Privacy Roundup #0047 • June 2010
June 2010 was dominated by the AT&T iPad email breach and the widening Google Street View Wi-Fi scandal, as regulators on three continents and the United States Congress turned on the data giants.
1. AT&T leak exposes email addresses of 114,000 iPad owners
A flaw in an AT&T web application let the group Goatse Security harvest the email addresses of more than 114,000 iPad 3G buyers, including chief executives, politicians and military officers. The data was matched to SIM identifiers and handed to a news site before AT&T closed the hole.
2. FBI opens an investigation into the AT&T iPad breach
The FBI confirmed it had begun looking into the AT&T incident, treating the exposure as a potential cyber threat. The compromised records consisted of email addresses tied to identifiers that revealed the owners held iPad 3G devices on AT&T.
3. AT&T sends an apology to affected iPad customers
AT&T emailed the roughly 114,000 iPad owners whose addresses had leaked, stressing that only email addresses and SIM identifiers were exposed. The company disabled the feature that had auto-filled addresses and warned customers to watch for phishing.
4. iPad breach researcher arrested on drug charges
Andrew Auernheimer, a member of the group that exposed the AT&T flaw, was arrested in Arkansas after an FBI search warrant tied to the breach turned up narcotics. He faced several drug possession counts rather than computer charges at this stage.
5. Schneier warns the iPad leak could expose device identities
Bruce Schneier argued that the AT&T leak mattered more than it first appeared because carriers often derive subscriber identities from the exposed SIM serial numbers. With such an identity, an attacker could in principle find a phone number, track a location or run active interception attacks.
6. Senate bill stirs fears of an internet kill switch
Senators Joe Lieberman, Susan Collins and Tom Carper introduced the Protecting Cyberspace as a National Asset Act, which critics said would let the president seize control of parts of the internet during an emergency. Civil liberties groups warned that the powers were too broad and threatened free speech.
7. Twitter settles FTC charges over lax security
Twitter agreed to settle Federal Trade Commission charges that weak security had let hackers seize administrative control twice in 2009 and read private messages. The deal barred the company from misleading users about security for twenty years and required independent audits.
8. Privacy groups send Facebook an open letter on its app gap
The Electronic Frontier Foundation, the ACLU of Northern California and others wrote to Mark Zuckerberg demanding six privacy fixes. They urged Facebook to let users control which applications reach their data, to make instant personalisation opt-in and to encrypt connections by default.
9. Yahoo Mail users must opt out to keep contacts private
Yahoo planned to turn email address books into a social network in which anyone holding a user's address could receive their activity updates. The EFF warned that a contact list is not a social network and urged users to opt out before professional contacts began receiving the feed.
10. European officials say search engines still break privacy law
Europe's Article 29 working party told Google, Yahoo and Microsoft that their search log anonymisation fell short of the law. The regulators called for a maximum retention period of six months and for an external audit to verify that the data was genuinely anonymised.
11. Congress asks Apple to explain its location policy
Representatives Edward Markey and Joe Barton wrote to Apple after it changed its policy to collect and share device location data. Markey warned that Apple had to safeguard the information so that an iPhone did not become, in his phrase, an iTrack.
12. French regulator finds emails and passwords in Street View data
France's data protection authority reported that the Wi-Fi traffic captured by Google Street View cars included email content and access passwords. France was the first country to receive the data, and several others demanded copies for their own investigations.
13. Privacy International accuses Google of criminal intent
Privacy International said a technical audit showed Google had separated out and systematically stored content captured from private Wi-Fi networks. The group argued this proved the collection was deliberate and made criminal charges likely in some jurisdictions.
14. Google admits Street View Wi-Fi capture was intentional
In a letter to a House committee, Google conceded that its cars had deliberately gathered Wi-Fi data, while maintaining that the practice was lawful. Lawmakers including Henry Waxman and Joe Barton pressed for answers and called for a hearing on the matter.
15. United States attorneys general launch a Street View probe
Connecticut Attorney General Richard Blumenthal announced a multistate investigation into Google's collection of data from home and business Wi-Fi networks. He called the drive-by data sweeps a pernicious invasion of privacy, and more than thirty states joined the discussion.
16. Brussels warns the United Kingdom to strengthen data protection
The European Commission issued a formal warning that the United Kingdom had failed to meet European data protection standards. It said the Information Commissioner lacked the power to inspect, to penalise or to vet international data transfers, and gave London two months to respond.
17. Privacy group asks the FTC to investigate Spokeo
The Center for Democracy and Technology petitioned the Federal Trade Commission to investigate the data broker Spokeo. The complaint said the site sold detailed personal profiles, including wealth and ethnicity estimates, while flouting the Fair Credit Reporting Act.
18. Behavioural advertising firm Phorm reports mounting losses
Phorm, whose deep packet inspection adverts had alarmed privacy campaigners, reported that investors had lost more than 100 million dollars since 2005. The firm said it would shift operations to Brazil even as regulators there opened proceedings against it.
19. ATM skimmer sends stolen card data by text message
Brian Krebs described a skimmer kit that texts captured card numbers and PINs to the criminal, removing the need to return to the machine. The encrypted messages let thieves cash out almost as soon as a victim used a compromised cash machine.
20. Police arrest 178 people in a card cloning crackdown
A two-year investigation across fourteen countries led to the arrest of 178 people suspected of cloning credit and debit cards in a scam worth more than twenty million euros. Investigators dismantled six cloning labs and seized tens of thousands of stolen card numbers.