Monday, 27 July 2015

EPIC Files Complaint Against Uber's Approach to Privacy

Lately, Uber has been making headlines worldwide—a suspension in France, protests in South Africa, the defeat of a mayor in New York City.

The world is embroiled in a debate over the extent to which Uber should coexist with traditional taxi services and the louder the conversation becomes, the more distracted users are from the real issue: privacy.

Yes, Uber can feel like a win-win for driver and passenger alike, but its convenience comes at a cost.

Last month, the Electronic Privacy Information Center (EPIC) filed a complaint with the United States Federal Trade Commission regarding the presentation and content of Uber’s revised Privacy Policy, which went into effect July 15. The complaint criticized as deceptive a May 28 statement from Uber which claimed “users will be in control: they will be able to choose whether to share the data with Uber” when in fact, several clauses of the Privacy Policy show just how little control users have over their data. 

Uber, Privacy Policy, Android Uber permissions, data, New York City
Farewell, privacy: Uber's permissions for Android
Of note, Uber retains the right to track user location, regardless of permissions, and Android users must opt-in to all data requests in order to use the service:

  • If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

  • The iOS platform will alert you the first time the Uber app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Uber app seeks before you first use the app, and your use of the app constitutes your consent.
 
EPIC has further taken issue with Uber’s excessive collection of data, which ranges from contacts in a user’s phone to device information to permanent log records, especially given the young company’s questionable record regarding security, which includes launch parties that share private data and a 2014 breach of drivers’ records that took 4 months to discover and another 5 months to disclose

Recent breaches from Anthem to OPM prove that hackers know where to go for data that matters. Uber’s database of 8 million users worldwide has been described as “a sitting duck for hackers” and as its records of who-went-where-when-and-with-whom-and-what balloons, it only grows more desirable.

EPIC’s request includes an investigation into Uber’s business practices, a cessation of contact information collection and the deletion of location data upon trip completion, measures that would make Uber’s database far less attractive to hackers and far less marketable for the company itself.

Because, who knows what Uber might do with all that data? Determine the best city for a one-night stand? Orchestrate a massive political campaign? Offer it to the mayor of New York? The possibilities are endless.

Thursday, 23 July 2015

Ashley Madison Breach Redefines Ethical Hacking

Hackers known as the Impact Team have compromised the personal information of 37 million members of cheating website Ashley Madison. To date, two users' personal information has been revealed.
Avid Life Media, Ashley Madison, Krebs on Security, Impact Team, data breach, hack, Dr. Eve, digital privacy, full delete
Krebs on Security revealed part of the Impact Team's message.

The Impact Team's motivation? To shut the website down.

At issue is Ashley Madison's "full delete" feature, an option that charges users to remove all evidence of their existence from the website. 

According to Krebs on Security, the Impact Team justified their actions: “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and  address, which is of course the most important information the users want removed.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Ashley Madison countered the claim in a July 20 acknowledgement of the hack: “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.” 

A closer look reveals “full delete” is just the tip of Ashley Madison’s privacy shortcomings.

In a 2012 Inc. interview, Ashley Madison founder and CEO Noel Biderman referred to his website as a “sociology experiment” and to himself as the “gatekeeper” of its data: “We realized we have so much anonymous data and we could go through our data to show the true reasons men and women have affairs, what their demographics are, whether there really is a two-year itch or a seven-year-itch.”

The fact is, hacked or not, users of Ashley Madison have long been defined by their data. Ashley Madison’s media page is littered with analyses of aggregate data. For South Africa alone, which has 175,000 users, the company has published information about when men and women login, the search terms they use and the neighborhoods of Cape Town they predominate. 

Even more disconcerting, the data has not been kept in-house. South Africa’s Dr. Eve, a couples and sex therapist, made no secret of her relationship with Ashley Madison in 2014: “In the last 18 months I have been privileged to be utilizing the database of AM for my research into Cyber Infidelity.” Dr. Eve’s research resulted in Cyber Infidelity: The New Seduction, a book that terms Ashley Madison as Dr. Eve’s “new home” and features Biderman’s praise on the front cover.

Biderman once boasted, “We’ll help you meet someone and not get caught. If you want to be clandestine, we’re an intelligent choice.” His assertion now rings hollow.

The Impact Team has asked Ashley Madison to make a choice: shut down or risk users’ privacy. Given its previous treatment of user data and lack of reaction to what has been leaked so far, Ashley Madison appears to be choosing self-interest over privacy, lending a whole new meaning to “the most recognized name in infidelity.”

Friday, 17 July 2015

Airbnb’s Kindness Campaign Overlooks Unkind Privacy Policy

Airbnb, Brian Chesky, Mankind, kindness, privacy policyGo look through their windows so you can understand their views.
Sit at their tables so you can share their tastes.
Sleep in their beds so you may know their dreams.

Airbnb’s recent ad campaign purports to explore the kindness of strangers but comes across as a little, well, unsettling.

Airbnb has defended its campaign: “Kindness is the foundation of our entire community—Airbnb hosts aren’t just sharing their homes, they’re sharing part of themselves. When guests open their doors, they’re opening their hearts and minds as well.”

In the words of Airbnb co-founder Brian Chesky, “The breakthrough of Airbnb is that it does more than give you a place to sleep—it changes the way you experience the world because when we trust in the kindness of our fellow man, we discover that the world isn’t such a scary place after all.”

All this talk of kindness is enough to make you forget that Airbnb is also a successful venture capital-backed startup, valued at $25.5 billion and third to Uber and China’s Xiaomi Corp. Its ability to raise $1.5 billion in a private funding round last month was a feat that has been matched only by Uber, China’s Alibaba, and Facebook.

Airbnb’s website boasts more than 35 million guests and 1.2 million listings in more than 34,000 cities and 190 countries worldwide. Airbnb is big and is only expected to get bigger, which is perhaps why the company has chosen to focus on kindness rather than the implications of having a significant portion of the world’s population on its platform.

Nearly simultaneous with the kindness campaign, Airbnb released updated versions of its Terms of Service and Privacy Policy earlier this month, which went into effect for new users July 6 and will go into effect for existing users on August 6.

The Privacy Policy includes few changes and is hardly unique, but is a good reminder of how not private data can be when engaging with a global platform. Of note:

Airbnb collects and analyzes your information whether you are logged in or not: “Airbnb uses cookies and other similar technologies, such as mobile application identifiers, on the Platform. We may also allow our business partners to use their cookies and other tracking technologies on the Platform. As a result, when you access or use the Platform, you will provide or make available certain information to us and to our business partners. While you may disable the usage of cookies through your browser settings, we do not change our practices in response to a "Do Not Track" signal in the HTTP header from your browser or mobile application.”

“By using the Platform, you consent that Airbnb, in its sole discretion, may, either directly or through third party companies and individuals we engage to provide services to us, review, scan, analyze, and store your communications, whether done manually or through automated means.”

“We may also receive, store and process Log Data, which is information that is automatically recorded by our servers whenever you access or use the Platform, regardless of whether you are registered with Airbnb or logged in to your Airbnb account, such as your IP Address, the date and time you access or use the Platform, the hardware and software you are using, referring and exit pages and URLs, the number of clicks, pages viewed and the order of those pages, and the amount of time spent on particular pages.”

Facebook and Google are likely sharing and collecting your information as well:  We receive, store and process information that you make available to us when accessing or using our Platform and Services. Examples include when you link your account on a third party site (e.g. Facebook) to your Airbnb account, in which case we will obtain the Personal Information that you have provided to the third party site, to the extent allowed by your settings with the third party site and authorized by you.”

“Some portions of the Platform implement Google Maps/Earth mapping services, including Google Maps API(s). Your use of Google Maps/Earth is subject to Google's terms of use and Google's privacy policy, as may be amended by Google from time to time.”

Airbnb is prepared to share your information with the government: “We will use commercially reasonable efforts to notify users about law enforcement requests for their data unless providing notice is prohibited by the legal process itself, by court order we receive, or by applicable law; or based on information supplied by law enforcement, we, in our sole discretion, believe: (a) that providing notice could create a risk of injury or death to an individual or group of individuals, (b) that the case involves potential harm to minors, or (c) that harm or fraud could be directed to Airbnb, its Members, the Platform, or Services.”

Your information is Airbnb’s asset to sell: “If Airbnb undertakes or is involved in any merger, acquisition, reorganization, sale of assets or bankruptcy or insolvency event, then we may sell, transfer or share some or all of our assets, including your Personal Information. In this event, we will notify you before your Personal Information is transferred and becomes subject to a different privacy policy.”

Airbnb claims no responsibility for your privacy: “No method of transmission over the Internet, and no method of storing electronic information, can be 100% secure. So, we cannot guarantee the absolute security of your transmissions to us and of your Personal Information that we store.”

What is most significant about Airbnb’s Privacy Policy is how commonplace it has become. The websites users around the globe have come to rely upon for everyday life are collecting, analyzing, sharing and selling our Personal Information—and making a tremendous profit in the process. If Airbnb’s kindness campaign comes across as a bit unsettling, it’s because we—the data subjects—know just what it feels like to have our windows looked through, our tables sat at and our beds slept in. Kindness, to us, is the opportunity to choose whom we invite into our lives.

Wednesday, 15 July 2015

Nigeria’s Cybercrime Law Leapfrogs Freedom of Expression


Nigeria, Cybercrime Law, Goodluck Jonathan, Cybercrime Prohibition and Prevention Act, CNBC Africa
In May, outgoing Nigerian president Goodluck Jonathan signed the Cybercrime Prohibition and Prevention Act into law. The much-awaited legislation was passed by the Senate and House of Representatives in 2014, lacking only presidential approval.

The Act establishes clear punishments for offenses including unlawful access to a computer, unlawful interception of communications, unauthorized modifications of computer data, system interference, misuse of devices, computer-related forgery and fraud, and identity theft and impersonation, as well as child pornography, cyberstalking, cybersquatting, cyberterrorism, racism and xenophobia. It is expected to curb Nigeria’s current practice of losing $2.5 billion a year to cybercrime.

A July 7 conversation on CNBC Africa brought together Niyi Ajao, Executive Director of Technology at the Nigeria Inter-Bank Settlement System (NIBSS); Ayotunde Coker, Managing Director of Rack Centre; and Yemi Saka, Partner of Advisory Service at Ernst & Young West Africa to praise the benefits of the Cybercrime Act for the financial sector. Ajao argued that “the Act we have now has come at the right time.” Saka applauded the legislation as a “right first step to take;" he and Coker advocated that the next step is an education and awareness campaign, to better inform users of how passwords and personal devices can be compromised, and also to let cybercriminals know that their actions will no longer go unnoticed.

The Information Security Society of Africa-Nigeria (ISSAN) responded favorably as well: “We are delighted that Nigeria has joined the few countries in Africa and indeed, the world at large, to have a law which provides effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, detection, prosecution and punishment of cyber-crime in the country, while also ensuring the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and piracy rights.

“For sure, it is no longer business as usual for cyber criminals. From the petty criminals operating in cybercaf├ęs to the big time hackers, email scammers and other computer-based fraudsters, the law stipulates heavy penalties which the criminals should be made aware of before they embark on their ‘suicide’ mission.”

The endless stream of praise, however, has overlooked the Cybercrime Act’s undeniable willingness to compromise freedom of expression and privacy. While there remains some uncertainty as to the final iteration of the law, key clauses in the 2014 legislation include:

  • A service provider shall, at the request of the relevant authority referred to in subsection (1) of this section or any law enforcement agency:
(a)    Preserve, hold or retain any traffic data, subscriber information or related content, or
(b)   Release any information required to be kept under subsection (1) of this section (21).
  • The right to “order a service provider, through the application of technical means to collect, record, permit, or assist competent authorities with the collection or recording of content data associated with specified communications transmitted by means of a computer system” (22).
  • The Attorney-General of the Federation will “provide appropriate legal framework, guidelines and mechanism for the blocking of offensive or inappropriate web-sites” (24).
  • The Act applies “outside Nigeria, where the victim of the offence is a citizen or resident of Nigeria” (33).

Nigeria’s Cybercrime Act advocates for conformity with the African Union Conventions on Cybersecurity, which is precisely where it has gone wrong. We said it in February and we’ll say it again: the African Union’s approach to cybersecurity is too vague, gives too much power to states and infringes upon freedom of expression and privacy. Nigeria’s legislation cracks down on cybercrime by creating a surveillance state that requires service providers to collect, record and release information; enables the government to disappear that which is offensive; and even extends Nigeria’s power beyond its boundaries.

The digital age has frequently posited that Africa is unique in its capacity to leapfrog into the technological future; Nigeria’s Cybercrime Act, however, exposes the limitations of this notion. If the solution to unfettered cybercrime is to eliminate human rights, there are clearly some steps that have been overlooked.

Thursday, 9 July 2015

Google Faces Pressure to Go Global With ‘Right to Be Forgotten’


Consumer Watchdog, a consumer advocacy group, has sent a letter to the United States Federal Trade Commission, asking for Americans to share in Europe’s ‘Right to Be Forgotten.’  
 
Google, Right to Be Forgotten, US, Europe, France, CNIL, Consumer WatchdogFor over a year, Europeans have been empowered by a court ruling to ask Google to remove search engine results that link to inadequate, irrelevant, no longer relevant or excessive personal information. To date, 280,709 requests have been made to remove 1,020,941 URLS; of these, 41% have been removed. In determining which requests to honor, Google weighs personal safety against public interest. In other words, unknown victims are likely to have outdated links removed, public figures are not.

For example, Google granted a Swedish woman’s request to remove links to pages showing her address and an Italian crime victim’s request to remove links to pages discussing the crime, but denied the requests of a UK media professional who regretted content he had posted and a well-known Polish business person who wanted to disassociate himself from a lawsuit. 

Whether links are removed or not, information will continue to exist on the internet—Google merely controls what shows up in its search results. Consumer Watchdog Privacy Project Director John M. Simpson sees the Right to Be Forgotten as a return to the days of Privacy By Obscurity. In his letter, he argued, “Before the Internet if someone did something foolish when they were young—and most of us probably did—there might well be a public record of what happened. Over time, as they aged, people tended to forget whatever embarrassing things someone did in their youth…This reality that our youthful indiscretions and embarrassments and other matters no longer relevant slipped from the general public’s consciousness is Privacy By Obscurity. The Digital Age has ended that. Everything—all our digital footprints—are instantly available with a few clicks on a computer or taps on a mobile device.” 

Simpson proceeded to berate Google for claiming to respect privacy despite not offering Americans the simple protections it offers Europeans: “Google’s own experience in Europe demonstrates that Right To Be Forgotten requests can be managed in a way that is fair and not burdensome for Google.”

Had Simpson spoken with Isabelle Falque-Pierrotin of France’s National Committee on Informatics and Liberty (CNIL), he may have thought twice about making a model of Google’s behavior in Europe. On June 12, CNIL gave Google 15 days to change its delisting practices or risk facing sanctions (a fine of 150,000 Euros). At issue is Google’s practice of limiting the Right to Be Forgotten to country-specific versions of the website, which means that a request submitted in Germany could only be removed from google.de and a request submitted in the United Kingdom from google.co.uk.

CNIL states, "In accordance with the CJEU judgement, the CNIL considers that in order to be effective, delisting must be carried out on all extensions of the search engine and that the service provided by Google search constitute a single processing."

Consumer Watchdog is right to ask Google to protect America's Right to Be Forgotten, especially following the company's recent decision to remove requested links to revenge porn. However, the consumer advocacy group needs to set its sights higher than current European practice. In a globalized world with VPNs increasingly the norm, a Right to Be Forgotten on one country's version of Google is only a click away from being very much remembered.