Privacy Roundup #0187 • February 2022
February 2022 saw regulators challenge the ad-tech consent machine, governments retreat from face scanning, and a run of state-backed hacks and donor leaks that turned ordinary records into political weapons.
1. Belgian regulator rules the ad industry's consent framework breaks the GDPR
On 2 February the Belgian data protection authority found that IAB Europe's Transparency and Consent Framework, the pop-up system behind much of the web's targeted advertising, did not gather valid consent. It ordered the framework overhauled and imposed a fine, casting doubt over the legal basis for real-time bidding across Europe.
2. FBI confirms it tested NSO Group's Pegasus spyware for use in the United States
The bureau acknowledged that it had bought and tested a version of NSO's Pegasus, a tool called Phantom that was designed to extract data from American phone numbers. Officials said the software was used for evaluation only, but the admission deepened concern about commercial spyware reaching domestic law enforcement.
3. News Corp discloses a persistent cyberattack tied to China
On 4 February News Corp revealed that intruders had spent two years inside its networks, reading the emails and documents of journalists at outlets including The Wall Street Journal. Investigators at Mandiant attributed the espionage to actors working in China's interests, with a focus on reporters covering China.
4. Morley Companies breach exposes data on more than half a million people
The business services firm began notifying victims that a ransomware attack had exposed the personal and health records of about 521,000 employees, contractors and clients. The intrusion was discovered the previous August, yet those affected only learned of it as letters went out in early February.
5. Meta warns it may pull Facebook and Instagram from Europe over data transfers
In its annual filing, Meta said that without a fresh legal mechanism for sending European user data to the United States it might be unable to offer its main services in the region. European lawmakers responded that the bloc would not weaken its data protection standards under such pressure.
6. IRS abandons mandatory facial recognition for online tax accounts
After an outcry from lawmakers and privacy advocates, the Treasury directed the tax agency to drop its plan to make taxpayers verify their identity through ID.me's face-scanning service. Critics had warned the requirement would exclude people without suitable devices and expose sensitive biometric data to misuse.
7. Vodafone Portugal knocked offline by a deliberate cyberattack
A malicious attack on the night of 7 February disrupted Vodafone Portugal's mobile, fixed and television services across the country. The company said it found no evidence that customer data had been accessed, but the scale of the outage pointed to a serious intrusion.
8. Senate committee advances the anti-encryption EARN IT Act
The Senate Judiciary Committee voted to move forward the EARN IT Act, which campaigners warned would pressure firms to abandon strong encryption and scan private messages. The bill allows a provider's use of encryption to be treated as evidence against it, undermining secure communication.
9. France's CNIL rules that Google Analytics breaks EU data law
On 10 February the French regulator concluded that sending Google Analytics data to the United States exposed Europeans to American surveillance and so violated the GDPR. The decision, following a similar Austrian ruling, gave website operators a month to stop the transfers or switch tools.
10. Apple updates AirTags to curb stalking and unwanted tracking
Apple announced changes to its tracking devices after reports that people were planting AirTags to follow others without consent. The update added warnings during setup, louder alert tones and clearer notifications, though campaigners said the trackers still posed a danger to victims.
11. Hackers leak the donor records of Canada's Freedom Convoy
A breach of the Christian crowdfunding site GiveSendGo exposed the names, email addresses and locations of roughly 90,000 people who had funded the convoy protests. The leak revealed donations from government email addresses and members of far-right groups, turning private giving into public exposure.
12. Amnesty maps how face recognition reinforces racist policing in New York
Amnesty International published research showing that New York neighbourhoods with more non-white residents were blanketed with more facial-recognition-capable cameras. The analysis, built on crowdsourced mapping of 25,500 cameras, argued the technology amplified discriminatory stop-and-frisk policing.
13. Court lets biometric lawsuits against Clearview AI proceed
A federal judge rejected Clearview AI's First Amendment defence and allowed lawsuits over its faceprinting to move forward under Illinois biometric privacy law. The ruling held that the state's interest in protecting people from face surveillance outweighed the company's claims.
14. San Francisco police searched rape survivors' DNA to find suspects
Reports revealed that the city's police had stored DNA from sexual assault victims in a database used to investigate unrelated crimes, then charged a survivor using her own sample. Campaigners warned the practice would deter victims from reporting and was far from unique to San Francisco.
15. Red Cross blames state-backed hackers for breach of vulnerable people's data
The International Committee of the Red Cross said attackers with the resources of a state had exploited an unpatched flaw to reach records on more than 515,000 vulnerable people. Those affected included missing persons, detainees and families separated by conflict and disaster.
16. Google plans to bring its Privacy Sandbox to Android
Google said it would phase out the cross-app advertising identifier on Android over two years and replace it with Privacy Sandbox tools. The move echoed Apple's tracking restrictions, though Google framed it as preserving the advertising business while limiting data sharing.
17. Suisse Secrets leak exposes the hidden clients of a Swiss bank
A whistleblower handed journalists details of more than 30,000 Credit Suisse accounts holding over 100 billion francs, the largest leak ever from a major Swiss bank. Reporting by dozens of outlets revealed accounts linked to corrupt officials, criminals and alleged human rights abusers.
18. EFF urges the FTC to investigate a sprawling stalkerware network
The EFF asked the regulator to act after a TechCrunch investigation found that a fleet of near-identical spyware apps was harvesting the private data of at least 400,000 people. The apps shared a security flaw that exposed the very victims they were secretly tracking.
19. Nvidia confirms a breach as the Lapsus$ gang leaks company data
The chipmaker said attackers had stolen proprietary information after an intrusion claimed by the Lapsus$ group, which began leaking the haul online. The exposed material included employee credentials and password hashes, many of which were swiftly cracked.
20. Destructive wiper malware hits Ukraine as Russia invades
Researchers identified HermeticWiper, malware built to render computers unusable, striking Ukrainian organisations hours before the invasion began. Officials warned the destructive code could spill over to other countries, raising the prospect of wider collateral damage.