A study by Princeton researchers came to light earlier this month, revealing that over 400 of the world's most popular websites use the equivalent of hacking tools to spy on you without your knowledge or consent.
Using session replay scripts from third-party companies, websites are recording your every act, from mouse moves to clicks, to keylogging what you type, and extracting your personal info off the page. If you accidentally paste something into a text field from your clipboard, like an address or password you didn't want to type out, the scripts can record, transmit, and store that, too.
What these sites are doing with this information, and how much they anonymize or secure it, is a crapshoot.
Among top retail offenders recording your every move and mistake are Costco, Gap.com, Crate and Barrel, Old Navy, Toys R Us, Fandango, Adidas, Boots, Neiman Marcus, Nintendo, Nest, the Disney Store, and Petco.
Tech and security websites spying on users include HP.com, Norton, Lenovo, Intel, Autodesk, Windows, Kaspersky, Redhat.com, ESET.com, WP Engine, Logitech, Crunchbase, HPE.com (Hewlett Packard Enterprise), Akamai, Symantec, Comodo.com, and MongoDB.
Other sites you might recognize that are also using active session recording are RT.com, Xfinity, T-Mobile, Comcast, Sputnik News, iStockphoto, IHG (InterContinental Hotels), British Airways, NatWest, Western Union, FlyFrontier.com, Spreadshirt, Deseret News, Bose, and Chevrolet.com.
After several days of radio silence, VPN provider PureVPN has responded to criticism that it provided information which helped the FBI catch a cyberstalker. In a fairly lengthy post, the company reiterates that it never logs user activity. What it does do, however, is log both the real and assigned 'anonymous' IP addresses of users accessing its service.
In a fairly lengthy statement, PureVPN begins by confirming that it definitely doesn't log what websites a user views or what content he or she downloads. However, that's only half the problem. While it doesn't log user activity (what sites people visit or content they download), it does log the IP addresses that customers use to access the PureVPN service. These, given the right circumstances, can be matched to external activities thanks to logs carried by other web companies.
If, for instance, a user accesses a website of interest to the authorities, then that website, or the various ISPs involved in the route, can see the IP address doing the accessing. And if they look it up, they will find that it belongs to PureVPN. They would then ask PureVPN to identify the real IP address of the user who was assigned the observed PureVPN IP address at the time it was observed.
Now, if PureVPN carried no logs -- literally no logs -- it would not be able to help with this kind of inquiry. That was the case last year when the FBI approached Private Internet Access for information and the company was unable to assist.
But in this case, PureVPN does keep records of who was assigned each IP address and when, and so the user can be readily identified (albeit with the help of the user's ISP too).
It is for this reason that in TorrentFreak's annual summary of no-logging VPN providers, the very first question we ask every single company reads as follows:
Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user/users of your service? If so, what information do you hold and for how long?
Clearly, if a company answers "yes, we log incoming IP addresses and associated timestamps", any claim to total user anonymity is ended right there and then.
While not completely useless (a logging service will still stop the prying eyes of ISPs and similar surveillance, while also defeating throttling and site-blocking), if you're a whistle-blower with a job or even your life to protect, this level of protection is entirely inadequate.
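The lookup described above is worth seeing in code, because it makes clear which single record defeats anonymity. The following is an added example written for this page, not code from PureVPN, TorrentFreak or the article; every address, session and log line in it is constructed sample data (RFC 5737 documentation ranges), and the function and variable names are the example's own. It parses the IP and timestamp a website of interest would hold in its access log, then asks a provider's connection log who held that exit address at that moment, and shows the same request against a provider that keeps no such log.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Everything below is constructed sample data, not records from any
# provider or from the article.  Times are UTC.


@dataclass(frozen=True)
class Session:
    real_ip: str        # address the customer connected from (ISP-assigned)
    assigned_ip: str    # shared VPN exit address the customer was given
    start: datetime
    end: datetime


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# A provider that logs "incoming IP address + timestamp" holds a table like
# this: who sat behind each shared exit address, and during which window.
# Note that exit 198.51.100.7 is reused by two customers on the same day.
CONNECTION_LOG = [
    Session("203.0.113.10", "198.51.100.7", ts("2017-10-01T08:00:00"), ts("2017-10-01T09:30:00")),
    Session("203.0.113.25", "198.51.100.7", ts("2017-10-01T09:45:00"), ts("2017-10-01T12:00:00")),
    Session("203.0.113.40", "198.51.100.8", ts("2017-10-01T08:00:00"), ts("2017-10-01T12:00:00")),
]

# A provider that keeps no such records has nothing to search.
NO_LOGS = []

# Constructed Common Log Format line as the website of interest would record
# it.  The site sees only the VPN exit address, never the customer's own.
SAMPLE_ACCESS_LINE = (
    '198.51.100.7 - - [01/Oct/2017:10:15:00 +0000] '
    '"GET /forum/post/42 HTTP/1.1" 200 5123'
)

# client ip, ident, user, then the bracketed timestamp
CLF_PREFIX = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def parse_access_line(line: str):
    """Extract (client_ip, timestamp) from a Common Log Format line."""
    m = CLF_PREFIX.match(line)
    if m is None:
        raise ValueError("not a Common Log Format line")
    stamp = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), stamp


def match_observation(log, observed_ip: str, observed_at: datetime) -> Optional[str]:
    """The request a provider is asked to answer: which customer held
    observed_ip at observed_at?  Returns that customer's real IP, or None
    when the log cannot say (no records, or the time falls in no session)."""
    for s in log:
        if s.assigned_ip == observed_ip and s.start <= observed_at <= s.end:
            return s.real_ip
    return None


def identify_from_access_line(log, line: str) -> Optional[str]:
    """Chain the two steps: read exit IP + time off the site's access log,
    then look that pair up in the provider's connection log."""
    ip, when = parse_access_line(line)
    return match_observation(log, ip, when)


if __name__ == "__main__":
    # Logging provider: the pair (exit IP, time) resolves to one customer.
    print(identify_from_access_line(CONNECTION_LOG, SAMPLE_ACCESS_LINE))  # 203.0.113.25
    # Same exit address an hour earlier resolves to a different customer,
    # which is why the timestamp, not the IP alone, is the dangerous record.
    print(match_observation(CONNECTION_LOG, "198.51.100.7", ts("2017-10-01T09:00:00")))  # 203.0.113.10
    # A gap between sessions, or a provider with no log at all, answers nothing.
    print(match_observation(CONNECTION_LOG, "198.51.100.7", ts("2017-10-01T09:35:00")))  # None
    print(identify_from_access_line(NO_LOGS, SAMPLE_ACCESS_LINE))  # None
```

The design point is the one TorrentFreak's question targets: a shared exit address on its own maps to several customers over a day, so it is the timestamp bound to that address that turns the provider's log into an answer. Strip the time window from the session records and the lookup degrades to a list of everyone who ever used that exit; keep no records and it degrades to nothing.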
Leila has two identities, but Facebook is only supposed to know about one of them.
Leila is a sex worker. She goes to great lengths to keep separate identities for ordinary life and for sex work, to avoid stigma, arrest,
professional blowback, or clients who might be stalkers (or worse).
Her "real identity"--the public one, who lives in California, uses an academic email address, and posts about politics--joined Facebook in 2011. Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook's "People You May Know" recommendations, Leila (a name I'm using in place of either of the names she uses) was shocked to see some of her regular sex-work clients.
Despite the fact that she'd only given Facebook information from her vanilla identity, the company had somehow discerned her real-world connection to these people--and, even more horrifyingly, her account was potentially being presented to them as a friend suggestion too, outing her regular identity to them.
Because Facebook insists on concealing the methods and data it uses to link one user to another, Leila is not able to find out how the network exposed her or take steps to prevent it from happening again.
Facebook is tracking what shops you visit offline to target you with ads online. Facebook has brought in new tools for advertisers that will tell businesses whether you've been to one of their real-life shops, or at least it will for those stupidly sharing their location with the Facebook app.
Select businesses that are eligible for store visits reporting can now also create custom audiences made up of people who have recently visited their store, Facebook said in a blog post. Some of the companies already involved in this are the US department store Macy's and the fast food chain KFC.
Facebook is not the first tech company to track the whereabouts of its customers offline in this way. Google's Store Sales Measurement scheme allows the tech giant to track customer credit-card transactions -- both online and within brick-and-mortar shops.
People are to have more control over their personal data and be better protected in the digital age under new measures announced by Digital Censorship Minister Matt Hancock.
Public to have greater control over personal data - including right to be forgotten
New right to require social media platforms to delete information on children and adults when asked
In a statement of intent the Government has committed to updating and strengthening data protection laws through a new Data Protection Bill. It will provide everyone with the confidence that their data will be managed securely and safely. Research shows that more than 80% of people feel that they do not have complete control over their data.
Under the plans individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected 'tick boxes', which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past.
Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner's Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4% of global turnover, in cases of the most serious data breaches.
Matt Hancock, Minister of State for Digital, said:
Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.
The Data Protection Bill will:
Make it simpler to withdraw consent for the use of personal data
Allow people to ask for their personal data held by companies to be erased
Enable parents and guardians to give consent for their child's data to be used
Require 'explicit' consent to be necessary for processing sensitive personal data
Expand the definition of 'personal data' to include IP addresses, internet cookies and DNA
Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
Make it easier for customers to move data between service providers
New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.
Elizabeth Denham, Information
We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.
Data protection rules will also be made clearer for those who handle data, but they will be made more accountable for the data they process, with the priority on personal privacy rights. Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved.
The Bill will bring the European Union's General Data Protection Regulation (GDPR) into UK law, helping Britain prepare for a successful Brexit.
Lobbyists for Google, Facebook, and other websites are trying to stop the implementation of a proposed law in the US that would strengthen consumer privacy protections online.
Representative Marsha Blackburn last week proposed a bill that would require broadband providers and websites to obtain users' opt-in consent before they use Web browsing history and application usage history for advertising and other purposes, or before they share that information with other entities. The rule in Blackburn's BROWSER Act is similar to a previous proposal blocked by Republicans in Congress and President Donald Trump.
Currently the internet industry claims to be self-regulating, with mechanisms in which websites let visitors opt out of personalized advertising based on browsing history. However, these rules do not restrict internet companies from gathering such intrusive personal information in the first place.
Naturally, lobbyists are trying to stop this from taking effect. The Internet Association yesterday issued a statement claiming that the bill will somehow diminish consumer experience and will stifle innovation. The Internet Association's founding members include Google, Facebook, Amazon, Dropbox, eBay, Microsoft, Netflix, PayPal, Reddit, Spotify, Twitter, and about 30 other Web companies.
Germany's telecommunications watchdog has ordered parents to destroy or disable a smart doll because the toy can be used to illegally spy on children. The My Friend Cayla doll, which is manufactured by the US company Genesis Toys and distributed in Europe by Guildford-based Vivid Toy Group, allows children to access the internet via speech recognition software, and to control the toy via an app.
But Germany's Federal Network Agency announced this week that it has classified Cayla as an illegal espionage apparatus. As a result, retailers and owners could face fines if they continue to stock it or fail to permanently disable the doll's wireless connection.
Under German law it is illegal to manufacture, sell or possess surveillance devices disguised as another object. According to some media reports, breaching that law can result in a jail term of up to two years.
The ruling comes after Stefan Hessel, a student at Saarbrücken University, raised concerns about the device. He explained:
Access to the doll is completely unsecured. There is no password to protect the connection.
A congressman has introduced a bill demanding that visitors to America hand over URLs to their social network accounts.
Representative Jim Banks says his proposed rules, titled the Visa Investigation and Social Media Act (VISA) of 2017, require visa applicants to provide their social media handles to immigration officials. Banks said:
We must have confidence that those entering our country do not intend us harm. Directing Homeland Security to review visa applicants' social media before granting them access to our country is common sense. Employers vet job candidates this way, and I think it's time we do the same for visa applicants.
Right now, at the US border you can be asked to give up your usernames by border officers. You don't have to reveal your public profiles, of course. However, if you're a non-US citizen, border agents don't have to let you in, either. Your devices can be seized and checked, and you can be put on a flight back, if you don't cooperate.
Banks' proposed law appears to end any uncertainty over whether or not non-citizens will have their online personas vetted: if the bill is passed, visa applicants will be required to disclose their online account names so they can be scrutinized for any unwanted behavior. For travellers on visa-waiver programs, revealing your social media accounts is and will remain optional, but again, being allowed into the country is optional, too.
Banks did not say how his bill would prevent hopefuls from deleting, or simply not listing, any accounts that may be unfavorable.
The Register reports that the bill is unlikely to progress.
Last year the state of California passed a new law that banned sites that offer paid subscriptions, and allow people to post CVs and bios, from publishing individuals' ages. The law came into effect on 1st January 2017, and it is now being challenged by IMDb, which has not taken down celebrity birthdays.
The state of California introduced the new law as a politically correct move against age-discrimination. Perhaps they would have done better to frame the birthday ban more in terms of privacy protections: date of birth is a key piece of information enabling identity fraud.
IMDb believes that the law is a violation of the First Amendment, and it says the state has chosen to chill free speech and to undermine access to factual information of public interest rather than trying to tackle age-discrimination in a more meaningful way. IMDb has now filed a lawsuit against the Californian law.