Privacy Roundup #0133 • August 2017
August 2017 paired landmark wins for privacy as a right with a steady drumbeat of breaches, leaks and state surveillance overreach.
1. India's Supreme Court declares privacy a fundamental right
A nine-judge bench ruled unanimously that the right to privacy is intrinsic to the right to life and personal liberty under the Indian constitution. The judgment overruled decades of contrary precedent and reshaped the legal fight over the Aadhaar identity scheme.
2. DreamHost fights a DOJ demand for 1.3 million visitor IP addresses
The Department of Justice served a warrant seeking the IP addresses of everyone who had visited an anti-Trump protest website hosted by DreamHost. The host resisted the demand as a sweeping intrusion that would chill free association and free speech.
3. Uber settles with the FTC over deceptive privacy claims
The Federal Trade Commission announced that Uber had agreed to settle allegations it misrepresented how it monitored employee access to rider data and how well it secured that data. The deal commits Uber to a comprehensive privacy programme and twenty years of independent audits.
4. A spambot leaks 711 million email addresses
Security researchers uncovered an open server holding the Onliner spambot's haul of 711 million email addresses, the largest single dataset Have I Been Pwned had loaded to date. The records were being used to spread the Ursnif banking trojan to Windows machines.
5. FBI arrests WannaCry researcher Marcus Hutchins
Marcus Hutchins, who had stopped the WannaCry outbreak months earlier, was arrested by the FBI as he prepared to fly home from the Def Con conference. He faced charges of creating and selling the Kronos banking trojan, accusations that alarmed the security research community.
6. Instagram bug exposes contact details of high-profile users
Attackers exploited a bug in an Instagram programming interface to harvest the email addresses and phone numbers of verified accounts. Instagram fixed the flaw and warned all verified users, though some of the stolen contact details were already being sold.
7. Disney sued over apps that allegedly track children
A class action alleged that dozens of Disney mobile games embedded tracking software that profiled children without parental consent. The suit named third parties including Unity, Upsight and Kochava and accused them of breaching the Children's Online Privacy Protection Act.
8. WikiLeaks reveals the CIA ExpressLane biometric exfiltration tool
WikiLeaks published documents on ExpressLane, a covert CIA tool used to siphon data from the biometric collection systems of partner agencies. It was installed under the cover of a software upgrade so that liaison officers would not realise their records were being stolen.
9. WikiLeaks publishes the CIA CouchPotato video capture tool
A further Vault 7 release detailed CouchPotato, a CIA tool that quietly captures remote video streams from IP surveillance cameras using RTSP and H.264 formats. The tool could save full footage or grab still frames whenever the picture changed significantly.
10. ICO fines TalkTalk over third-party access to customer data
The Information Commissioner's Office fined TalkTalk £100,000 after a contractor's staff gained unauthorised access to the records of tens of thousands of customers through a poorly secured portal. The penalty took the telecoms firm's total fines for data protection failures to half a million pounds.
11. Tech firms line up to build Trump's extreme vetting system
Reporting revealed that IBM, Booz Allen Hamilton, Deloitte and others had met with ICE to bid on an automated immigrant vetting tool. The system would scrape government databases and the public internet to provide continuous surveillance of foreign visitors throughout their stay.
12. Four million Time Warner Cable records exposed on open cloud storage
Researchers found unsecured Amazon storage buckets operated by vendor BroadSoft that left around four million Time Warner Cable customer records public. The exposed data included usernames, account numbers and transaction details spanning several years.
13. WikiLeaks discloses the CIA Angelfire implant framework
The final Vault 7 release of the month detailed Angelfire, a framework of components used to load and run a persistent implant on Windows machines. The documents added to a year of revelations about the agency's hacking arsenal.
14. Court orders DreamHost to comply with a narrowed warrant
A District of Columbia judge ordered DreamHost to hand over a reduced set of records while requiring the government to name who would access the data and to file a plan minimising unrelated material. The ruling trimmed but did not eliminate the demand for visitor information.
15. EFF calls for an end to biometric border screening
The Electronic Frontier Foundation urged the Department of Homeland Security to abandon its growing use of facial recognition on travellers at airports. It warned that the programme swept up citizens as well as foreigners, misidentified people of colour more often, and created fresh risks of breach and misuse.
16. Misconfigured cloud storage exposes 1.8 million Chicago voter records
A backup left in a public Amazon storage bucket by voting machine vendor ES&S exposed the records of around 1.8 million Chicago voters. The data included names, addresses, dates of birth and partial social security numbers before the bucket was secured.
17. Aetna mailing reveals customers' HIV status through envelope windows
Aetna sent letters to around 12,000 people in which the wording about filling HIV prescriptions was visible through the clear window of the envelope. Recipients said relatives had learnt their status from the exposed mail, and the insurer admitted the breach was unacceptable.
18. EFF sets out five state actions to defend digital civil liberties
After Congress rolled back federal broadband privacy rules, EFF pointed Californians to five pending state bills they could support. The measures covered broadband privacy, police surveillance transparency and limits on sharing data for immigration enforcement.
19. WikiLeaks reveals the CIA Dumbo tool for disabling webcams and microphones
A Vault 7 release detailed Dumbo, a Windows utility that field agents could run from a USB drive to detect and shut down webcams, microphones and network adapters on a target machine. The tool could also corrupt any video that surveillance cameras had already recorded, helping agents cover their tracks during physical operations.
20. Internet Society warns the DreamHost case sets a costly precedent
The Internet Society argued that the government's broad demand for visitor data risked eroding the trust that underpins the open web. It cautioned that forcing hosts to expose every visitor would discourage people from reading and associating freely online.
Enjoyed this post?
Well, you could share the post with others, follow me via RSS and/or send me a comment by email.