While we’ve heard and learned about our “online footprints,” in a July 21st article, Russell Brandom just wrote about a disturbing new phenomenon called “canvass fingerprinting” (www.theverge.com; “Companies have a tricky new way to track your movement across the web).
As Mr. Brandom wrote, the “canvass fingerprinting” was discovered by researchers at Princeton University. As described, this new web-tracking technology can follow users between and among websites. As Mr. Brandom reports, it is “nearly impossible to block” even if an individual has disabled cookies on his browser and isn’t logged into Facebook. Per his article, the Princeton researchers discovered that “canvass fingerprinting” is being used by 5% of the top 1,000 Internet sites including Whitehouse.gov and the official website for the State of California.
How it works is also what makes it so strong even if an individual has blocked cookies on his browser. The technology asks the browser to draw a hidden image and then uses that image to track the browser’s unique properties. Mr. Brandom reports that it appears that AddThis created “canvass fingerprinting” as part of its efforts to find alternatives to cookie tracking. Mr. Brandom also adds that AddThis might end the “canvass fingerprinting” trials as they found, he writes, that the test results are “not uniquely identifying enough.”
Whether AddThis does or doesn’t end the trials, what is clear is the important point with which Mr. Brandom ends his article. The key takeaway is that simply blocking cookies and using other means may not be enough to thwart being tracked. That is very worrisome to those of us concerned about protecting our privacy online.
This is one of those “bad news” stories. It has just been learned that back in March Chinese hackers successfully broke into very sensitive computer files maintained by the Office of Personnel Management (OPM). As reported by Michael S. Schmidt, David E. Sander and Nicole Perlroth in the New York Times, Chinese hackers were targeting tens of thousands of files on Federal employees who have applied for top-secret security clearances (www.nytimes.com; “Chinese Hackers Pursue Key Data on U.S. Workers”; July 9).
This is frightening on many levels starting with the fact that the hackers were able to breach OPM’s e-QIP system which holds these, and other, employee files. Second, the amount of personal and sensitive information that is contained in these top-secret security clearance applications makes it a treasure trove for hackers. Applicants have to provide an array of sensitive information including, names of foreign contacts, financial data, and details about prior employment.
Senior officials and spokespersons for OPM and the Department of Homeland Security (DHS) have said that neither agency had “identified any loss of personally identifiable information.” DHS has also said it has an emergency response team assessing this breach and that the team would mitigate any risks that are identified.
While that is good news, that doesn’t mean that there couldn’t be future risks that personal and financial information has been stolen. Federal employees need to be aware of this breach and vigilantly monitor financial accounts for any unauthorized charges or changes.
Consumers are increasingly online doing all kinds of transactions. These transactions often involve sharing personal and private information. Yet consumers might not be fully aware of how that personal and private information is being used and/or ways in which they could better protect themselves.
So I was particularly interested to read about the just announced “Digital IQ” initiative being launched by the Better Business Bureau (BBB) and Acxiom. Their initiative, which other businesses and organizations will be invited to join, is going to try and help consumers become more knowledgeable about the Internet (www.bbb.org; “Better Business Bureau to Launch “Digital IQ” Initiative with Acxiom”; July 1).
How will this be done? Per the BBB announcement, the partners are going to conduct researched geared at identifying specific areas on which consumers need help in “…developing effective habits and skills for navigating the digital world. By understanding how consumer data is collected and used, as well as the tools available to exercise choice about these processes, consumers can develop a “data comfort zone.” Their initial products will be practical educational materials focusing on shopping and buying but the hope is that the initiative’s scope will expand over time to teaching consumers about other uses of data and analytics.
They’ve announced that their initial research will examine topics including:
- How consumers can become smarter shoppers to get the best deals while staying in their respective data comfort zone;
- How and when consumers should fill out marketing surveys; and
- How advertisers use location data that’s on consumers’ devices.
On June 25th, the Supreme Court issued a seminal decision addressing the convergence of privacy and the digital world. The Court held that police cannot, without a warrant, under most circumstances, search data on a cell phone taken from someone who has been arrested (Riley v. California, 573 U.S. ___ (2014); Riley). I’ve read the decision which touches on many Fourth Amendment questions. I’m not going to summarize the entire decision but want, instead, to highlight some of the overarching pivotal privacy findings.
In reaching its decision, the Court explored the realities of today’s digital world within the context of the Fourth Amendment’s protections against unreasonable warrantless searches by the government of people, their homes, papers and other effects. The Court analyzed and compared the seismic differences between the search of a single document, or of a person who has been arrested, with a search of the enormous data capacity of a cell phone — and of the “quantitatively and qualitatively” different privacy implications between those types of searches. Riley, 573 U.S. ___, at 8-9, 18-20. The Court also analyzed whether searching the data on a cell phone fell within the legally recognized exception to the warrant rule, i.e., the reasonableness of a warrantless search incident to a lawful arrest.
Briefly, here are some of the key privacy findings by the Court:
- The Court found that cell phones, and a search of them, are significantly different, raising corresponding privacy concerns, than searches of other objects. In comparing a potential search of data on a cell phone to searches of individuals or other objects, the Court wrote that “[m]odern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.” (Riley, 573 U.S. ___, at 17).
- The Court found greater privacy considerations arise from a search of cell phone data precisely because of the volume and range of what can be collected and retained on a cell phone. That very data capacity distinguishes that search from the search of, for example, an individual as the latter “…was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy.” (Riley, 573 U.S. ___, at 17).
- The Court’s opinion recognized the significance, from a privacy perspective, of the diversity and volume of data collected on a cell phone. Unlike a single paper record or document, the sheer quantity and range of cell phone data can “…reveal much more in combination than any isolated record.” (Riley, 573 U.S. ___, at 18). A person’s activities, locations, likes, and relationships can all be constructed from cell phone data. (Riley, 573 U.S. ___, at 18-21).
- Finally, the Court noted “[t]o further complicate the scope of the privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself. Treating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter.” (Riley, 573 U.S. ___, at 21).
The Court’s opinion fully recognized the need for police to protect themselves or prevent arrested persons from escaping or that emergency situations could arise that require an immediate search of a cell phone. (Riley, 573 U.S. ___, at 10-11, 25-27). But absent those fact specific situations, police must have a warrant before searching cell phone data.
This decision establishes critical privacy protections by recognizing the central role cell phones occupy in today’s world — and their capacity for collecting and recording continuously so many inter-related aspects of our lives.
The Consumer Financial Protection Bureau (CFPB) knows that more and more consumers are using mobile devices for accessing financial services, transacting banking and other financial activities and managing their personal finances. To help consumers, the CFPB, on June 11th, issued a very helpful guide titled “Tips when using mobile devices for financial services” (http://files.consumerfinance.gov/f/201406_cfpb_consumer-tips_mobile-rfi.pdf). This one pager is an excellent resource.
Here’s a short summary of the CPFB’s top 6 consumer tips for using mobile devices in a safer way for financial transactions:
- Set up alerts on the mobile device(s) and always check account balances;
- Protect personal information and be cautious about accessing financial accounts or conducting financial transactions on a mobile device shared with someone else;
- Use strong passwords and don’t save them on phones;
- Immediately report the loss or theft of a mobile device to every financial institution and financial service used;
- Always use secure websites or apps; and
- Always remember to delete sensitive information when replacing an existing phone or device with a new one.
As the CFPB notes, some of these tips might be obvious but that doesn’t make them any less important or valuable to remember to do.
Most consumers know that their online shopping activities are being tracked by merchants and advertisers. But, Hayley Tsukayama, in her June 9th “The Switch” column for The Washington Post, writes that many consumers aren’t aware that merchants are tracking their in person shopping via the consumers’ smartphones wireless Internet connections (www.washingtonpost.com; “How Apple’s new software makes it harder for retailers to track your movements”).
So how easy is it for merchants to track consumers via their smartphones? The answer is — extremely so! How is it done? As Ms. Tsukayama reports, retailers are able to track shoppers — in their stores and even just passing by — using the unique code that smartphones emit when trying to connect to wireless networks (called the MAC address). Using these codes, merchants are able to discover how often a consumer visits a particular tore or even passes by it. Nordstrom had been using a program using these codes to track shoppers throughout its stores but stopped doing so after concerted outcry by consumer and privacy advocates.
So what’s the good news from Apple? In her column, Ms. Tsukayama reports about learning that Apple is attacking this unique code/tracking problem in the new operating system iOS 8 coming this Fall. Under Apple’s upcoming iOS 8, the code that’s generated will be randomized thus thwarting merchants’ ability to identify iPhones using unique codes. This very neat solution will help those consumers using Apple smartphones. However, consumers using other smartphones with other operating systems will still be trackable.
What’s the solution for consumers using non-Apple smartphones? An available option is one people may not want or like — and that is, turning their smartphones off when they’re shopping. I know that’s not ideal but it is one option for all of us.
There are probably very few people who haven’t had to call tech support for one or more of their electronic devices. Scammers have now come up with ways to use consumers need for those numbers for their own gain.
How do they do this? By creating and advertising fake tech support “800″ numbers. Antoine Gonsalves has written a very informative article about this scam and what industry companies are doing about it (www.cssonline.com; “Google, Facebook Unmask Tech Support Scams”; May 16). The scammers are even using the names of legitimate companies along with the fake “800″ numbers.
As Mr. Gonsalves reports, consumers who call the numbers risk providing their personal information to the scammers and downloading malicious software.
He also wrote that information about this tech support scam was included in the first report by a new non-profit called TrustinAds. TrustinAds has been launched by AOL, Facebook, Google and Twitter to help combat these types of fake online ads. I went to the TrustinAds website (TrustinAds.org) and read the May 8th press release about these fake tech support numbers (“Internet Industry Leaders Offer Tips for Consumers to Avoid Tech Support Advertising Scams”). The scope of the scam is startling — the press release included the fact that Facebook and Google have found at least 4,000 tech support scams using the names of 2,400 legitimate companies.
The TrustinAds press release is worth reading to learn how to try and avoid these tech support scams.
There are many consumers who use various LifeLock services. They will want to know about a recent security scare with the LifeLock wallet app. Excellent details about this scare are found in an article by Graham Cluley and a blog post by Todd Davis, LifeLock’s Chairman and CEO.
Mr. Cluley wrote about the fact that LifeLock very recently deleted all of the user data from its iPhone and Android apps (grahamcluley.com; “LifeLock pulls its wallet apps and deletes user data after security scare”). In his blog, Mr. Davis wrote that LifeLock deleted all of this stored user information from its services after the company found that its apps didn’t meet or comply with the security standards set by the payment card industry (www.lifelockunlocked.com; “An Important Update About LifeLock Wallet”).
Mr. Davis wrote that no user data has been compromised so that wasn’t what caused the company to take this action. He also said that nothing has affected the LifeLock subscription identity theft protection services.
However, consumers who do use LifeLock services, especially the wallet app, will want to read Mr. Cluley’s article and Mr. Davis’ blog. This is a case where consumers will want to be fully informed about what has or hasn’t happened to their personal, and often sensitive, information.
This is another “if it sounds too good to be true it just might not be” cautionary tale. Snapchat seemed like an ideal way to send photos to friends while making sure those photos would not last forever. The promise was that people using their app could send photos that would appear for up to 10 seconds on the recipients’ smartphones and then go poof!
The FTC announced the settlement on May 8th (www.ftc.gov; “Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False”). Snapchat will be monitored for 20 years by the FTC to make sure it no longer makes false and/or deceptive claims to consumers about its privacy and security measures. Additional details about the settlement can be found in the FTC announcement.
Consumers who’ve used Snapchat will want to read the FTC’s announcement to learn what personal information Snapchat might already have sent about, or collected from, them. Consumers considering using Snapchat will want to read the announcement to learn about the reality of the app.
Here’s some timely and important news for consumers using Internet Explorer. Last Thursday, May 1st, Microsoft issued the patch to fix the Internet Explorer vulnerability that had just been found. The patch is for all versions of Internet Explorer.
Microsoft also issued the security patch for Windows XP even though it had already announced it was no longer going to support it. They are doing so, per their announcement, because of the security issue happening so close to the end of this support.
What do consumers have to do to get the security patch? Nothing for those who have automatic updates turned on. Consumers who don’t get automatic updates will need to click on the “Check for Updates” button on the Windows Update portion of their Control Panel to access and install the security patch.
More details about the security patch can be found in a blog written by Adrienne Hall, General Manager, Trustworthy Computing for Microsoft on their official website (TNblogs.technet.com; “Updating Internet Explorer and Driving Security”; May 1st). Lance Ulanoff wrote an informative article about this issue and whether the security patch is coming too late (maskable.com; “Internet Explorer Gets Its Security Patch, and So Does Windows XP”; May 1st).
Consumers who use Internet Explorer but don’t get automatic updates need to follow the Microsoft directions and install the patch as soon as possible.