
Tag Archives for "data"

Cambridge Analytica Knew How You’d Vote If You Wore Wrangler

The whistle-blower behind the Cambridge Analytica revelations said the now-defunct data research firm used the fashion preferences of Facebook Inc. users to help develop the algorithms needed to target them with political messaging.

Sharing examples of the anonymized data for the first time, originally collected and used by Cambridge Analytica, Christopher Wylie said people who displayed an interest in Abercrombie & Fitch tended on average to be less cautious and more liberal, and individuals who liked Wrangler were usually more conservative and more keen on “orderliness.”

Full article: Cambridge Analytica Knew How You’d Vote If You Wore Wrangler – Bloomberg

Facebook’s Failure to End ‘Public by Default’

With one simple change, Facebook could pass an important privacy test. Right now, users have little choice in the public exposure of their profile pictures. Every single one of them is set to “public” by default. Even if you try to limit your current profile picture visibility using Facebook’s privacy settings for the individual photo, it will still be public.

If you don’t want your profile picture to be public, the only winning move is to delete your account. That’s increasingly difficult to do these days, because not having a social media presence can limit your personal and professional opportunities and even raise the suspicion of authorities.

Full article: Facebook’s Failure to End ‘Public by Default’ – Member Feature Stories – Medium

LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook

LinkedIn has been called out a number of times for how it is able to suggest uncanny connections to you, when it’s not even clear how or why LinkedIn would know enough to make those suggestions in the first place.

Ireland’s Data Protection Commissioner had conducted — and concluded — an investigation of Microsoft-owned LinkedIn, originally prompted by a complaint from a user in 2017, over LinkedIn’s practices regarding people who were not members of the social network.

Full article: LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook | TechCrunch

Uber fined £385,000 for data breach affecting millions of passengers

Uber’s European operation has been fined £385,000 for a data breach that affected almost 3 million British users, the Information Commissioner’s Office has announced.

In November 2016, attackers obtained credentials to access Uber’s cloud servers and downloaded 16 large files, including the records of 35 million users worldwide. The records included passengers’ full names, phone numbers, email addresses, and the location where they had signed up.

Source: Uber fined £385,000 for data breach affecting millions of passengers

You probably have more personal data, in more systems, than you think.

There are lots of guides on the internet to consent and so forth, but relatively few that dive into hands-on implementation details. Often, legal teams possess a strong understanding of regulatory requirements and the goals of company operations, but they don’t share the same knowledge of the systems and data movements implemented across marketing and sales.

Full article: You probably have more personal data, in more systems, than you think.

FTC Gives Final Approval to Settlements in Privacy Shield Cases

The US Federal Trade Commission has given final approval to settlements with four companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law.

As part of the proposed settlements with the FTC, all four companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements. In addition, VenPath and SmartStart must continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order.

Source: FTC Gives Final Approval to Settlements with Four Companies Related to EU-U.S. Privacy Shield | Federal Trade Commission

A timely raincheck on the GDPR: the law of unintended consequences

As we approach a six-month point since the full implementation date of the GDPR, it is interesting to see evidence of the legislation having much greater consequences and advantages than those for which it was originally intended.

GDPR in its most fundamental form can be seen as a beneficial facility for handling the core issue of risk management between data and people. In this instance, risk is both an opportunity to be exploited as well as a downside to be mitigated. To support this contention, one may cite recent instances of the GDPR having practical impacts way beyond that of its original draftsmen.

Full article: A timely raincheck on the GDPR: the law of unintended consequences

Hackers erase 6,500 sites from the Dark Web in one attack

One of the most popular Dark Web hosting services – Daniel’s Hosting – was slaughtered last week when attackers hosed it clean of about 6,500 hidden services. The admin says they’re gone for good: he hasn’t even figured out where the vulnerability is yet.

Source: Hackers erase 6,500 sites from the Dark Web in one attack – Naked Security

Draft Withdrawal Agreement does not guarantee frictionless free flow of personal data from EU

The draft Withdrawal Agreement at Article 71(2) implies an adequacy assessment by the European Commission could happen in future (this is expected before the end of the transition period in December 2019), but first the UK has to leave the EU and then the Commission has to follow the rules in Article 45 of the GDPR.

This means that the Commission has to involve the European Data Protection Board (EDPB) as part of the adequacy determination process, so it won’t be a quick process. Moreover, the UK may not get an assessment of adequacy at all.

Full article: Draft Withdrawal Agreement does not guarantee frictionless free flow of personal data from European Union

A leaky database of SMS text messages exposed password resets and 2FA codes

A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.

The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.

Source: A leaky database of SMS text messages exposed password resets and two-factor codes | TechCrunch
