdraw the “Global Privacy Control” mandate. Global Privacy Control is essentially a universal opt-out signal developed by privacy advocates that allows CA residents to exercise greater control over their private data: to learn what private data companies have collected about them, have it deleted, and opt out of the sale of that data (Davis, 2021). The ad industry is apparently concerned that consumers will somehow be confused, and wants consumers to have to opt out of these data collection practices on a site-by-site basis instead of being able to do so universally (Davis, 2021). The ad industry apparently doesn’t like the Brave browser, which automatically sends the “do not sell” signal by default when visiting websites, and has many questions about it.
Privacy Control of the Month
SI-19(4) De-Identification from NIST Special Publication 800-53 revision 5. Although it is not part of one of the privacy-specific control families, removing direct identifiers from datasets (de-identification) is important and directly relates to the obfuscation of private data in systems that process PII.
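As an added illustration of what SI-19(4) asks for (this is example code written for this newsletter issue, not NIST’s or any vendor’s), the Python below drops direct identifiers from a patient-loan record, replaces fields that must still join across rows with a keyed pseudonym, coarsens the date of birth, and then flags free-text fields that smuggle an identifier back in. The field names and the sample record are constructed, loosely following the data categories in the ClearBalance notice quoted above.

```python
import hashlib
import hmac
import re

# Field names are constructed for this example, loosely following the data
# categories the ClearBalance notice lists; they are not a real schema.
DIRECT_IDENTIFIERS = {"name", "ssn", "tax_id", "government_id", "email", "phone"}
# Fields that must still join across rows (one loan, many rows) but must not be
# reversible without the key: replace them with a keyed pseudonym.
LINKABLE_FIELDS = {"loan_number", "health_account_number"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed one-way token: stable under one key, unlinkable across keys."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob: str) -> str:
    """Keep only the birth year; the oldest cohort is small, so bucket it."""
    year = int(dob[:4])  # expects YYYY-MM-DD
    return "1931 or earlier" if year <= 1931 else str(year)


def deidentify(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # direct identifiers are dropped outright, never masked
        if field in LINKABLE_FIELDS:
            out[field] = pseudonymize(str(value), key)
        elif field == "dob":
            out["birth_year"] = generalize_dob(value)
        else:
            out[field] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Free-text fields often carry identifiers back in; flag SSN-shaped text."""
    return [f for f, v in record.items() if isinstance(v, str) and SSN_RE.search(v)]


# Constructed sample record, not real data.
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "dob": "1984-06-02",
    "loan_number": "CB-00042", "health_account_number": "HA-9001",
    "balance": 1250.00, "date_of_service": "2021-03-15",
    "notes": "Patient asked to verify SSN 123-45-6789 by phone",
}
```

Running `residual_identifiers(deidentify(SAMPLE, key))` returns `["notes"]`: the structured identifiers are gone, but the notes field still needs review or redaction before the dataset counts as de-identified.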
Featured Privacy Tech Tools & Tips
Pine64’s “PinePhone” is described as “A Linux-only smartphone developed in cooperation with the community for the community.” It’s an alternative to iPhones, Android phones, Google phones, and Blackberries, among others, aimed at privacy-focused individuals who are tech-savvy enough to use alternative privacy-oriented apps rather than mainstream ones that spy on you or give away your private information.
If you own and use Amazon Echo and Ring camera devices, then Amazon has decided for you that your neighbors and passersby should be able to share the internet bandwidth that you pay for. The new technology, dubbed ‘Sidewalk’, shares “a small fraction” of your internet bandwidth with other devices in the area, turning your private home Wi-Fi network into a sort of public mesh network (Crist, 2021). While the engineering of the Sidewalk service appears, upon initial investigation, to be designed with privacy and security in mind, Amazon opted all device owners into it by default instead of making it opt-in.
Opting all device owners in by default is a problem because Amazon has no right to invade and share your home’s personal Wi-Fi network bandwidth that you pay for, whether it’s a fraction or not. The audacity of such a move from Amazon tells you everything you need to know about that company. They don’t give a f*** about your personal privacy or internet security. From a pure privacy standpoint, I recommend you disable this feature ASAP and get rid of any Amazon devices like the Echo or Ring camera. There are plenty of other IoT alternatives made by more ethical companies. I previously covered how Amazon shares Ring camera video feeds from cities all over the U.S. with law enforcement agencies, so you may really want to think about switching your home security cameras to a different brand like Wyze or a similar product.
Ad tech companies, big tech companies, governments at all levels, law enforcement agencies, and even Bob the community librarian are all doing whatever they can to maximize the collection of personal data using all manner of modern technology, from CCTV surveillance cameras to AI-powered facial recognition systems, email and browser tracking, GPS tracking via smartphone, app usage… The list goes on and on. At what point, as human beings from any country in this world, do we stop and ask ourselves when enough is enough? Or have we already gone way past the point of no return?
Never Trust. Always Verify. Think Like An Adversary.
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.
Crist, R. (2021, July 2). Amazon Sidewalk is now live. Here’s what to know before sharing your home’s bandwidth. Retrieved from https://www.cnet.com/home/smart-home/amazon-sidewalk-officially-here-what-to-know-about-sharing-home-bandwidth-community-finding/
Davis, W. (2021, July 28). Ad Industry Urges California To Retract ‘Global Privacy Control’ Mandate. Retrieved from https://www.mediapost.com/publications/article/365501/ad-industry-urges-california-to-retract-global-pr.html
Goodin, D. (2021, July 2). Apps with 5.8 million Google Play downloads stole users’ Facebook passwords. Retrieved from https://arstechnica.com/gadgets/2021/07/google-boots-google-play-apps-for-stealing-users-facebook-passwords/
Goodin, D. (2021, July 5). Echo Dots Store a Wealth of Data — Even After You Reset Them. Retrieved from https://www.wired.com/story/amazon-echo-dots-store-user-data-even-after-reset/
SC Staff. (2021, July 16). Phishing attack on loan provider ClearBalance breaches data of 200K patients. Retrieved from https://www.scmagazine.com/analysis/breach/phishing-attack-on-loan-provider-clearbalance-breaches-data-of-200k-patients
Seals, T. (2021, June 28). Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground. Retrieved from https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/
Shead, S. (2021, July 30). Amazon hit with $887 million fine by European privacy watchdog. Retrieved from https://www.cnbc.com/2021/07/30/amazon-hit-with-fine-by-eu-privacy-watchdog-.html
U.S. Senate. (2021, July 28). Wicker, Blackburn Introduce Federal Data Privacy Legislation. Retrieved from https://www.commerce.senate.gov/2021/7/wicker-blackburn-introduce-federal-data-privacy-legislation