Strip searches and ads: 10 tech and privacy hot spots for 2020

By Umberto Bacchi

TBILISI (Thomson Reuters Foundation) – From whether governments should use facial recognition for surveillance to what data internet giants should be allowed to collect, 2019 was marked by a heated global debate around privacy and technology.

The Thomson Reuters Foundation asked 10 privacy experts what issues will shape the conversation in 2020:

1. CALIFORNIA DIGITAL PRIVACY LAW – Cindy Cohn, executive director, Electronic Frontier Foundation

“A California law giving consumers more control over their personal information, like the right to know what data businesses have collected about them, to delete it and to opt-out of its sale comes into effect on Jan. 1, 2020.

The legislation could have a ripple effect across the United States, or lead to the passage of a federal law.

This could be good news, if a federal law was to mandate some basic privacy guarantees that states could improve on – or bad news, if it was to instead block stronger state laws.”

2. DIGITAL STRIP SEARCHES – Silkie Carlo, director, Big Brother Watch

“From where we have been to who we have spoken to, our phones contain mountains of data that is increasingly sought after by police during investigations. So-called “digital strip searches”, where crime victims are asked to hand over their phones, are becoming common place all around the world.

In Britain, victims of rape are now routinely required to give police full downloads of their phones, and police can keep the data for 100 years. It’s no coincidence that almost 50% of victims are dropping their cases.

There’s no law in the UK around this and it’s likely we’ll see a showdown between police, data regulators and privacy advocates in 2020.”

3. FACIAL RECOGNITION – Jameson Spivack, policy associate, centre on privacy & technology, Georgetown Law Centre

“In 2019, face recognition technology became an integral part of the public debate about privacy, as people realized just how much of a risk this technology poses to civil rights and liberties.

Public officials have responded, with bans and proposed regulation at all levels of government. These conversations will come to a head in 2020.

In the U.S. this could mean new federal, state, or local policies around how law enforcement is allowed to use (or not use) face recognition; rules for companies developing the technology; and/or increased enforcement action from entities like the Federal Trade Commission or state attorneys general.”

4. BEHAVIOURAL ADVERTISING – Karolina Iwanska, lawyer, Panoptykon Foundation

“A wave of complaints against the use of personal information to target advertising online have been filed with data authorities across the European Union over the past two years.

The Irish data protection authority – which is a lead authority for Google – started an investigation into the company’s advertising business and the British ICO has published a damning report on the ad-tech industry.

2020 should bring much needed decisions in these cases, potentially leading to fines and further restrictions on companies’ use of people’s data.”

5. EU BUDGET – Edin Omanovic, advocacy director, Privacy International

“Next year, the EU will decide its budget for the years 2021-2028. How it will spend what is likely to be in excess of 1 trillion euro ($1.10 trillion) will have a transformative impact not just on its residents, but around the world.

For the first time, it will spend more on migration control than on developing Africa, often involving some sort of surveillance, which could pose huge threats to privacy and other human rights.”

6. AI TECHNOLOGIES – Diego Naranjo, head of policy, European Digital Rights

“A 2019 report on facial recognition by the EU’s rights agency represented a crucial step in the debate that we as societies need to have prior to deploying such technologies, which affect privacy, data protection, and other rights.

We could end up implementing practices in Europe which horrify us when they are implemented elsewhere, for example in China.

This conversation, as well as examining the impact of other technologies, like the potential discriminatory impact of “AI-based lie detectors” on vulnerable groups, such as migrants, will be an important part of the debate in 2020.”

7. ALGORITHMS’ DECISION MAKING – Sandra Wachter, professor, Oxford Internet Institute

“The EU’s General Data Protection Regulation (GDPR) currently focus on things like transparency, consent and notification of data collection, but not on how we are evaluated after data is collected.

This means users have few rights to challenge or contest how they are assessed by algorithms processing their information, which is worrisome since our digital identity steers our paths in lives and impacts our opportunities.

In 2020, the EU’s data watchdog will publish several recommendations on how to improve data rights. This is a great opportunity to give guidance to transform the GDPR, introducing more controls over how algorithms evaluate us.”

8. TARGETED POLITICAL ADS – Matthew Rice, Scotland director, Open Rights Group

“Personal data is becoming ever more central in the operations of political campaigns, as parties buy up commercial data sets in an attempt to derive the voters’ opinions and decide whether to target them online and how.

This practice stretches the limits of data protection laws and strains trust in democratic systems.

With the U.S. Presidential elections taking place in 2020 expect to see a huge amount of attention paid on what personal data parties are using and how they are using it.”

9. BIOMETRICS TECHNOLOGIES – Carly Kind, director, Ada Lovelace Institute

“In 2020 biometrics technologies are likely to come under the serious scrutiny of regulators in Europe (and possibly beyond).

We’re approaching a tipping point in public concern about the increasing ubiquity of facial recognition. In China 84% of people surveyed want the opportunity to review or delete facial data collected about them.

EU authorities have promised facial recognition regulation will be forthcoming in 2020. It is critical that it looks beyond facial recognition to the entire gambit of AI-enabled biometric technologies that will be rolled out in the years to come.”

10. IRELAND’S DATA AUTHORITY – Paul-Olivier Dehaye, co-founder, Personaldata.io

“In 2020, Ireland is likely to come under increased pressure from other European countries to take a stronger stance on data protection after years of lax enforcement.

Thanks to the EU’s harmonization mechanisms, the Irish data authority could be compelled to adjust to the stricter parameters used by its EU counterparts when deciding on the growing number of privacy complaints filed by EU citizens.

As Ireland hosts the European headquarters of U.S. technology firms like Facebook and Google, this would have far-reaching consequences across the bloc.”

($1 = 0.9073 euros)

(Reporting by Umberto Bacchi @UmbertoBacchi, Editing by Belinda Goldsmith; Please credit the Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers humanitarian news, women’s and LGBT+ rights, human trafficking, property rights, and climate change. Visit http://news.trust.org)

Capital One says information of over 100 million individuals in U.S., Canada hacked

FILE PHOTO: The logo and ticker for Capital One are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., May 21, 2018. REUTERS/Brendan McDermid

(Reuters) – Capital One Financial Corp said on Monday that personal information including names and addresses of about 100 million individuals in the United States and 6 million people in Canada were obtained by a hacker who has been arrested.

The suspect, a 33-year-old former Seattle technology company software engineer identified as Paige Thompson, made her initial appearance in U.S. District Court in Seattle on Monday, the U.S. Attorney’s office said.

According to a complaint filed in the District Court for the Western District of Washington at Seattle, Thompson posted information from her hack, which occurred between March 12 and July 17, on coding platform GitHub. Another user saw the post and notified Capital One of the breach.

Law enforcement officials were able to track Thompson down as the page she posted on contained her full name as part of its digital address, the complaint said. Capital One said it identified the hack on July 19.

A representative for the U.S. Attorney’s office said it was not immediately clear what the suspect’s motive was.

The incident is expected to cost between $100 million and $150 million in 2019, mainly because of customer notifications, credit monitoring and legal support, Capital One said.

The hacker did not gain access to credit card account numbers, but about 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised, Capital One said. Other personal information accessed included phone numbers and credit scores.

About 1 million social insurance numbers of the company’s Canadian credit card customers were also compromised.

The Capital One hacker was able to gain access to the data through a misconfigured web application firewall, the U.S. Attorney’s office said.

Credit-reporting company Equifax Inc said last week it would pay up to $700 million to settle claims it broke the law during a 2017 data breach when roughly 147 million people had information, including Social Security numbers and driver’s license data, compromised.

Capital One shares fell 4 percent in late extended trading.

(Reporting by Uday Sampath in Bengaluru; Editing by Sonya Hepinstall and Peter Cooney)

Two out of three hotels accidentally leak guests’ personal data: Symantec

FILE PHOTO - A hand is silhouetted in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

By Angela Moon

(Reuters) – Two out of three hotel websites inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers and analytics companies, according to research released by Symantec Corp on Wednesday.

The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Marriott International disclosed one of the worst data breaches in history.

Symantec said Marriott was not included in the study.

Compromised personal information includes full names, email addresses, credit card details and passport numbers of guests that could be used by cybercriminals who are increasingly interested in the movements of influential business professionals and government employees, Symantec said.

“While it’s no secret that advertisers are tracking users’ browsing habits, in this case, the information shared could allow these third-party services to log into a reservation, view personal details and even cancel the booking altogether,” said Candid Wueest, the primary researcher on the study.

The research showed compromises usually occur when a hotel site sends confirmation emails with a link that has direct booking information. The reference code attached to the link could be shared with more than 30 different service providers, including social networks, search engines and advertising and analytics services.

Wueest said 25 percent of data privacy officers at the affected hotel sites did not reply to Symantec within six weeks when notified of the issue, and those who did took an average of 10 days to respond.

“Some admitted that they are still updating their systems to be fully GDPR-compliant,” Wueest said, referring to Europe’s new privacy law, or the General Data Protection Regulation, which took effect about a year ago and has strict guidelines on how organizations should deal with data leakage.

(Reporting by Angela Moon; Editing by Dan Grebler)

Facebook CEO starts second day of U.S. congressional hearings

Facebook CEO Mark Zuckerberg is surrounded by members of the media as he arrives to testify before a Senate Judiciary and Commerce Committees joint hearing regarding the company’s use and protection of user data, on Capitol Hill in Washington, U.S., April 10, 2018. REUTERS/Leah Milli

By Dustin Volz and David Ingram

WASHINGTON/SAN FRANCISCO (Reuters) – Facebook Inc Chief Executive Mark Zuckerberg started a second day of testimony on Capitol Hill on Wednesday, facing more questions from lawmakers about data privacy at the world’s largest social media network.

The 33-year-old internet magnate, once again wearing a dark suit instead of his usual gray T-shirt, appeared before the U.S. House of Representatives Energy and Commerce Committee, a day after he took questions for nearly five hours in a U.S. Senate hearing.

He navigated through the first hearing on Tuesday without making any further promises to support new legislation or change how the social network does business, foiling attempts by senators to pin him down.

Investors were impressed with his initial performance. Shares in Facebook posted their biggest daily gain in nearly two years on Tuesday, closing up 4.5 percent. They were down slightly in early trading on Wednesday.

Facebook has been consumed by turmoil for nearly a month, since it came to light that millions of users’ personal information was wrongly harvested from the website by Cambridge Analytica, a political consultancy that has counted U.S. President Donald Trump’s election campaign among its clients. The latest estimate of affected users is up to 87 million.

Patience with the social network had already worn thin among users, advertisers and investors after the company said last year that Russia used Facebook for years to try to sway U.S. politics, an allegation Moscow denies.

Lawmakers have sought assurances that Facebook can effectively police itself, and few came away from Tuesday’s hearing expressing confidence in the social network.

“I don’t want to vote to have to regulate Facebook, but by God, I will,” Republican Senator John Kennedy told Zuckerberg on Tuesday. “A lot of that depends on you.”

Zuckerberg deflected requests to support specific legislation. Pressed repeatedly by Democratic Senator Ed Markey to endorse a proposed law that would require companies to get people’s permission before sharing personal information, Zuckerberg agreed to further talks.

“In principle, I think that makes sense, and the details matter, and I look forward to having our team work with you on fleshing that out,” Zuckerberg said.

(Reporting by Dustin Volz in Washington and David Ingram in San Francisco; Editing by Bill Rigby)

CEO Zuckerberg says Facebook could have done more to prevent misuse

FILE PHOTO: Facebook CEO Mark Zuckerberg speaks on stage during the Facebook F8 conference in San Francisco, California, U.S., April 12, 2016. REUTERS/Stephen Lam/File Photo

By Dustin Volz and David Shepardson

WASHINGTON (Reuters) – Facebook Inc Chief Executive Mark Zuckerberg told Congress on Monday that the social media network should have done more to prevent itself and its members’ data being misused and offered a broad apology to lawmakers.

His conciliatory tone precedes two days of Congressional hearings where Zuckerberg is set to answer questions about Facebook user data being improperly appropriated by a political consultancy and the role the network played in the U.S. 2016 election.

“We didn’t take a broad enough view of our responsibility, and that was a big mistake,” he said in remarks released by the U.S. House Energy and Commerce Committee on Monday. “It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.”

Zuckerberg, surrounded by tight security and wearing a dark suit and a purple tie rather than his trademark hoodie, was meeting with lawmakers on Capitol Hill on Monday ahead of his scheduled appearance before two Congressional committees on Tuesday and Wednesday.

Zuckerberg did not respond to questions as he entered and left a meeting with Senator Bill Nelson, the top Democrat on the Senate Commerce Committee. He is expected to meet Senator John Thune, the Commerce Committee’s Republican chairman, later in the day, among others.

Top of the agenda in the forthcoming hearings will be Facebook’s admission that the personal information of up to 87 million users, mostly in the United States, may have been improperly shared with political consultancy Cambridge Analytica.

But lawmakers are also expected to press him on a range of issues, including the 2016 election.

“It’s clear now that we didn’t do enough to prevent these tools from being used for harm…” his testimony continued. “That goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy.”

Facebook, which has 2.1 billion monthly active users worldwide, said on Sunday it plans to begin on Monday telling users whose data may have been shared with Cambridge Analytica. The company’s data practices are under investigation by the U.S. Federal Trade Commission.

London-based Cambridge Analytica, which counts U.S. President Donald Trump’s 2016 campaign among its past clients, has disputed Facebook’s estimate of the number of affected users.

Zuckerberg also said that Facebook’s major investments in security “will significantly impact our profitability going forward.” Facebook shares were up 2 percent in midday trading.

ONLINE INFORMATION WARFARE

Facebook has about 15,000 people working on security and content review, rising to more than 20,000 by the end of 2018, Zuckerberg’s testimony said. “Protecting our community is more important than maximizing our profits,” he said.

As with other Silicon Valley companies, Facebook has been resistant to new laws governing its business, but on Friday it backed proposed legislation requiring social media sites to disclose the identities of buyers of online political campaign ads and introduced a new verification process for people buying “issue” ads, which do not endorse any candidate but have been used to exploit divisive subjects such as gun laws or police shootings.

The steps are designed to deter online information warfare and election meddling that U.S. authorities have accused Russia of pursuing, Zuckerberg said on Friday. Moscow has denied the allegations.

Zuckerberg’s testimony said the company was “too slow to spot and respond to Russian interference, and we’re working hard to get better.”

He vowed to make improvements, adding it would take time, but said he was “committed to getting it right.”

A Facebook official confirmed that the company had hired a team from the law firm WilmerHale and outside consultants to help prepare Zuckerberg for his testimony and how lawmakers may question him.

(Reporting by David Shepardson and Dustin Volz; Editing by Bill Rigby)

15 Million T-Mobile Customers’ Data Stolen by Hackers

The credit bureau Experian experienced a data breach, revealing user data from approximately 15 million T-Mobile customers.

The data gathered by the hackers included names, addresses, birth dates, and Social Security numbers along with other forms of identification like driver’s’ license numbers. According to T-Mobile, the hackers were not able to get payment information or bank account information.

People affected by the hack may not be current T-Mobile customers. The companies announced that customers who applied for T-Mobile postpaid services or device financing between September 1, 2013 and September 16, 2015 were the ones who could be victims of the hack.

Experian stated in a press release that no evidence has been presented so far that the data has been used illegally or inappropriately. Experian is a widely used credit-information provider that has experienced several security concerns; the T-Mobile hack is just the latest incident. The last cyberattack on Experian was in 2012 when 200 million Americans had their Social Security numbers exposed.

T-Mobile CEO John Legere had strong feelings regarding the breach and said that his company would be looking for a new and more secure service provider.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian,” but the carrier’s top concern now is helping the people affected, Legere wrote in an open letter on T-Mobile’s site.

Experian North America stated in a notice that it was a business unit that had been compromised, and its consumer credit bureau wasn’t affected. Experian has notified international and U.S. law enforcement.

T-Mobile is now offering free credit monitoring identity resolution services from ProtectMyID for the next two years for their customers that think they may have been affected by the breach. ProtectMyID is a division of Experian.

The breach at Experian is the latest in a string of massive hacks that have claimed tens of millions of customer records. The U.S. Office of Personnel experienced a major hack earlier this year, JPMorgan Chase had a breach of data in 2014, and large retailer, Target, had a major cyberattack on their cash register systems in 2013.