MacInTouch Amazon link...

privacy/data abuse and vulnerabilities

Channels
Security
Wired said:
Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records
You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look.

Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear—and the leak doesn't seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.
 


EFF (Electronic Frontier Foundation) said:
California Shopping Centers Are Spying for an ICE Contractor
A company that operates 46 shopping centers up and down California has been providing sensitive information collected by automated license plate readers (ALPRs) to Vigilant Solutions, a surveillance technology vendor that in turn sells location data to Immigrations & Customs Enforcement.
...
But ICE isn’t the only agency accessing the data. Vigilant Solutions shares data with as many as 1,000 law enforcement agencies nationwide. Through its sister company, Digital Recognition Network, Vigilant Solutions also sells ALPR data to financial lenders, insurance companies, and debt collectors.
 


BleepingComputer said:
Robocall Firm Exposes Hundreds of Thousands of US Voters' Records
RoboCent, a Virginia Beach-based political robocall firm, has exposed the personal details of hundreds of thousands of US voters, ...
... Diachenko found RoboCent's exposed AWS bucket by searching for the term "voters." He searched for this particular term because last year, he also found a gigantic MongoDB database exposing the voter records of over 19 million Californians.
... Diachenko says he notified the company about their exposed database, and they secured it shortly after his report. "We're a small shop (I'm the only developer) so keeping track of everything can be tough," a RoboCent employee told Diachenko.
 


If you have a Venmo account I recommend closing it ASAP. Their lack of common security is beyond unethical.

ZDNet said:
Venmo has no good reason to make user transactions public by default.
Venmo, the mobile payments app, won't say why it exposes users' data to the world whenever they make a transaction.

In case you missed it, Hang Do Thi Duc, a Berlin-based privacy researcher found that every time someone sent or received money using the PayPal-owned mobile app (which had over seven million users in 2017), the transaction was "public" by default and was broadcast on Venmo's API.
 


ZDNet said:
In case you missed it, Hang Do Thi Duc, a Berlin-based privacy researcher found that every time someone sent or received money using the PayPal-owned mobile app (which had over seven million users in 2017), the transaction was "public" by default and was broadcast on Venmo's API.
Uh, doy. That was literally one of the major distinguishing conceits of the service when it launched. I'm not sure why this article is acting like this is some kind of big surprise.
 


Uh, doy. That was literally one of the major distinguishing conceits of the service when it launched. I'm not sure why this article is acting like this is some kind of big surprise.
The reason is that Venmo is allowing anyone to view all transactions with complete data, not just a user's friends. From the Wikipedia link, emphasis mine:
Wikipedia said:
Venmo includes social networking interaction; it was created so friends could quickly split bills, whether that is for movies, dinner, rent, tickets, etc. When a user makes a transaction, the transaction details (stripped of the payment amount) are shared on the user's "news feed" and to the user's network of friends.
 


Ric Ford

MacInTouch
I think I'm going to refrain from expressing exactly what I think about this person's incredible behavior and related laws...
The Verge said:
Driver for Uber and Lyft live-streamed hundreds of riders on Twitch without their consent
An Uber and Lyft driver in St. Louis, Missouri has given around 700 rides since March 2018, and nearly all of them have been live-streamed on Twitch, without passenger consent. In a lengthy report, the St. Louis Post-Dispatch detailed the actions of Jason Gargac, a 32-year ride-hailing driver who took advantage of Missouri’s one-party consent laws to build up a Twitch following by live-streaming passengers — including children. At times, Gargac has inadvertently revealed the full names of his riders and what their homes and neighborhoods looked like on his channel, under the online handle “JustSmurf.”
 


The reason is that Venmo is allowing anyone to view all transactions with complete data, not just a user's friends. From the Wikipedia link, emphasis mine:
That is not anything new. If you read further down the same Wikipedia article, you'll find:
Venmo includes three social feeds: a public feed, a friends feed, and a private feed. By default, all Venmo transactions are shared publicly. Anyone who opens the app to the public feed, including people who do not themselves use Venmo, can see these publicly shared posts. The privacy settings can be changed so that all posts are either shared only with a user's Venmo contacts, or even kept private. If posts are shared only with contacts, they still appear in a friends feed, whereas private transactions are only visible to the two parties involved in the transaction. If two users involved in a single transaction have differing privacy settings, Venmo applies the most restrictive level. Users can override their overall preference for any individual transaction, including after the transaction has been made.
I checked, and the data revealed via the API is the exact same as what appears in the "feeds", so it's not exactly "complete [transaction] data." This is how it's been since the service started, so this is not something new. The social sharing is one of the core differentiating features of the service, so it should not come as a surprise to any of the users.

So again, my reaction is, well, duh. I'm struggling to figure out what's new about this "revelation", and the best I can come up with is in this article where they say, "the public-facing online data can easily be scraped and aggregated". And again, I say, well, duh. If there's a bunch of public data, of course it's easy to scrape it all up and run it through big data analytics. And, of course, they aren't even the first ones to do this.

As to the service and privacy practices itself, well, it's obvious why Venmo makes public the default setting. If it were all private by default, there would be no significant social component, because only a small percentage of users would take the initiative to change the default settings. It's just like Twitter. It's public by default and it's grown into a huge platform. If everything on Twitter started off as Protected or DM's by default (the equivalent of friends and private, respectively, on Venmo), there would be no platform. Now, obviously the oft-banal content of Twitter is much different from financial transaction content on Venmo. If I used Venmo, I would not make any of my data public. But it's obvious why Venmo has chosen that.
 


The New York Times said:
Banks and Retailers Are Tracking How You Type, Swipe and Tap
... The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors’ physical movements as they use websites and apps.

Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices.

The data collection is invisible to those being watched. Using sensors in your phone or code on websites, companies can gather thousands of data points, known as “behavioral biometrics,” to help prove whether a digital user is actually the person she claims to be.
 


Bloomberg said:
Google and Mastercard Cut a Secret Ad Deal to Track Retail Sales
For the past year, select Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S. That insight came thanks in part to a stockpile of Mastercard transactions that Google paid for.

But most of the two billion Mastercard holders aren’t aware of this behind-the-scenes tracking. That’s because the companies never told the public about the arrangement.
 


Huffington Post said:
India's Biometric Database Is Creating A Perfect Surveillance State — And U.S. Tech Companies Are On Board
Big U.S. technology companies are involved in the construction of one of the most intrusive citizen surveillance programs in history.

For the past nine years, India has been building the world’s biggest biometric database by collecting the fingerprints, iris scans and photos of nearly 1.3 billion people. For U.S. tech companies like Microsoft, Amazon and Facebook, the project, called Aadhaar (which means “proof” or “basis” in Hindi), could be a gold mine.

... Aadhaar has become deeply controversial, and the subject of a major Supreme Court of India case that will decide the future of the program as early as this month. ... Practical errors in the system have caused millions of poor Indians to lose out on aid.
 


Emphasis mine:
engadget said:
US carriers create single sign-on service that could end passwords
Project Verify may let you ditch your password manager for good.
It'd be difficult for a hacker to spoof all of the methods that Project Verify uses to establish your identity, so it seems somewhat secure. However, if someone were to steal your phone and were able to unlock the device, they could cause all kinds of chaos.
... But if the apps stick with the core version of Project Verify's login process and someone accesses your device, every service you use could be compromised.
No thanks, I'll keep using 1Password.
 


The New York Times said:
Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret
At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States — about half those in use last year. The database reviewed by The Times — a sample of information gathered in 2017 and held by one company — reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.

These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder.
 



This is one of the reasons I force-quit apps the moment I am done using them.
Turning [off] Settings > General > Background App Refresh should accomplish the same thing and save you a lot of time and battery life by not having to re-launch those apps all the time.
Is there an iOS equivalent to Little Snitch to block outgoing connections?
No, it would violate current Apple rules for iOS apps, and I doubt they will ever relax them. Best hope would be that Apple integrates a similar capability into iOS, but I suspect most users would be overwhelmed trying to figure out what all contact approval alerts mean. It would also allow the user to break apps that legitimately need location data and don't sell it.
 




The Washington Post said: Alexa has been eavesdropping on you this whole time. Turns out that Apple and Google are not totally innocent either, although Apple seems to come off best.
Alexa has been eavesdropping on you this whole time
Would you let a stranger eavesdrop in your home and keep the recordings? For most people, the answer is, “Are you crazy?”

Yet that’s essentially what Amazon has been doing to millions of us with its assistant Alexa in microphone-equipped Echo speakers. And it’s hardly alone: Bugging our homes is Silicon Valley’s next frontier.

... Saving our voices is not just an Amazon phenomenon. Apple, which is much more privacy-minded in other aspects of the smart home, also keeps copies of conversations with Siri. Apple says voice data is assigned a “random identifier and is not linked to individuals” — but exactly how anonymous can a recording of your voice be? I don’t understand why Apple doesn’t give us the ability to say not to store our recordings.

... Why do tech companies want to hold on to information from our homes? Sometimes they do it just because there’s little stopping them — and they hope it might be useful in the future.

Ask the companies why, and the answer usually involves AI.

“Any data that is saved is used to improve Siri,” Apple said.
 


The Washington Post said: Alexa has been eavesdropping on you this whole time.
Encouraging - and interesting - that the Post, owned as it is by Jeff Bezos, Amazon founder, ran this story.

Some time ago I was trying to figure out why my household was pushing against the stupid Cox Cable usage cap. Disregarding that such caps exist, that was a lot of data!

Netflix binge watching seemed the main, but not only, culprit. At least Netflix provided a user accessible history. Amazon Prime did not. Called Amazon. Passed through several layers, finally reaching a supervisor, apparently in India. She was able to give me details about usage, when, what, how much. It's all there... surely somewhere on AWS....
 


I use the NPR app in iOS/iPadOS to listen to a local NPR station
the Mac App Store showed at least two English-language FM radio apps (myTuner and OneRadio).
Years ago I was using the Pocket Casts podcatcher on both iOS and Android. There was lengthy interruption of content updates I investigated; it turned out to be a break in the Pocket Casts link back to the app developer's servers in Australia.

That was one of the most eye-opening inquiries I've ever done.

Why would a developer route connections to an RSS feed in the USA to their server in Australia, then back to users of their application? Rather simple, not only was the developer thus able to curate what podcast links it provided, it controlled them and could monitor listener behavior.

I dropped Pocket Casts for a podcatcher that didn't leave me dependent on the status of the developer's server and the USA > Australia < USA internet just to connect to podcast feeds in the USA, and which let me directly enter RSS information in the podcatcher to have direct access to content.

This is another one of those "privacy" vs. "convenience" issues. I try for privacy, where possible, which leads me to prefer the "open internet" over apps. While tracking is an issue for users of the "open internet," it's all but impossible to install an "app" without revealing identity.

NPR acquired Pocket Casts in 2018.
podcasthotdog said:
Why NPR Acquired Pocket Casts
First, we’ve seen a general move for companies in the podcast space to become ‘full stack’. That is, to expand to operate in each part of the value chain: creation, publishing, monetization and playback. ...Second, being able to insert whatever data reporting they want into the player means they will have a much clearer picture of how ads are performing and can provide that data back to the larger advertisers who are more interested in brand awareness than direct response ads. NPR has an initiative called Remote Audio Data
 


While the TechSpot article linked below fits in the increasingly popular "De-Googlification" meme, it is also useful as the most comprehensive list of privacy focused web services I've seen.
TechSpot said:
The complete list of alternatives to all Google products
Parallel universe for the super security conscious
Tom's Hardware has recently (October, 2019) reviewed three cloud storage services, including privacy and security aspects.
Before assuming adopting use of privacy focused services increases your privacy, give some consideration to what your operating system is gathering and phoning home. Android, ChromeOS, Windows 10, all do it. So does Apple, as we discussed back in June.
 


Amazon disclaimer:
As an Amazon Associate I earn from qualifying purchases.

Latest posts