Online Privacy

NSA finally admits to spying on Americans by purchasing sensitive data

data brokers, Department of Defense, Government surveillance, Location Data, National Security Agency, NSA, Online Privacy, Policy / DJ Henderson / January 26, 2024

Leaving Americans in the dark —

Violating Americans’ privacy “not just unethical but illegal,” senator says.

Ashley Belanger – Jan 26, 2024 8: 36 pm UTC

The National Security Agency (NSA) has admitted to buying records from data brokers detailing which websites and apps Americans use, US Senator Ron Wyden (D-Ore.) revealed Thursday.

This news follows Wyden’s push last year that forced the FBI to admit that it was also buying Americans’ sensitive data. Now, the senator is calling on all intelligence agencies to “stop buying personal data from Americans that has been obtained illegally by data brokers.”

“The US government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical but illegal,” Wyden said in a letter to Director of National Intelligence (DNI) Avril Haines. “To that end, I request that you adopt a policy that, going forward,” intelligence agencies “may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Wyden suggested that the intelligence community might be helping data brokers violate an FTC order requiring that Americans are provided “clear and conspicuous” disclosures and give informed consent before their data can be sold to third parties. In the seven years that Wyden has been investigating data brokers, he said that he has not been made “aware of any company that provides such a warning to users before collecting their data.”

The FTC’s order came after reaching a settlement with a data broker called X-Mode, which admitted to selling sensitive location data without user consent and even to selling data after users revoked consent.

In his letter, Wyden referred to this order as the FTC outlining “new rules,” but that’s not exactly what happened. Instead of issuing rules, FTC settlements often serve as “common law,” signaling to marketplaces which practices violate laws like the FTC Act.

According to the FTC’s analysis of the order on its site, X-Mode violated the FTC Act by “unfairly selling sensitive data, unfairly failing to honor consumers’ privacy choices, unfairly collecting and using consumer location data, unfairly collecting and using consumer location data without consent verification, unfairly categorizing consumers based on sensitive characteristics for marketing purposes, deceptively failing to disclose use of location data, and providing the means and instrumentalities to engage in deceptive acts or practices.”

The FTC declined to comment on whether the order also applies to data purchases by intelligence agencies. In defining “location data,” the FTC order seems to carve out exceptions for any data collected outside the US and used for either “security purposes” or “national security purposes conducted by federal agencies or other federal entities.”

NSA must purge data, Wyden says

NSA officials told Wyden that not only is the intelligence agency purchasing data on Americans located in the US but that it also bought Americans’ Internet metadata.

Wyden warned that the former “can reveal sensitive, private information about a person based on where they go on the Internet, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or visiting a telehealth provider who focuses on birth control or abortion medication.” And the latter “can be equally sensitive.”

To fix the problem, Wyden wants intelligence communities to agree to inventory and then “promptly” purge the data that they allegedly illegally collected on Americans without a warrant. Wyden said that this process has allowed agencies like the NSA and the FBI “in effect” to use “their credit card to circumvent the Fourth Amendment.”

X-Mode’s practices, the FTC said, were likely to cause “substantial injury to consumers that are not outweighed by countervailing benefits to consumers or competition and are not reasonably avoidable by consumers themselves.” Wyden’s spokesperson, Keith Chu, told Ars that “the data brokers selling Internet records to the government appear to engage in nearly identical conduct” to X-Mode.

The FTC’s order also indicates “that Americans must be told and agree to their data being sold to ‘government contractors for national security purposes’ for the practice to be allowed,” Wyden said.

DoD defends shady data broker dealings

In response to Wyden’s letter to Haines, the Under Secretary of Defense for Intelligence & Security, Ronald Moultrie, said that the Department of Defense (DoD) “adheres to high standards of privacy and civil liberties protections” when buying Americans’ location data. He also said that he was “not aware of any requirement in US law or judicial opinion” forcing the DoD to “obtain a court order in order to acquire, access, or use” commercially available information that “is equally available for purchase to foreign adversaries, US companies, and private persons as it is to the US government.”

In another response to Wyden, NSA leader General Paul Nakasone told Wyden that the “NSA takes steps to minimize the collection of US person information” and “continues to acquire only the most useful data relevant to mission requirements.” That includes some commercially available information on Americans “where one side of the communications is a US Internet Protocol address and the other is located abroad,” data which Nakasone said is “critical to protecting the US Defense Industrial Base” that sustains military weapons systems.

While the FTC has so far cracked down on a few data brokers, Wyden believes that the shady practice of selling data without Americans’ informed consent is an “industry-wide” problem in need of regulation. Rather than being a customer in this sketchy marketplace, intelligence agencies should stop funding companies allegedly guilty of what the FTC has described as “intrusive” and “unchecked” surveillance of Americans, Wyden said.

According to Moultrie, DNI Haines decides what information sources are “relevant and appropriate” to aid intelligence agencies.

But Wyden believes that Americans should have the opportunity to opt out of consenting to such invasive, secretive data collection. He said that by purchasing data from shady brokers, US intelligence agencies have helped create a world where consumers have no opportunity to consent to intrusive tracking.

“The secrecy around data purchases was amplified because intelligence agencies have sought to keep the American people in the dark,” Wyden told Haines.

NSA finally admits to spying on Americans by purchasing sensitive data Read More »

Amazon Ring stops letting police request footage in Neighbors app after outcry

Amazon, amazon ring, doorbell camera, home security, home surveillance, Online Privacy, police surveillance, Policy, racial profiling, ring doorbell camera / Mike M. / January 24, 2024

Neighborhood watch —

Warrantless access may still be granted during vaguely defined “emergencies.”

Ashley Belanger – Jan 24, 2024 9: 28 pm UTC

Amazon Ring has shut down a controversial feature in its community safety app Neighbors that has allowed police to contact homeowners and request doorbell and surveillance camera footage without a warrant for years.

In a blog, head of the Neighbors app Eric Kuhn confirmed that “public safety agencies like fire and police departments can still use the Neighbors app to share helpful safety tips, updates, and community events,” but the Request for Assistance (RFA) tool will be disabled.

“They will no longer be able to use the RFA tool to request and receive video in the app,” Kuhn wrote.

Kuhn did not explain why Neighbors chose to “sunset” the RFA tool, but privacy advocates and lawmakers have long criticized Ring for helping to expand police surveillance in communities, seemingly threatening privacy and enabling racial profiling, CNBC reported. Among the staunchest critics of Ring’s seemingly tight relationship with law enforcement is the Electronic Frontier Foundation (EFF), which has long advocated for Ring and its users to stop sharing footage with police without a warrant.

In a statement provided to Ars, EFF senior policy analyst Matthew Guariglia noted that Ring had launched the RFA tool after EFF and other organizations had criticized Ring for allowing police to privately email warrantless requests for footage in the Neighbors app. Rather than end requests through the app entirely, Ring appeared to see the RFA tool as a middle ground, providing transparency about how many requests were being made, without ending police access to community members readily sharing footage on the app.

“Now, Ring hopefully will altogether be out of the business of platforming casual and warrantless police requests for footage to its users,” Guariglia said.

Moving forward, police and public safety agencies with warrants will still be able to request footage, which Amazon documents in transparency reports published every six months. These reports show thousands of search warrant requests and even more “preservation requests,” which allow government agencies to request to preserve user information for up to 90 days, “pending the receipt of a legally valid and binding order.”

“If we are legally required to comply, we will provide information responsive to the government demand,” Ring’s website says.

Ring rebrand embraces “hope and joy”

Guariglia said that Ring sunsetting the RFA tool “is a step in the right direction,” but it has “come after years of cozy relationships with police and irresponsible handling of data” that has, for many, damaged trust in Ring.

In 2022, EFF reported that Ring admitted that “there are ’emergency’ instances when police can get warrantless access to Ring personal devices without the owner’s permission.” And last year, Ring reached a $5.8 million settlement with the Federal Trade Commission, refunding customers for what the FTC described as “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”

Because of this history, Guariglia said that EFF is “still deeply skeptical about law enforcement’s and Ring’s ability to determine what is, or is not, an emergency that requires the company to hand over footage without a warrant or user consent.”

EFF recommends additional steps that Ring could take to enhance user privacy, like enabling end-to-end encryption by default and turning off default audio collection, Guariglia said.

Bloomberg noted that this change to the Neighbors app comes after a new CEO, Liz Hamren, came on board, announcing that last year “Ring was rethinking its mission statement.” Because Ring was adding indoor and backyard home monitoring and business services, the company’s initial mission statement—”to reduce crime in neighborhoods”—was no longer, as founding Ring CEO Jamie Siminoff had promoted it, “at the core” of what Ring does.

In Kuhn’s blog, barely any attention is given to ending the RFA tool. A Ring spokesperson declined to tell Ars how many users had volunteered to use the tool, so it remains unclear how popular it was.

Rather than clarifying the RFA tool controversy, Kuhn’s blog primarily focused on describing how much Ring users loved “heartwarming or silly” footage like a “bear relaxing in a pool.” Under Hamren and Kuhn’s guidance, it appears that the Neighbors app is embracing a new mission of connecting communities to find “hope and joy” in their areas by adding new features to Neighbors like Moments and Best of Ring.

By contrast, when Ring introduced the RFA tool, it said that its mission was “to make neighborhoods safer for everyone.” On a help page, Ring bragged that police had used Neighbors to recover stolen guns and medical supplies. Because of these selling points, Ring’s community safety features may still be priorities for some users. So, while Ring may be ready to move on from highlighting its partnership with law enforcement as a “core” part of its service, its users may still be used to seeing their cameras as tools that should be readily accessible to police.

As law enforcement agencies lose access to Neighbors’ RFA tool, Guariglia said that it’s important to raise awareness among Ring owners that police can’t demand access to footage without a warrant.

“This announcement will not stop police from trying to get Ring footage directly from device owners without a warrant,” Guariglia said. “Ring users should also know that when police knock on their door, they have the right to, and should, request that police get a warrant before handing over footage.”

Amazon Ring stops letting police request footage in Neighbors app after outcry Read More »

Patreon: Blocking platforms from sharing user video data is unconstitutional

corporate surveillance, facebook, Government surveillance, Meta Pixel, online advertising, Online Privacy, patreon, Policy, video privacy protection act / Mike M. / January 23, 2024

Patreon, a monetization platform for content creators, has asked a federal judge to deem unconstitutional a rarely invoked law that some privacy advocates consider one of the nation’s “strongest protections of consumer privacy against a specific form of data collection.” Such a ruling would end decades that the US spent carefully shielding the privacy of millions of Americans’ personal video viewing habits.

The Video Privacy Protection Act (VPPA) blocks businesses from sharing data with third parties on customers’ video purchases and rentals. At a minimum, the VPPA requires written consent each time a business wants to share this sensitive video data—including the title, description, and, in most cases, the subject matter.

The VPPA was passed in 1988 in response to backlash over a reporter sharing the video store rental history of a judge, Robert Bork, who had been nominated to the Supreme Court by Ronald Reagan. The report revealed that Bork apparently liked spy thrillers and British costume dramas and suggested that maybe the judge had a family member who dug John Hughes movies.

Although the videos that Bork rented “revealed nothing particularly salacious” about the judge, the intent of reporting the “Bork Tapes” was to confront the judge “with his own vulnerability to privacy harms” during a time when the Supreme Court nominee had “criticized the constitutional right to privacy” as “a loose canon in the law,” Harvard Law Review noted.

Even though no harm was caused by sharing the “Bork Tapes,” policymakers on both sides of the aisle agreed that First Amendment protections ought to safeguard the privacy of people’s viewing habits, or else risk chilling their speech by altering their viewing habits. The US government has not budged on this stance since, supporting a lawsuit filed in 2022 by Patreon users who claimed that while no harms were caused, damages are owed after Patreon allegedly violated the VPPA by sharing data on videos they watched on the platform with Facebook through Meta Pixel without users’ written consent.

“Restricting the ability of those who possess a consumer’s video purchase, rental, or request history to disclose such information directly advances the goal of keeping that information private and protecting consumers’ intellectual freedom,” the Department of Justice’s brief said.

The Meta Pixel is a piece of code used by companies like Patreon to better target content to users by tracking their activity and monitoring conversions on Meta platforms. “In simplest terms,” Patreon users said in an amended complaint, “the Pixel allows Meta to know what video content one of its users viewed on Patreon’s website.”

The Pixel is currently at the center of a pile of privacy lawsuits, where people have accused various platforms of using the Pixel to covertly share sensitive data without users’ consent, including health and financial data.

Several lawsuits have specifically lobbed VPPA claims, which users have argued validates the urgency of retaining the VPPA protections that Patreon now seeks to strike. The DOJ argued that “the explosion of recent VPPA cases” is proof “that the disclosures the statute seeks to prevent are a legitimate concern,” despite Patreon’s arguments that the statute does “nothing to materially or directly advance the privacy interests it supposedly was enacted to protect.”

Patreon’s attack on the VPPA

Patreon has argued in a recent court filing that the VPPA was not enacted to protect average video viewers from embarrassing and unwarranted disclosures but “for the express purpose of silencing disclosures about political figures and their video-watching, an issue of undisputed continuing public interest and concern.”

That’s one of many ways that the VPPA silences speech, Patreon argued, by allegedly preventing disclosures regarding public figures that are relevant to public interest.

Among other “fatal flaws,” Patreon alleged, the VPPA “restrains speech” while “doing little if anything to protect privacy” and never protecting privacy “by the least restrictive means.”

Patreon claimed that the VPPA is too narrow, focusing only on pre-recorded videos. It prevents video service providers from disclosing to any other person the titles of videos that someone watched, but it does not necessarily stop platforms from sharing information about “the genres, performers, directors, political views, sexual content, and every other detail of pre-recorded video that those consumers watch,” Patreon claimed.

Patreon: Blocking platforms from sharing user video data is unconstitutional Read More »

Meta relents to EU, allows unlinking of Facebook and Instagram accounts

anti-competition, anticompetitive behavior, Antitrust law, Digital Markets Act, dma, EU, European Union, facebook, gdpr, General Data Protection Regulation, Instagram, Meta, online advertising, Online Privacy, Policy / Kelly Newman / January 22, 2024

Meta will allow some Facebook and Instagram users to unlink their accounts as part of the platform’s efforts to comply with the European Union’s Digital Markets Act (DMA) ahead of enforcement starting March 1.

In a blog, Meta’s competition and regulatory director, Tim Lamb, wrote that Instagram and Facebook users in the EU, the European Economic Area, and Switzerland would be notified in the “next few weeks” about “more choices about how they can use” Meta’s services and features, including new opportunities to limit data-sharing across apps and services.

Most significantly, users can choose to either keep their accounts linked or “manage their Instagram and Facebook accounts separately so that their information is no longer used across accounts.” Up to this point, linking user accounts had provided Meta with more data to more effectively target ads to more users. The perk of accessing data on Instagram’s widening younger user base, TechCrunch noted, was arguably the $1 billion selling point explaining why Facebook acquired Instagram in 2012.

Also announced today, users protected by the DMA will soon be able to separate their Facebook Messenger, Marketplace, and Gaming accounts. However, doing so will limit some social features available in some of the standalone apps.

While Messenger users choosing to disconnect the chat service from their Facebook accounts will still “be able to use Messenger’s core service offering such as private messaging and chat, voice and video calling,” Marketplace users making that same choice will have to email sellers and buyers, rather than using Facebook’s messenger service. And unlinked Gaming app users will only be able to play single-player games, severing their access to social gaming otherwise supported by linking the Gaming service to their Facebook social networks.

While Meta may have had choices other than depriving users unlinking accounts of some features, Meta didn’t really have a choice in allowing newly announced options to unlink accounts. The DMA specifically requires that very large platforms designated as “gatekeepers” give users the “specific choice” of opting out of sharing personal data across a platform’s different core services or across any separate services that the gatekeepers manage.

Without gaining “specific” consent, gatekeepers will no longer be allowed to “combine personal data from the relevant core platform service with personal data from any further core platform services” or “cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper,” the DMA says. The “specific” requirement is designed to block platforms from securing consent at sign-up, then hoovering up as much personal data as possible as new services are added in an endless pursuit of advertising growth.

As defined under the General Data Protection Regulation, the EU requiring “specific” consent stops platforms from gaining user consent for broadly defined data processing by instead establishing “the need for granularity,” so that platforms always seek consent for each “specific” data “processing purpose.”

“This is an important ‘safeguard against the gradual widening or blurring of purposes for which data is processed, after a data subject has agreed to the initial collection of the data,’” the European Data Protection Supervisor explained in public comments describing “commercial surveillance and data security practices that harm consumers” provided at the request of the FTC in 2022.

According to Meta’s help page, once users opt out of sharing data between apps and services, Meta will “stop combining your info across these accounts” within 15 days “after you’ve removed them.” However, all “previously combined info would remain combined.”

Meta relents to EU, allows unlinking of Facebook and Instagram accounts Read More »

ProtonMail vs. Tutanota: Which Encrypted Email Service Is Best?

Email Security, Encryption, Highlights, Online Privacy, Online Security, Security / Shannon Garcia / December 12, 2022

internal/modules/cjs/loader.js: 905 throw err; ^ Error: Cannot find module ‘puppeteer’ Require stack: – /home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js at Function.Module._resolveFilename (internal/modules/cjs/loader.js: 902: 15) at Function.Module._load (internal/modules/cjs/loader.js: 746: 27) at Module.require (internal/modules/cjs/loader.js: 974: 19) at require (internal/modules/cjs/helpers.js: 101: 18) at Object. (/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js:2: 19) at Module._compile (internal/modules/cjs/loader.js: 1085: 14) at Object.Module._extensions..js (internal/modules/cjs/loader.js: 1114: 10) at Module.load (internal/modules/cjs/loader.js: 950: 32) at Function.Module._load (internal/modules/cjs/loader.js: 790: 12) at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js: 75: 12) code: ‘MODULE_NOT_FOUND’, requireStack: [ ‘/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js’ ]

ProtonMail vs. Tutanota: Which Encrypted Email Service Is Best? Read More »

3 VPN Features You Should Use to Avoid VPN Blocks

Georestriction, Highlights, Online Privacy, Online Security, Security, VPN / DJ Henderson / December 1, 2022

3 VPN Features You Should Use to Avoid VPN Blocks Read More »