| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | DATA EXTRACTION | DATA CLASSIFICATION | ARTICLE EXTRACTION | |||||||||||||||||||||||||
2 | ID | PUBLICATION | BREACH DESCRIPTION | RESPONSIBLE ENTITY | ELEMENTS INVOLVED | THIRD-PARTY INVOLVED? | INFORMATIVE EXCERPTS | RELEVANCE AND COMPARISON | ACTIONS AND BACKLASH | |||||||||||||||||||
3 | C_GOOGL_01 | WSJ | "Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage." "A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018." "the Alphabet Inc. GOOG -5.00% unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+" "Google makes user data available to outside developers through more than 130 different public channels known as application programming interfaces, or APIs. These tools usually require a user’s permission to access any information, but they can be misused by unscrupulous actors posing as app developers to gain access to sensitive personal data." "The Google+ data problem, discovered as part of the Strobe audit, was the result of a flaw in an API Google created to help app developers access an array of profile and contact information about the people who sign up to use their apps, as well as the people they are connected to on Google+." "Because of a bug in the API, developers could collect the profile data of their users’ friends even if that data was explicitly marked nonpublic in Google’s privacy settings." "The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time." "Google believes up to 438 applications had access to the unauthorized Google+ data." | Keystone: Google Actors: Google+ users, developers Software platform: Google+ | YES | "the company said it is curtailing the access it gives outside developers to user data on Android smartphones and Gmail." "The episode involving Google+, which hasn’t been previously reported, shows the company’s concerted efforts to avoid public scrutiny of how it handles user information, particularly at a time when regulators and consumer privacy groups are leading a charge to hold tech giants accountable for the vast power they wield over the personal data of billions of people." "the company has no evidence that any outside developers misused the data but acknowledges it has no way of knowing for sure" "Google faced pressure to rein in developer access to Gmail earlier this year, after a Wall Street Journal examination found that developers commonly use free email apps to hook users into giving up access to their inboxes without clearly stating what data they collect." "The company’s ability to determine what was done with the data was limited because the company doesn’t have “audit rights” over its developers" "A range of factors go into determining whether a company must notify users of a potential data breach. There is no federal breach notification law in the U.S., so companies must navigate a patchwork of state laws with differing standards." "In its contracts with paid users of G Suite apps, Google tells customers it will notify them about any incidents involving their data “promptly and without undue delay” and will “promptly take reasonable steps to minimize harm.” That requirement may not apply to Google+ profile data, however, even if it belonged to a G Suite customer." "Internal lawyers advised that Google wasn’t legally required to disclose the incident to the public, the people said. Because the company didn’t know what developers may have what data, the group also didn’t believe notifying users would give any actionable benefit to the end users, the people said." | "The snafu threatens to give Google a black eye on privacy after public assurances that it was less susceptible to data gaffes like those that have befallen Facebook." "Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar will testify before Congress.”" | "The information potentially leaked via Google’s API would constitute personal information under GDPR, but because the problem was discovered in March, it wouldn’t have been covered under the European regulation." “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement." "A privacy task force formed inside Google, code named Project Strobe, has in recent months conducted a companywide audit of the company’s APIs, according to the people briefed on the process. The group is made up of more than 100 engineers, product managers and lawyers, the people said." "Google said it plans to clamp down on the data it provides outside developers through APIs." "Google, a unit of Alphabet Inc., exposed the private data of some users of its Google+ social network to outside developers, but the company said it found no evidence that developers misused data. The phrase “data breach” in a headline on an earlier version of this article could be interpreted as suggesting that data were misused. (Oct. 9, 2018)" | ||||||||||||||||||||
4 | C_GOOGL_02 | Financial Times | "A whistleblower reveals a secret transfer involving the personal data of tens of millions of people and a big tech company. Expressions of outrage follow, and regulators promise to investigate." "US healthcare provider Ascension’s decision to hand the records of 50m of its patients to Google." "The heightened attention to the vast amount of data it already holds to support its consumer advertising business prompts inevitable questions about how information belonging to companies such as Ascension is treated." | Keystone: Google Actors: Ascension, Users Software platform: Google Cloud | NO | "But the huge attention it has received points to both the risks and opportunities as large troves of valuable data are moved, wholesale, to the cloud. How this information is handled, and who reaps the value from it, are questions that will stir much wider concern." "Ascension had signed a fairly standard cloud deal with Google for its patient data to be stored and processed. This is no different to the arrangements companies in many industries have reached with public cloud providers such as Amazon Web Services or Microsoft" "This points to a particular problem for Google as it tries to build a cloud computing business" "No one asks whether a company’s data are adequately ringfenced when it is held in the IBM or Microsoft clouds." "A bigger question from deals like this, meanwhile, concerns the amount of extra value that could be created by holding data in the cloud" "For Ascension, one attraction of using Google is that the internet company will be able to supply useful new diagnostic and organisational tools to medical staff." "Companies, naturally enough, want to keep the value in these insights to themselves, and say they will use it to benefit their patient populations." "This creates one more complication for Google as it tries to build both an enterprise-grade cloud business and mass consumer services in the same company." "Companies turning to the cloud also face questions about how best to reap value from their data, while ensuring their patients remain the main beneficiaries" | "Had Ascension contracted instead with IBM — and if a few dozen IBM workers, rather than Googlers, were able to see patients’ personal data — it wouldn’t have caused a stir." "This echoes other deals that could reshape the health sector, such as Novartis’s recent agreement with Microsoft, tapping that company’s artificial intelligence technology to make more use of its data" | Google has already been faulted for its handling of personal data about a large population of patients, over the way DeepMind was able to access National Health Service data in the UK." "Google, on the other hand, has not been secret about its own desires to bring the benefits of better healthcare information to the public at large." | ||||||||||||||||||||
5 | C_GOOGL_03 | New York Times | "Regulators said that YouTube, which is owned by Google, had illegally gathered children’s data — including identification codes used to track web browsing over time — without their parents’ consent." "The penalty and changes were part of a settlement with the Federal Trade Commission and New York’s attorney general, which had accused YouTube of violating the federal Children’s Online Privacy Protection Act, or COPPA." "Regulators said that YouTube, which is owned by Google, had illegally gathered children’s data — including identification codes used to track web browsing over time — without their parents’ consent." "The site also marketed itself to advertisers as a top destination for young children, even as it told some advertising firms that they did not have to comply with the children’s privacy law because YouTube did not have viewers under 13." "The privacy case against YouTube began in 2016 after the New York attorney general’s office, which has been active in enforcing the federal children’s privacy law in the state, notified the trade commission about apparent violations of the law on the site." “Google and YouTube knowingly and illegally monitored, tracked and served targeted ads to young children just to keep advertising dollars rolling in” | Keystone: Google Actors: children (customer base?), legal representatives Software platform: Youtube (product) | NO | "Critics denounced the agreement, dismissing the fine as paltry and the required changes as inadequate for protecting children’s privacy." "YouTube then made millions of dollars by using the information harvested from children to target them with ads, regulators said." "YouTube must also obtain consent from parents before collecting or sharing personal details like a child’s name or photos, regulators said." "The move is the latest enforcement action taken by regulators in the United States against technology companies for violating users’ privacy" "But critics of the settlement, including Senator Edward J. Markey, Democrat of Massachusetts, described the $170 million penalty as a slap on the wrist for one of the world’s richest companies." "Google had simply agreed to abide by a children’s privacy law it was already obligated to comply with" "They said it was the first time a platform would have to ask its content producers to identify themselves as creators of children’s material." "Although the settlement prohibits YouTube and Google from using or sharing children’s data they have already obtained, it did not hold company executives personally accountable for illegal mining of children’s data, the agreement did not go far enough by requiring YouTube itself to proactively identify children’s videos on its platform" "Google has been forced to deal with privacy violations repeatedly in recent years. The company is subject to a 20-year federal consent order signed in 2011 for deceptive data-mining related to Buzz, a now-defunct social network. The order required Google to establish a comprehensive privacy program and prohibited it from misrepresenting how it handles personal data" "The changes required under the agreement could limit how much video makers earn on the platform because while they still make money on some kinds of ads on children’s videos, they no longer be able to profit from ads targeted at children." | "It follows a $5 billion privacy settlement between the trade commission and Facebook in July over how the company collected and handled user data." "The settlement on Wednesday is likely to have implications beyond YouTube." | "In a blog post on Wednesday about the settlement, YouTube’s chief executive, Susan Wojcicki, said that “nothing is more important than protecting kids and their privacy.” She added, “From its earliest days, YouTube has been a site for people over 13, but with a boom in family content and the rise of shared devices, the likelihood of children watching without supervision has increased.” "YouTube said that not only had it agreed to stop placing targeted ads on children’s videos, it would also stop gathering personal data about anyone who watched such videos, even if the company believed that the viewer was an adult. The company also said it would eliminate features on children’s videos, like comments and notifications, that involved the use of personal data." "In addition to relying on reports from video creators, YouTube planned to use artificial intelligence to try to identify content that targeted young audiences, like videos featuring children’s toys, games or characters." "YouTube said it would funnel $100 million to creators of children’s content over the next three years. It said it would also heavily promote YouTube Kids, its child-focused app, to shift parents away from using the main YouTube app when allowing their children to watch videos." | ||||||||||||||||||||
6 | C_GOOGL_04 | We Live Security | "A mishap involving one of Xiaomi’s security cameras has led Google to temporarily shut down access for Xiaomi devices to Google Nest Hub and Assistant." "This was after a user reported that his Xiaomi Mijia 1080p Smart IP Security Camera received still images from random people’s homes when he tried to stream the feed from his camera to his Google Nest Hub" "The security camera itself can be linked to the Google Nest line of devices using Xiaomi’s proprietary Mi Home app" | XIAOMI | Keystone: Google, Xiaomi Actors: Users Software platform/product: Mi Home, Google Nest, Google Assistant | YES | "The hub, while trying to access the camera feed, started showing still images from random locations. Some of the black-and-white, partly corrupted images even included people sleeping and a baby in a cradle, which is especially disturbing." | N/A | "Google reacted promptly: “We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices.”" "The Chinese tech giant has acknowledged the issue and said that it doesn’t take users’ privacy issues lightly: “We apologize for the inconvenience this has caused to our users. Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions,” reads Xiaomi’s statement for XDA developers." | |||||||||||||||||||
7 | C_GOOGL_05 | The Verge | "Google is alerting some users of its Google Photos service that they’ve had their private videos sent to strangers by the search giant. Google’s Takeout service, that lets people download their data, was affected by a “technical issue” between November 21st and November 25th last year. It resulted in a small number of users receiving private videos that didn’t belong to them." | Keystone: Google Actors: Users Software platform/product: Google Photos (product), Google Takeout (service) | NO | "Google’s nonchalant email alerting users doesn’t provide any details on how many people were affected, nor the amount of individual videos that were distributed incorrectly per account." "Google Photos has over 1 billion users, so even a small percentage will impact a significant number of people. Google has apologized “for any inconvenience this may have caused.”" | N/A | "Google fixed the issue after five days, and 9to5Google reports that less than 0.01 percent of Google Photos users who used Takeout were affected." "“We are notifying people about a bug that may have affected users who used Google Takeout to export their Google Photos content between November 21 and November 25,” explains a Google spokesperson in a statement to 9to5Google. “These users may have received either an incomplete archive, or videos — not photos — that were not theirs. We fixed the underlying issue and have conducted an in-depth analysis to help prevent this from ever happening again. We are very sorry this happened.”" | ||||||||||||||||||||
8 | C_AZ_01 | The Guardian | "Last year, an Amazon customer in Germany was mistakenly sent about 1,700 audio files from someone else’s Echo, providing enough information to name and locate the unfortunate user and his girlfriend. " "In San Francisco, Shawn Kinnear claimed that his Echo activated itself and said cheerfully: “Every time I close my eyes, all I see is people dying.” In Portland, Oregon, a woman discovered that her Echo had taken it upon itself to send recordings of private conversations to one of her husband’s employees. In a statement, Amazon said that the Echo must have misheard the wake word, misheard a request to send a message, misheard a name in its contacts list and then misheard a confirmation to send the message, all during a conversation about hardwood floors." "in more than one out of 10 transcripts analysed by one of Bloomberg’s sources, Alexa woke up accidentally." | AMAZON | Keystone: Amazon Actors: Users, legal representatives Software platform/product: Alexa (service), Amazon Echo (product) | NO | "CEOs are less likely to trivialise privacy concerns" "Over the past six months, Bloomberg, the Guardian, Vice News and the Belgian news channel VRT have gradually revealed that all the big five have been using human contractors to analyse a small percentage of voice-assistant recordings" "Having worked at Amazon and another big-five company, Josephson thinks this resistance to these companies is justified. “They have zero interest, in my opinion, in wondering what the impact of those products will be. To treat them as the right people to wield that power is a ludicrous situation that we wouldn’t allow in any other industry. They, frankly, are not safe guardians of the data that they’re collecting every day without us knowing.”" "Accurately interpreting voice commands by taking account of different languages, accents, tones, contexts and degrees of ambient clutter requires far more computational power than a single device can contain. Therefore, most of the work is performed in the cloud, which is how human monitors are able to collect and analyse voice recordings." "“It should be on the box,” says Dr Jeremy Gillula, the project director at the Electronic Frontier Foundation, a group that campaigns against the misuse of technology. “I doubt they thought no one would care. I think they were trying to keep it quiet because if users knew what was going on they might stop buying the devices. It was a calculated business decision.”" "Government regulation is the only thing that is going to halt more damage." "Without effective regulation, there is no defence against more invasive exploitation of voice assistants." "Tech companies rely on the myth of technological inevitability to occlude the business decisions they have made and the possibility of other models." | "we know that Facebook and Google know too much about us, yet we continue to use their services because they’re so damn convenient." "In the real world, voice recognition didn’t become commonplace until Apple launched its phone-based voice assistant, Siri, in 2011." "Apple, whose profits don’t rely primarily on data collection, uses more in-device computation and encryption at both ends. “Apple is the best at privacy,” says Estes. “At the same time, I think everyone agrees that Siri sucks.” Amazon Echo and Google Assistant are much more reliable because these companies’ business models depend on knowing so much more about you in order to microtarget advertising. They like to frame data collection as a means to improve services while playing down the immense commercial benefits" "tech companies routinely obscure the extent and nature of their data harvesting. “Google and Amazon have shown us that they’re inclined to take as much as they can until someone catches them with their hand in the cookie jar,” says Estes. “I hate to be dramatic, but I don’t think we’re ever going to feel safe from their data-collection practices" | "a spokeswoman for Amazon says: “Customer trust is at the centre of everything we do and we take customer privacy very seriously. We continuously review our practices and procedures to ensure we’re providing customers with the best experiences and privacy choices. We provide customers with several privacy controls, including the ability to review and delete their voice recordings. To help improve Alexa, we manually review an extremely small sample of Alexa requests to confirm Alexa understood and responded correctly. Customers can opt out of having their voice recordings included in that review process.”" | |||||||||||||||||||
9 | C_AZ_02 | The Conversation | "Amazon Echo and the Alexa voice assistant have had widely publicised issues with privacy." "Major privacy concerns are starting to emerge in the way Alexa devices interact with other services – risking a dystopian spiral of increasing surveillance and control." "The setup of the Echo turns Amazon into an extra gateway that every online interaction has to pass through, collecting data on each one. Alexa knows what you are searching for, listening to or sending in your messages. Some smartphones do this already, particularly those made by Google and Apple who control the hardware, software and cloud services." "Amazon’s systems appear not just designed to collect as much data as they can but also to create ways of sharing it. " "This risks embedding a culture of state surveillance in Amazon’s operations, which could have worrying consequences. We’ve seen numerous examples of law enforcement and other government bodies in democratic countries using personal data to spy on people, both in breach of the law and within it but for reasons that go far beyond the prevention of terrorism." "Even tech-savvy users don’t necessarily know the full extent of the privacy risks, and when privacy features are added, they often only make users aware after researchers or the press raise the issue." | AMAZON | Keystone: Amazon Actors: Users, legal representatives Software platform/product: Alexa (service), Amazon Echo (product) | NO | "Whether it is the amount of data they collect or the fact that they reportedly pay employees and, at times, external contractors from all over the world to listen to recordings to improve accuracy, the potential is there for sensitive personal information to be leaked through these devices." "This technology gives Amazon a huge amount of control over your data, which has long been the aim of most of the tech giants." "But it creates the possibility that Amazon could start tracking what health information we ask for through Alexa, effectively building profiles of users’ medical histories. This could be linked to online shopping suggestions, third-party ads for costly therapies, or even ads that are potentially traumatic (think women who’ve suffered miscarriages being shown baby products)." "Amazon is disturbingly quiet, evasive and reluctant to act when it comes to tackling the privacy implications of their practices, many of which are buried deep within their terms and conditions or hard-to-find settings" | "While Apple and Google – who face their own privacy issues – have similar voice assistants, they have at least made progress running the software directly on their devices so they won’t need to transfer recordings of your voice commands to their servers" "Apple has a history of resisting FBI requests for user data, and Twitter is relatively transparent about reporting on how it responds to requests from governments" | "Amazon doesn’t appear to be trying to do the same." "An Amazon spokesperson said: “Amazon does not disclose customer information in response to government demands unless we’re required to do so to comply with a legally valid and blinding order. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course." | |||||||||||||||||||
10 | C_AZ_03 | Forbes | "Amazon’s workers are viewing video clips from one of its home CCTV services to improve its AI analytics" "The scandal embroils Amazon’s indoor Cloud Cam service, which “features everything you need to help keep your home safe, with its always-ready motion detection feature helping to capture activities right from the start.”" "employees in India and Romania review clips sent by customers where the AI has triggered mistakenly. The purpose of sending the clips is to improve the AI, but it is isn’t clear that humans do so manually by marking up the footage for the system" "“At one point, on a typical day,” according to Bloomberg, “some Amazon auditors were each annotating about 150 video recordings, which were typically 20 to 30 seconds long.”" "Although the claim is that all clips are sent by users for troubleshooting, it’s not clear why some of those clips would then contain inappropriate content." | AMAZON | Keystone: Amazon Actors: Users Software platform/product: Cloud Cam (service), Amazon Echo (product) | NO | “Despite Amazon’s insistence that all the clips are provided voluntarily,” Bloomberg reported, “teams have picked up activity homeowners are unlikely to want shared, including rare instances of people having sex.”" "In any video analytics service, false alerts undermine user confidence and cause annoyance. They also lead to excess video being captured and streamed, which incurs cost. Bad news all round." "Ultimately, the focus of most video AI intrusion analytics is to identify people and vehicles, distinguishing those from environmental conditions—wind or rain, animals, or changing light conditions." " “Nowhere in the Cloud Cam user terms and conditions does Amazon explicitly tell customers that human beings are training the algorithms behind their motion detection software.”" "For the consumer AI industry, this is the perennial challenge: How to collate AI training data and improve the underlying algorithms without invading the privacy of the consumers capturing the data? Asking permission is one way—but without an incentive, why would anyone agree?" | N/A | “We take privacy seriously and put Cloud Cam customers in control of their video clips,” a company spokesperson told Bloomberg, claiming that only incorrect clips were ever viewed, and everything else remains private and viewable only by the customers themselves. | |||||||||||||||||||
11 | C_AZ_04 | Washington Post | "Aside from muting Echo’s microphone, you cannot stop Amazon from making recordings of your conversations with Alexa." "Many smart-speaker owners don’t realize it, but Amazon keeps a copy of everything Alexa records after it hears its name. Apple’s Siri, and until recently Google’s Assistant, by default also keep recordings to help train their artificial intelligences." "Alexa keeps a record of what it hears every time an Echo speaker activates. It’s supposed to record only with a “wake word” — “Alexa!” — but anyone with one of these devices knows they go rogue." "Alexa’s voice archive made headlines most recently when Bloomberg discovered Amazon employees listen to recordings to train its artificial intelligence. Amazon acknowledged that some of those employees also have access to location information for the devices that made the recordings" "Amazon acknowledges it collects data about third-party devices even when you don’t use Alexa to operate them. It says Alexa needs to know the “state” of your devices “to enable a great smart home experience.”" | AMAZON | Keystone: Amazon Actors: Users Software platform/product: Alexa (service), Amazon Echo (product) | NO | "You can manually delete past recordings if you know exactly where to look and remember to keep going back. You cannot stop Amazon from making these recordings, aside from muting the Echo’s microphone (defeating its main purpose) or unplugging the darned thing." "You can tell Amazon to delete everything it has learned about your home, but you can’t look at it or stop Amazon from continuing to collect it." "Why do tech companies want to hold on to information from our homes? Sometimes they do it just because there’s little stopping them — and they hope it might be useful in the future." "Ask the companies why, and the answer usually involves AI." | "Saving our voices is not just an Amazon phenomenon. Apple, which is much more privacy-minded in other aspects of the smart home, also keeps copies of conversations with Siri. Apple says voice data is assigned a “random identifier and is not linked to individuals”" "The unexpected leader on this issue is Google. It also used to record all conversations with its Assistant but last year quietly changed its defaults to not record what it hears after the prompt “Hey, Google.” But if you’re among the people who previously set up Assistant, you probably need to readjust your settings (check here) to “pause” recordings" "Google Assistant also collects data about the state of connected devices. But the company says it doesn’t store the history of these devices, even though there doesn’t seem to be much stopping it." "Apple does the most admirable job operating home devices by collecting as little data as possible. Its HomeKit software doesn’t report to Apple any info about what’s going on in your smart home. Instead, compatible devices talk directly, via encryption, with your iPhone, where the data stays" | "“Alexa is always getting smarter, which is only possible by training her with voice recordings to better understand requests, provide more accurate responses, and personalize the customer experience,” Beatrice Geoffrin, director of Alexa privacy, said in a statement." | |||||||||||||||||||
12 | C_AZ_05 | Observer | "nothing is ever truly erased by Amazon" "Amazon has finally admitted to saving transcripts of customers’ conversations with the popular assistant long after they’ve “deleted” them" "The admission follows a familiar Amazon pattern, in which the e-commerce giant has been forced to admit to utilizing unpopular tech practices following mounting speculation" "The company confirmed the report by saying that while thousands of workers do listen back to user audio, it’s done with good intention." | AMAZON | Keystone: Amazon Actors: Users Software platform/product: Alexa (service), Amazon Echo (product) | NO | "Senator Chris Coons of Delaware sent questions to Amazon and CEO Jeff Bezos about the company’s AI data storage practices. Back in May, Coons penned a letter asking whether recent media investigations into Alexa-powered Echo devices were true." "a Bloomberg report claimed employees working for Amazon’s Alexa division are indeed listening in on conversations between the AI assistant and customers" "Amazon has sold over 100 million Echo devices to date, making it the most popular voice assistant on the market, surpassing both Google Voice and Apple’s Siri. " | N/A | "“We take the security and privacy of our customers’ personal information seriously,” an Amazon spokesman said in a statement. “We only annotate an extremely small sample of Alexa voice recordings in order [to] improve the customer experience. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone.”" | |||||||||||||||||||
13 | C_APPL_01 | The Atlantic | "Facebook had been paying people, including teens 13 to 17 years old, to install a “research” app that extracted huge volumes of personal data from their iPhones—direct messages, photos, emails, and more. Facebook uses this information partly to improve its data profiles for advertisement, but also as a business-intelligence tool to help paint a picture of competitor behavior" "Apple, too, has benefited from just doing business with the biggest privacy offenders in the tech sector" "There’s nothing requiring Apple to distribute apps from data-hungry companies such as Google and Facebook at all." | APPLE | Keystone: Apple Actors: Users, Facebook Software platform/product: iCloud (service), iPhones (product) | YES | "After the story broke, Facebook said it would shut down the iOS version of the program." "That might look like a severe punishment that will send a strong message to Facebook, and to other companies. But it’s mostly a slap on the wrist. It gives Apple moral cover while doing little to change the data economy the company claims to oppose" "If Apple really cared about personal data, the company could take any number of actions to keep privacy violators off its platforms and away from its customers" "To distribute apps on the iPhone, creators pay an annual fee to Apple, which issues a “certificate” that allows a developer to distribute the apps they create" "Companies such as Google and Facebook get access to iPhone users by offering their apps—Messenger, Gmail, Google Maps, and so on—for download from the Apple App Store." "the App Store came along, and with it app review, the process whereby Apple evaluates the fitness of each software program for its sales channel and platform" "If Apple really objected to data-hungry business models, it could take much more aggressive action during app review" "A truly aggressive flex would see Apple ban companies whose data-collection and usage practices are incompatible with its supposedly progressive position on the matter" "Apple could invest more in its mapping services to make them more competitive, but it could also strike better deals than Google offers with the third parties that use mapping services inside their apps. If Apple wanted to put its (substantial) money where its mouth is, it could even subsidize the use of its own mapping services by developers, with the express purpose of reducing data leakage from location-oriented tools" "Apple is not a company committed to data privacy. It is a company that adopts considerably better policies than its more data-hungry competitors, but that does little to curtail the general problem" | "Facebook ran afoul of Apple because it used this system to distribute its data-collection app to consumers outside the company, which isn’t allowed" "For this privilege, Google reportedly paid Apple $9 billion in 2018, and as much as $12 billion this year." "Apple might not be directly responsible for the questionable use of that data by Google, but it facilitates the activity by making Google its default search engine, enriching itself substantially in the process." "When Google’s turn came around, Hill discovered that the Uber and Lyft apps didn’t work because they rely on the Google Maps API. Location and activity data are particularly valuable these days, too. The Intercept recently reported that Google’s smart-cities division, Sidewalk Labs, is aggregating the data extracted from users via services such as apps and reselling it to urban planners" "It tunes the operation of its own data-driven services, such as those offered in iCloud, but most of those are far less popular than their Google and Facebook competitors. " | "In response, Apple revoked Facebook’s enterprise developer certificate, saying distributing a data-collecting app to consumers “is a clear breach of their agreement with Apple.”" "Apple didn’t take a position on Facebook’s creation of a paid “research” program to extract data from users. It enforced the terms of a licensing agreement; appearing to fight for user privacy is just a side effect. Apple is flexing its contract-law muscle, not its privacy muscle, and gaining a publicity win in the process. Crucially, Apple didn’t ban Facebook from the App Store or the iPhone platform: You can still download and use Messenger." " Apple does lots of deals with those companies. Safari, the web browser that comes with every iPhone, is set up by default to route web searches through Google" "Mapping software in particular exposes the impotence of Apple’s privacy posture" "Apple’s action this week did wreak some havoc inside Facebook, as employees of the social network scrambled to look up company bus schedules or use workplace chat on internal apps that were no longer available.~ | |||||||||||||||||||
14 | C_APPL_02 | Forbes | "the Silicon Valley company is sending “a small proportion of Siri recordings are passed on to contractors working for the company around the world.”" "the audio recordings have been sent to Apple—in order to improve Siri—after an accidental activation of Siri, either though the Cupertino company’s smartwatch, the HomePod wireless speaker or one of the other Apple mobile devices including the iPhone, the iPad, or the iPod touch." "the big issue is that these voice snippets end up being accessed by humans—contractors working for the company around the world—that should not have been authorized in the first place and could provide enough details to identify a user" | APPLE | Keystone: Apple Actors: Users Software platform/product: Siri (service), products with built-in assistant (product) | NO | "“These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded, and sold. Taken to its extreme, this process creates an enduring digital profile and lets companies know you better than you may know yourself.”" "with this latest privacy gaffe, it’s hard to say that Apple is actually practicing what they've been preaching, often in direct opposition to Google or Facebook." "“there have been countless instances of recordings featuring private discussions between doctors and patients, business deals, seemingly criminal dealings, sexual encounters and so on. These recordings are accompanied by user data showing location, contact details, and app data.”" "Apple has created a false sense of privacy with their marketing messaging." | "Amazon has a team of people around the world that analyzes snippets of conversations that Alexa-powered devices secretly record and upload—without the user's consent or knowledge—to the cloud, claiming it will improve Alexa's "customer experience."" "Google admitted that it also had a team reviewing audio snippets—less than 0.2% of all audio recordings it claims." "this latest privacy scandal highlights the false sense of privacy that Apple has communicated through its marketing strategy to help distinguish itself from Amazon and Google" "In addition, and contrary to Amazon Alexa and Google Assistant, there's no way to opt-out having your audio recordings sent to Apple servers" "we found that none of the current leading digital voice assistants (Alexa, Google, and Siri) provide enough guarantees to help protect a user's privacy to recommend any of them" | "Apple does clearly stipulate in its privacy policy that it is sending to its servers "certain information such as your name, contacts, music you listen to, and searches" to help Siri recognize your pronunciation and provide better responses" | |||||||||||||||||||
15 | C_APPL_03 | Forbes | "After taking the whole month of August to thoroughly review the process that it uses to handle the recordings of Siri queries, Apple announced today that it will turn it off by default and bring the human evaluation process in-house" "Following a report published in late July by the Guardian which revealed that Apple contractors were regularly hearing confidential details on customers' Siri recordings" | APPLE | Keystone: Apple Actors: Users Software platform/product: Siri (service), products with built-in assistant (product) | NO | ""We know that customers have been concerned by recent reports of people listening to audio Siri recordings as part of our Siri quality evaluation process—which we call grading," added the Cupertino company. "We heard their concerns, immediately suspended human grading of Siri requests and began a thorough review of our practices and policies. We’ve decided to make some changes to Siri as a result."" ""We were hired for 6 months and paid $10 an hour," told one of the Apple contractors to the newspaper. "But unlike what Apple said, it was fairly easy to identify the identity of the user."" | N/A | "the U.S. technology giant decided—a week later—to temporarily stop contractors from "grading" Siri voice recordings" "Before Apple suspended grading, the process involved reviewing a small sample of audio from Siri requests—less than 0.2% according to the California-based company." "Apple still plans to resume the Siri grading program later this fall, following a Siri software update, but promised to make the following three changes" (more on article) | |||||||||||||||||||
16 | C_APPL_04 | New York Times | "It turns out that an iPhone user can call another iPhone user and listen in on that person’s conversations through the device’s microphone — even if the recipient does not answer the call." "The problem was the result of a bug and involves Apple’s FaceTime app for placing video and audio calls over an internet connection. The bug could also give a caller access to a live feed of the recipient’s camera." | APPLE | Keystone: Apple Actors: Users Software platform/product: Siri (service), products with built-in assistant (product) | NO | "The glitch is embarrassing for Apple, which is set to report disappointing financial earnings on Tuesday." "I replicated the bug using two iPhones. I began by placing a FaceTime call to the other iPhone, and while the call was ringing, I swiped up on the screen, hit add person and added myself to the conversation. From there, I was able to listen in on the recipient’s microphone, even if the person did not pick up." | N/A | "Apple said it had disabled Group FaceTime, the feature that was causing the glitch" "“We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” Apple said in a statement" | |||||||||||||||||||
17 | C_APPL_05 | The Atlantic | "The bug allows users to listen in on, or even watch, the person they are calling before that party has answered the call. It doesn’t even require any technical knowledge or esoteric hacking" "A 2014 leak of celebrities’ private iCloud photos offers an exception, but successful phishing attacks led to that breach, not a defect in Apple’s servers." | APPLE | Keystone: Apple Actors: Users Software platform/product: FaceTime (product), iCloud (service) | NO | "This FaceTime bug arrives on the heels of Apple’s apparent fall from grace, and that makes it a sign of something relatively new. Hardware and software systems are more complex than ever, and bugs are bound to arise. Most are accidental, the unexpected combination of instructions given by humans to computers, which do exactly what they are told." "The bug should also raise concerns about the ongoing drive to turn everything that once worked well into a less reliable and secure, if more convenient, computational equivalent. FaceTime isn’t expressly necessary. It’s a convenient way to make calls, especially video calls, but there are others, such as Skype." "A deliberate accident leads to a realization that FaceTime audio quality is better, which might inspire me to use it more often, and more deliberately. Eventually, as millions or billions of people do so, the relevance of the public switched telephone network might degrade, making Apple a telco as much as anything" "News about it will dissipate into the background, until eventually it will be largely forgotten." | "Microsoft aspired to a similar assault on telephony when it bought Skype and then transformed it into a corporate service." "It’s a proprietary service of Apple, and the company needs a lot more of those services to keep consumers on its high-profit devices. But slow, steady change makes services proliferate. That’s how Facebook or Google or LinkedIn went from obscurity to necessity." | "Apple has taken the group-calling service offline until a software update can be provided. In the meantime, if you have an iPhone, it’s probably a good idea to turn off FaceTime until a fix arrives." | |||||||||||||||||||
18 | C_FB_01 | New York Times | "They also underscore how personal data has become the most prized commodity of the digital age, traded on a vast scale by some of the most powerful companies in Silicon Valley and beyond." "Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages." "The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier." "In all, the deals described in the documents benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year." " Among the revelations was that Facebook obtained data from multiple partners for a controversial friend-suggestion tool called “People You May Know.”" "The feature, introduced in 2008, continues even though some Facebook users have objected to it, unsettled by its knowledge of their real-world relationships" "In the Cambridge Analytica case, a Cambridge University psychology professor created an application in 2014 to harvest the personal data of tens of millions of Facebook users for the consulting firm." | Keystone: Facebook Actors: Users, Partners, Third-party apps Software platform/product: Facebook | YES | "Pushing for explosive growth, Facebook got more users, lifting its advertising revenue. Partner companies acquired features to make their products more attractive. Facebook users connected with friends across different devices and websites. But Facebook also assumed extraordinary power over the personal information of its 2.2 billion users — control it has wielded with little transparency or outside oversight" "Facebook has been reeling from a series of privacy scandals, set off by revelations in March that a political consulting firm, Cambridge Analytica, improperly used Facebook data to build tools that aided President Trump’s 2016 campaign." "But the documents, as well as interviews with about 50 former employees of Facebook and its corporate partners, reveal that Facebook allowed certain companies access to data despite those protections." "With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself — service providers that allowed users to interact with their Facebook friends. The partners were prohibited from using the personal information for other purposes" "Data privacy experts disputed Facebook’s assertion that most partnerships were exempted from the regulatory requirements, expressing skepticism that businesses as varied as device makers, retailers and search companies would be viewed alike by the agency." "Facebook has been hammered with questions about its data sharing from lawmakers and regulators in the United States and Europe. The F.T.C. this spring opened a new inquiry into Facebook’s compliance with the consent order, while the Justice Department and Securities and Exchange Commission are also investigating the company." "Facebook began forming data partnerships when it was still a relatively young company. Mr. Zuckerberg was determined to weave Facebook’s services into other sites and platforms, believing it would stave off obsolescence and insulate Facebook from competition. Every corporate partner that integrated Facebook data into its online products helped drive the platform’s expansion, bringing in new users, spurring them to spend more time on Facebook and driving up advertising revenue. At the same time, Facebook got critical data back from its partners." "Unlike Europe, where social media companies have had to adapt to stricter regulation, the United States has no general consumer privacy law, leaving tech companies free to monetize most kinds of personal information as long as they don’t mislead their users" "Critically, many of Facebook’s special sharing partnerships were not subject to extensive privacy program reviews, two of the former employees said." "Facebook officials said the data sharing did not violate users’ privacy because it allowed access only to public data — though that included data that the social network had made public in 2009" "Facebook records show Yandex had access in 2017 to Facebook’s unique user IDs even after the social network stopped sharing them with other applications, citing privacy risks." | Some of the largest partners, including Amazon, Microsoft and Yahoo, said they had used the data appropriately, but declined to discuss the sharing deals in detail. "Few companies have better data than Facebook and its rival, Google, whose popular products give them an intimate view into the daily lives of billions of people — and allow them to dominate the digital advertising market." "As of 2017, Sony, Microsoft, Amazon and others could obtain users’ email addresses through their friends" "Spotify, which could view messages of more than 70 million users a month, still offers the option to share music through Facebook Messenger. But Netflix and the Canadian bank no longer needed access to messages because they had deactivated features that incorporated it." "These were not the only companies that had special access longer than they needed it. Yahoo, The Times and others could still get Facebook users’ personal information in 2017." "Yahoo could view real-time feeds of friends’ posts for a feature that the company had ended in 2011." "Apple officials said they were not aware that Facebook had granted its devices any special access. They added that any shared data remained on the devices and was not available to anyone other than the users" "Besides Facebook, the F.T.C. has consent agreements with Google and Twitter stemming from alleged privacy violations" "Microsoft officials said that Bing was using the data to build profiles of Facebook users on Microsoft servers" "When The Times reported last summer on the partnerships with device makers, Facebook used the term “integration partners” to describe BlackBerry, Huawei and other manufacturers that pulled Facebook data to provide social-media-style features on smartphones" "The Russian company Yandex, which has been accused of funneling information to the Kremlin, had access to Facebook data as recently as last year." | "Acknowledging that it had breached users’ trust, Facebook insisted that it had instituted stricter privacy protections long ago" "Facebook executives have acknowledged missteps over the past year. “We know we’ve got work to do to regain people’s trust,” Mr. Satterfield said. “Protecting people’s information requires stronger teams, better technology and clearer policies, and that’s where we’ve been focused for most of 2018.”" "Facebook did say that it had mismanaged some of its partnerships, allowing certain companies’ access to continue long after they had shut down the features that required the data" "Facebook has never sold its user data, fearful of user backlash and wary of handing would-be competitors a way to duplicate its most prized asset. Instead, internal documents show, it did the next best thing: granting other companies access to parts of the social network in ways that advanced its own interests." "Facebook, in turn, used contact lists from the partners, including Amazon, Yahoo and the Chinese company Huawei — which has been flagged as a security threat by American intelligence officials — to gain deeper insight into people’s relationships and suggest more connections, the records show." "Facebook’s internal records also revealed more about the extent of sharing deals with over 60 makers of smartphones, tablets and other devices, agreements first reported by The Times in June." "Facebook empowered Apple to hide from Facebook users all indicators that its devices were asking for data. Apple devices also had access to the contact numbers and calendar entries of people who had changed their account settings to disable all sharing, the records show." "Facebook enabled Apple devices to conceal that they were asking for data, making it impossible for users to disable sharing." "Facebook officials said the company had disclosed its sharing deals in its privacy policy since 2010. But the language in the policy about its service providers does not specify what data Facebook shares, and with which companies" "In late 2009, it changed the privacy settings of the 400 million people then using the service, making some of their information accessible to all of the internet. Then it shared that information, including users’ locations and religious and political leanings, with Microsoft and other partners." "Facebook called this “instant personalization” and promoted it as a step toward a better internet, where other companies would use the information to customize what people saw on sites like Bing." "In 2014, Facebook ended instant personalization and walled off access to friends’ information. But in a previously unreported agreement, the social network’s engineers continued allowing Bing; Pandora, the music streaming service; and Rotten Tomatoes, the movie and television review site, access to much of the data they had gotten for the discontinued feature." "Facebook continued the access for Pandora, the music-streaming service, and other companies even after an F.T.C. agreement led to an official change in policy." "Facebook also declined to discuss the other capabilities Bing was given, including the ability to see all users’ friends." "Since then, as the social network has disclosed its data sharing deals with other kinds of businesses — including internet companies such as Yahoo — Facebook has labeled them integration partners, too." | ||||||||||||||||||||
19 | C_FB_02 | The Guardian | "The basic facts had already been reported, in the same publication, 16 months previously: Facebook had allowed someone to extract vast amounts of private information about vast numbers of people from its system, and that entity had passed the data along to someone else, who had used it for political ends." | NO | "The culmination of all that verbosity came earlier this month, when Zuck unloaded a 3,000-word treatise on Facebook’s “privacy-focused” future (a phrase that somehow demands both regular quotation marks and ironic scare quotes), a missive that was perhaps best described by the Guardian’s Emily Bell as “the nightmarish college application essay of an accomplished sociopath”." "The so-called pivot to privacy is in many ways the logical conclusion to the earth-shaking (and market-moving) response to the Cambridge Analytica story, which plunged Facebook into the greatest crisis in its then 14-year history." "when it came to Facebook, the Cambridge Analytica story did not uncover anything new." "Facebook’s PR machine spent much of the first 24 hours after the story broke engaged in a pedantic and self-defeating argument over whether or not what had occurred constituted a “data breach”. By information security standards, Facebook was correct that what occurred was not a “data breach” – as representatives wrote, “no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked”." "The overwhelming consensus from privacy experts is that this plan has little to do with protecting privacy and everything to do with protecting market share." "“Once the integration of those three messaging platforms happens, it will be almost technically impossible to break Facebook up,” said Jonathan Albright, director of the Digital Forensics Initiative at the Tow Center for Digital Journalism. “It won’t happen. You can’t do it. And that’s exactly why they’re moving so quickly to do it.”" | "Almost every company has suffered a big data breach at this point; only Facebook has endured such an existential reckoning" | "After nearly a year of its critics demanding that it respect users’ privacy, here was Facebook saying: “Fine, privacy you shall have.” (More on whether what’s being offered is actually privacy later.)" "Zuckerberg did make a number of specific promises after the Cambridge Analytica story broke. I asked the company for an update on a number of these, and can only offer the Harvard dropout an “incomplete”." (more on article) "The other major promise – the big one – is the pivot to “privacy” announced this month." "The CEO is planning to integrate all three of his company’s messaging platforms – WhatsApp, Instagram and Messenger – into one, which will have end-to-end encryption." | |||||||||||||||||||||
20 | C_FB_03 | CPO Magazine | "Facebook took yet another blow last week when subsidiary site Instagram was breached, exposing the sensitive data of at least 49 million users. And the leak was caused by yet another unprotected Amazon Web Services (AWS) server connected to the internet, a trend that has ensnared a disturbing number of high-profile companies in recent years – including Facebook in a previous incident just last month." "The AWS database, which belonged to a Mumbai-based marketing company called Chtrbox, appears to have been online without a password for at least 72 hours. Roughly 1 out of 20 Instagram users was affected by this, but the exposed records appear to primarily be those of “influencers” and celebrities." "The Instagram breach did not expose financial information, but it did grant access to location and contact information that may not have been meant to be public. The exposed database contained the profile pictures, city and country location, phone number, email address and number of followers of each user." "“This breach is really two breaches. How did Chtrbox get access to the private data of millions of Instagram users? It might have been a known API exposure in Instagram – the investigation is ongoing. And why didn’t Chtrbox secure the data that they posted on AWS? Cloud-based storage needs to be secured – technology to secure data in the cloud is available. Both Chtrbox and Instagram took a light approach to securing personal data, and both should be penalized.”" | Keystone: Facebook, Amazon Actors: Users, Chtrbox (company) Software platform/product: Instagram (product), AWS (service) | YES | "This breach thus did not impact the average Instagram user. The information in the insecure database was influencer metric and contact details for review of and use by interested brands" "These are generally discovered when either a security researcher or an enterprising cyber criminal port scans blocks of addresses, or uses a handful of other clever tricks such as searching certificate transparency logs." "Chatrbox has issued a statement disputing the report, acknowledging the Instagram breach but claiming that the database only contains 350,000 records and that it did not contain private emails or phone numbers." "one must wonder why any were still sitting in an unprotected AWS bucket after years of similar incidents." "it is still unclear whether Chtrbox was even authorized to have some of the sensitive contact information that was apparently in its possession. Instagram has had several issues with its API in the last two years, including an August 2017 incident that exposed the personal information of millions of users." "The bigger issue is that these little bits and pieces of data are inevitably accumulated into monstrous repositories of personal information, typified by data dumps such as the “Collection” series. The more of this data that is accumulated about a business or an individual, the easier it is for an attacker to carry off a targeted phishing attack, account takeover or social engineering scam." "data breaches due to failure to properly secure AWS buckets aren’t always a case of poor security practices or oversight. Speed and ease of integration with other applications is often at odds with proper security procedures" "“Unfortunately, enterprises don’t discover such errors until after such a breach is widely reported on by media, and a lot of damage to users and to the brand has already resulted." "They are getting more focused on services that are hosted in the Public/Private cloud environments, where they know environments change frequently, which leads to higher probability of errors in security policies. When they discover such sensitive databases, they go after scraping as much data they can from them." | N/A | "The database was pulled offline after the report was published by TechCrunch, but had been online for at least 72 hours. The current exposed record count is at 49 million, but could potentially grow in the future" "It is not even the first breach of this nature for parent company Facebook in 2019; in April, 540 million Instagram account records were exposed by way of two open AWS buckets owned by Latin American digital media publisher Cultura Colectiva." "Facebook’s WhatsApp also took a hit earlier in May when it was revealed that a vulnerability had been allowing hackers to install spyware on target devices through an infected voice call." "Data from Facebook users and accounts with its various subsidiary companies already has great value to hackers, but that value will skyrocket when access to these accounts could potentially grant access to tangible crypto funds." | ||||||||||||||||||||
21 | C_FB_04 | Evening Standard | "Facebook has admitted that thousands of apps hoovered up people’s private data without permission months after they stopped using the services." "The social media giant said around 5,000 developers were mistakenly granted unauthorised access to “non-public information” in breach of the company’s own rules" "The data leak appears to breach Facebook’s own rules governing personal information access that it brought in following the incident, which saw founder Mark Zuckerberg grilled by US congress about how it used people’s information." "The latest admission again spotlights the volumes of personal data users sign away when they grant approval to apps – as the tech firm said it had not “seen evidence” that shared data was “inconsistent with the permissions people gave”." | Keystone: Facebook Actors: Users, Partners, Third-party apps Software platform/product: Facebook | YES | "The admission comes two years after Facebook pledged to lock out third party app data access if the service had not been used for 90 days following the Cambridge Analytica scandal, which harvested people’s data – and that of their friends who had not given consent – via permissions granted from “personality test” quizzes inside the social network." "It is understood the newly discovered data leaks include both internal apps, such as games, and also external platforms where users can login using their Facebook credentials to avoid a separate sign-up process." | N/A | Facebook said the “non-public information” may have included a person’s email address, birthday and gender when Facebook was used to “sign into apps”, even if they had not used the service for 90 days. The social network gave the example of a data leaking from fitness app where a user had invited a friend to a workout, but the recipient’s usage was dormant for a long time. Facebook’s vice-president of platform partnerships, Konstantinos Papamiltiadis, said: “Recently, we discovered that in some instances apps continued to receive the data that people had previously authorised, even if it appeared they hadn’t used the app in the last 90 days.” He added: “We currently estimate this issue enabled approximately 5,000 developers to continue receiving information – for example, language or gender – beyond 90 days of inactivity.” | ||||||||||||||||||||
22 | C_FB_05 | Business Insider | "A combination of configuration errors and lax oversight by Instagram allowed one of the social network's vetted advertising partners to misappropriate vast amounts of public user data and create detailed records of users' physical whereabouts, personal bios, and photos that were intended to vanish after 24 hours." "The profiles, which were scraped and stitched together by the San Francisco-based marketing firm Hyp3r, were a clear violation of Instagram's rules. But it all occurred under Instagram's nose for the past year by a firm that Instagram had blessed as one of its preferred "Facebook Marketing Partners."" "The total volume of Instagram data Hyp3r has obtained is not clear, though the firm has publicly said it has "a unique dataset of hundreds of millions of the highest value consumers in the world," and sources said more than of 90% of its data came from Instagram" "To provide some of these capabilities, Hyp3r made unauthorized use of Instagram data in three key ways: - It took advantage of an Instagram security lapse, allowing it to zero in on specific locations, like hotels and gyms, and vacuum up all the public posts made from the locations. - At these locations, it systematically saved users' public Instagram stories — a type of content designed to vanish after 24 hours —including the individual photos that users shared in the stories, in a clear violation of Instagram's terms of service. - It scraped public user profiles on a broad basis, collecting information like user bios and followers, which it then combined with the other location information and data from other sources. - It also uses image-recognition software on users' posts it collects to automatically analyze what they're depicting." "Hyp3r created a tool that could "geofence" specific locations and then harvest every public post tagged with that location on Instagram." "Ordinary users' Instagram stories — posts that are supposed to disappear after 24 hours — have never been available through Instagram's API. But Hyp3r built a tool to collect them too, sources said, saving the images indefinitely, along with the associated metadata" "Hyp3r's scraping appears to violate Instagram's rules on multiple points, including a requirement to store or cache content only "for the period necessary to provide your app's service" (Hyp3r stored user data indefinitely, according to multiple sources), and a prohibition on "reverse engineer[ing] the Instagram's APIs" (Hyp3r deliberately rebuilt its own version of an API that Instagram shuttered after Cambridge Analytica)." "When accessing Instagram through a web browser, there is a publicly available JSON package that bundles up various bits of data into an easy-to-access format. It's available by simply appending a short string of characters to any Instagram URL, and you don't need to log in, gain approval, or authenticate your identity in any way to access it." | Keystone: Facebook Actors: Users, Hyp3r, Third-party apps Software platform/product: Instagram | YES | "Facebook's struggles in locking down users' personal information not only persist but also extend beyond the core Facebook app." "Instagram is not the only service to have been affected over the years, and Hyp3r is almost certainly not the only business scraping its data. But the nature of Hyp3r's activity raises significant questions about the extent of the due diligence that Instagram and parent company Facebook conduct on partners using their platform, as well as on their own procedures to safeguard user data" "Hyp3r denied breaking Instagram's rules, essentially arguing that accessing public data on Instagram in this way is legitimate and justifiable, and saying it was confident that any issues with Instagram would be resolved shortly." "The result of the public information it gleaned was a sophisticated database about Instagram users, their interests, and their movements that Hyp3r openly touted to customers as one of its key selling points, despite the fact that Instagram's policies were structured so that such a thing would not be possible." "Some of Hyp3r's behavior was once permitted by Instagram." "Like many big platforms, Instagram has an API, or application programming interface, that allows developers to build services that can interact with its platform." "Publicly, Hyp3r welcomed Instagram's API changes, writing a worthy blog post in which it said it "understand[s] and welcome[s] the changes that Facebook is making to protect the privacy of all of us," and promising its data would never be used for political purposes." "But behind the scenes, the company got to work building a system that could disregard Instagram's decision and keep on harvesting data anyway, sources told Business Insider." "The result is a database of thousands of locations, including "hotels, casinos, cruise ships, airports, fitness clubs, stadiums and shopping destinations across the globe," as well as hospitals, bars, and restaurants." "If a user makes a post at one of these locations, it is, unbeknownst to them, saved to Hyp3r's systems indefinitely" "By harvesting them systematically from popular locations, Hyp3r became able to build up detailed profiles of huge numbers of people's movements, their habits, and the businesses they frequent over time." "It publicly promises its customers features that far exceed what is available through Instagram's API, saying it "surfaces all public social activity from a location — regardless of hashtags and mentions — so you never miss an opportunity to dazzle your customers."" "Instagram displays public location pages, showing ordinary users posts from a given location, and this package appears on those pages. Sources said that it was through this that Hyp3r was able to scrape some of the data it was illicitly collecting on users." "The data would still have been technically possible to scrape had this JSON package not existed — but its exposure made it significantly simpler." | " Facebook included Hyp3r on its exclusive list of Facebook Marketing Partners — a directory of vetted companies that "can give you superior insights and data for better marketing decisions." "The marketing firm's behavior seems unlikely to be illegal under US law. In 2017, LinkedIn lost a legal fight against a company that had been scraping its publicly available data." | "Instagram sent Hyp3r a cease-and-desist letter after being presented with Business Insider's findings and confirmed that the startup broke its rules." ""HYP3R's actions were not sanctioned and violate our policies. As a result, we've removed them from our platform. We've also made a product change that should help prevent other companies from scraping public location pages in this way," a spokesperson said in a statement." "Before the scandal broke, Instagram's API allowed developers to search for public posts for a given location. But in the aftermath of it, Instagram began to deprecate (i.e. switch off) a bunch of its API's functionality, including location tools — causing chaos for companies, like Hyp3r, that had been relying on it." "Hyp3r said that because the data it collects is already public, it does not require consent from Instagram users to harvest it, and that companies have legitimate business needs that justify knowing what is being shared from their properties." "The company's [Hyp3r] iOS App Store listing shows screenshots of an Instagram post in its app that it says it collected from a specific location — a capability that Instagram does not allow — and in its release notes from December, it references adding "support for Instagram Stories across the app."" "(Instagram's current API allows users to view public posts if they have been mentioned in them, or retrieve some hashtagged posts subject to stricter limitations, but not because of their location.)" "A spokesperson for Instagram said the company periodically reviews Facebook Marketing Partners to ensure compliance." "Instagram also bans data from being transferred "to any ad network," but the Instagram data could be plugged into Facebook's own ads manager to target people with advertisements — meaning Facebook indirectly profited from Hyp3r's data collection." "In other words: A year after Instagram disabled its location functionality for developers, the social network was still inadvertently providing an easy way for developers to keep on collecting this data, without any accountability" "In response to Hyp3r's actions, Instagram has made a change to prevent public location pages from being available to logged-out users." "It has also completely revoked Hyp3r's access to its APIs and removed it from the list of Facebook Marketing Partners." "An Instagram spokesperson said they couldn't yet comment on whether they would notify affected users or ask Hyp3r to formally certify that it deletes the data. The social network has formally asked Hyp3r to stop collecting Instagram data in its cease-and-desist letter, it said, and will ask it to explain itself in a phone interview and provide an account of all the data that was scraped." | ||||||||||||||||||||
23 | ||||||||||||||||||||||||||||
24 | ||||||||||||||||||||||||||||
25 | ||||||||||||||||||||||||||||
26 | ||||||||||||||||||||||||||||
27 | ||||||||||||||||||||||||||||
28 | ||||||||||||||||||||||||||||
29 | ||||||||||||||||||||||||||||
30 | ||||||||||||||||||||||||||||
31 | ||||||||||||||||||||||||||||
32 | ||||||||||||||||||||||||||||
33 | ||||||||||||||||||||||||||||
34 | ||||||||||||||||||||||||||||
35 | ||||||||||||||||||||||||||||
36 | ||||||||||||||||||||||||||||
37 | ||||||||||||||||||||||||||||
38 | ||||||||||||||||||||||||||||
39 | ||||||||||||||||||||||||||||
40 | ||||||||||||||||||||||||||||
41 | ||||||||||||||||||||||||||||
42 | ||||||||||||||||||||||||||||
43 | ||||||||||||||||||||||||||||
44 | ||||||||||||||||||||||||||||
45 | ||||||||||||||||||||||||||||
46 | ||||||||||||||||||||||||||||
47 | ||||||||||||||||||||||||||||
48 | ||||||||||||||||||||||||||||
49 | ||||||||||||||||||||||||||||
50 | ||||||||||||||||||||||||||||
51 | ||||||||||||||||||||||||||||
52 | ||||||||||||||||||||||||||||
53 | ||||||||||||||||||||||||||||
54 | ||||||||||||||||||||||||||||
55 | ||||||||||||||||||||||||||||
56 | ||||||||||||||||||||||||||||
57 | ||||||||||||||||||||||||||||
58 | ||||||||||||||||||||||||||||
59 | ||||||||||||||||||||||||||||
60 | ||||||||||||||||||||||||||||
61 | ||||||||||||||||||||||||||||
62 | ||||||||||||||||||||||||||||
63 | ||||||||||||||||||||||||||||
64 | ||||||||||||||||||||||||||||
65 | ||||||||||||||||||||||||||||
66 | ||||||||||||||||||||||||||||
67 | ||||||||||||||||||||||||||||
68 | ||||||||||||||||||||||||||||
69 | ||||||||||||||||||||||||||||
70 | ||||||||||||||||||||||||||||
71 | ||||||||||||||||||||||||||||
72 | ||||||||||||||||||||||||||||
73 | ||||||||||||||||||||||||||||
74 | ||||||||||||||||||||||||||||
75 | ||||||||||||||||||||||||||||
76 | ||||||||||||||||||||||||||||
77 | ||||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||||
79 | ||||||||||||||||||||||||||||
80 | ||||||||||||||||||||||||||||
81 | ||||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||||
83 | ||||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||||
86 | ||||||||||||||||||||||||||||
87 | ||||||||||||||||||||||||||||
88 | ||||||||||||||||||||||||||||
89 | ||||||||||||||||||||||||||||
90 | ||||||||||||||||||||||||||||
91 | ||||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||||
94 | ||||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||||
97 | ||||||||||||||||||||||||||||
98 | ||||||||||||||||||||||||||||
99 | ||||||||||||||||||||||||||||
100 | ||||||||||||||||||||||||||||