Privacy Roundup #0067 • February 2012

February 2012 exposed how freely mobile apps and advertising networks helped themselves to personal data, while breaches and surveillance rows piled up around the world.

1. Path uploaded users' entire address books without asking

A developer found that the Path social app sent every contact name, phone number and email address to its servers without asking. Path apologised, deleted the stored data and moved to an opt-in model after the outcry.

www.eff.org

2. Hipster apologised for grabbing address book data and called for a privacy summit

Following the Path revelations, the photo app Hipster admitted it too uploaded parts of users' iPhone address books. Its chief executive apologised, promised an opt-in fix and proposed an industry meeting on application privacy.

techcrunch.com

3. VeriSign admitted it was repeatedly hacked back in 2010

VeriSign, a company central to the internet's domain name and certificate systems, disclosed through a regulatory filing that intruders had breached it repeatedly in 2010. The firm could not say what data was taken and had not told its own senior managers until September 2011.

www.helpnetsecurity.com

4. Anonymous leaked a recorded FBI and Scotland Yard conference call

Anonymous published a seventeen-minute recording of a call between FBI and Scotland Yard investigators discussing cases against alleged hackers. The group obtained the dial-in details from an intercepted email, and the FBI confirmed the recording was genuine and illegally obtained.

www.theregister.com

5. Hackers hit a Greek ministry site in protest at austerity and ACTA

Attackers defaced a Greek justice ministry website to protest at austerity measures and the country's signing of the Anti-Counterfeiting Trade Agreement. They threatened to target Greek media sites unless Athens withdrew from the treaty.

phys.org

6. EFF demanded that Megaupload users get their seized files back

After the government shut down Megaupload, the EFF warned a federal court that innocent users' lawful files were about to be deleted from the seized servers. It argued that those users deserved notice and a fair process to recover their own data.

www.eff.org

7. Symantec confirmed its pcAnywhere source code had been leaked

Symantec verified that source code for its pcAnywhere remote access product had been posted online after an extortion attempt failed. The code came from a 2006 breach, and the company had already issued patches in anticipation of the release.

www.securityweek.com

8. Researcher cracked the Google Wallet PIN on rooted Android phones

A security researcher showed that Google Wallet stored a hash of the user's PIN on the device, where it could be brute-forced in seconds on a rooted phone. The flaw exposed card details and transaction history to anyone with access to the handset.

techcrunch.com

9. Twitter admitted storing uploaded address books for eighteen months

Twitter confirmed that its mobile "Find Friends" feature uploaded users' whole address books and kept the data for eighteen months. The company said it would reword the feature to make the upload clearer to users.

gizmodo.com

10. Report revealed hackers had roamed Nortel's network for a decade

A whistleblower told the press that suspected Chinese hackers had unrestricted access to Nortel's network for around ten years. The intruders stole executive passwords and sensitive documents, and the company largely failed to act on the breach.

www.theregister.com

11. Target's data mining was shown to predict customers' pregnancies

Reporting revealed that Target assigned shoppers a pregnancy prediction score by analysing their purchases of products such as unscented lotion and supplements. One anecdote described a father learning of his teenage daughter's pregnancy from the baby coupons she received.

www.forbes.com

12. Google was caught circumventing Safari's anti-tracking settings

Research by a Stanford student showed that Google used hidden code to set tracking cookies in Safari, which blocks third-party cookies by default. Google said the behaviour was an unintended side effect and stopped using the code.

techcrunch.com

13. Microsoft accused Google of bypassing Internet Explorer privacy settings too

Microsoft said Google used a misleading P3P policy code to slip cookies past Internet Explorer's default protections. Google replied that strict compliance with the ageing standard was impractical while offering modern web features.

www.theregister.com

14. YouPorn user emails and passwords were exposed online

More than a million email addresses and plain-text passwords from a YouPorn chat service were left on a publicly accessible server. Security experts warned affected users to change reused passwords across other sites.

www.huffingtonpost.co.uk

15. The White House unveiled a Consumer Privacy Bill of Rights

The Obama administration published a privacy blueprint and called on Congress to enact a Consumer Privacy Bill of Rights covering control, transparency and security. Leading advertising firms also committed to honour Do Not Track signals in major browsers.

obamawhitehouse.archives.gov

16. EPIC filed an emergency appeal over Google's data consolidation

EPIC appealed to the DC Circuit after a lower court ruled it could not force the FTC to act against Google's plan to merge user data. EPIC sought a ruling before the new policy took effect on the first of March.

archive.epic.org

17. WikiLeaks began publishing emails stolen from intelligence firm Stratfor

WikiLeaks started releasing around five million internal emails taken from the private intelligence company Stratfor by Anonymous. The messages, dating back to 2004, described the firm's confidential work for corporations and government agencies.

www.helpnetsecurity.com

18. Google refused EU regulators' request to pause its new privacy policy

EU data protection authorities asked Google to delay merging seventy policies into one until they had checked it against European law. Google declined, saying a pause would confuse the users it had already notified.

www.pcworld.com

19. TRENDnet home security camera flaw exposed thousands of private feeds

A coding error in TRENDnet's internet cameras let anyone view live streams without a password if they knew the device address. Feeds from hundreds of homes, including children's bedrooms, were compiled and shared on online forums after the flaw became public.

www.theregister.com

20. DataSift began selling two years of archived public tweets

DataSift launched a service letting companies mine public tweets going back two years for marketing and research. Privacy advocates warned that harvesting old posts users assumed had faded away was a significant shift.

vator.tv
