2022 Privacy Concerns and Violations


Twitter pays $150 million fine for failing to protect consumer data

Twitter will pay the U.S. government $150 million after federal officials sued the platform for misleading users about how it protects their data. Regulators accused the company of violating a previous Federal Trade Commission (FTC) privacy settlement by using contact information that it collected to help marketers with targeted advertising. 

Officials said Twitter disclosed to users that phone numbers and email addresses would be used for account security, but the platform apparently did not shed enough light on how that same information would be used for other purposes. The suit claims that these practices affected over 140 million Twitter users who submitted contact information to the platform. 

“From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services,” the lawsuit stated.

In a company blog post, Twitter Chief Privacy Officer Damien Kieran pointed out that the platform addressed this problem in 2019. He also reaffirmed that Twitter is committed to protecting the privacy of its users.

“In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected,” Kieran said.

In addition to paying a financial penalty, Twitter has agreed to implement a comprehensive privacy and data security program and disclose why and how it collects, shares, and uses personal information that it collects. Twitter users will also now have access to a multi-factor authentication option that does not use their phone number.

FTC advises consumers about data protection

The FTC says consumers should take away several important lessons from this suit so that they can protect their personal information in the future. Those lessons include:

  • Use multi-factor authentication whenever possible. The FTC says this type of protection makes it harder for scammers to log in to consumers’ accounts, even if they’re able to steal usernames and passwords.

  • Choose forms of multi-factor authentication that don’t involve personal information. The FTC says consumers should opt for authentication apps that use physical tokens instead of software that requires them to input personal data. Physical tokens require consumers to be in physical possession of a real-world object that acts as an authentication device. Some examples include a phone, USB drive, or keycard. 

  • Be careful when selecting security questions. The FTC says consumers should only select security questions that they know the answers to. For added security, you could even select random answers to questions; just be sure to remember your nonsensical answers.

  • Check your privacy settings. Some platforms allow users to opt out of targeted advertisements in an app’s privacy settings. 


District of Columbia sues Mark Zuckerberg over privacy issues related to Cambridge Analytica

Four years after details of the Facebook-Cambridge Analytica scandal came to light, Washington, D.C. Attorney General Carl Racine has sued Facebook – now Meta – CEO Mark Zuckerberg for his alleged role. 

Racine’s complaint accuses Zuckerberg of directly participating in decision-making that allowed the British data company to make unauthorized use of the company’s data for political purposes. Meta has declined to comment on the lawsuit.

In 2018, it was revealed that Cambridge Analytica, a political marketing firm, had accessed data on Facebook users to target 2016 political ads on behalf of the campaign to remove the U.K. from the European Union and on behalf of Donald Trump’s presidential campaign. Facebook paid a $645,000 fine in connection with the breach in 2019.

In his complaint, Racine points to evidence that he says implicates Zuckerberg in Facebook’s “lax oversight of user data and implementation of misleading privacy agreements.” The result, he contends, was that third parties like Cambridge Analytica were able to obtain personal data on 87 million Americans, including over half of the residents of the District of Columbia.

“Since filing our landmark lawsuit against Facebook, my office has fought tooth and nail against the company's characteristic efforts to resist producing documents and otherwise thwart our suit. We continue to persist and have followed the evidence right to Mr. Zuckerberg,” Racine said. 

Unauthorized access

Facebook has always maintained that Cambridge Analytica made use of information that it was not entitled to receive. Racine said the evidence shows that Zuckerberg was personally involved in the lapses that led to the breach. 

“The evidence shows Mr. Zuckerberg was personally involved in Facebook’s failure to protect the privacy and data of its users, leading directly to the Cambridge Analytica incident,” Racine said. “This unprecedented security breach exposed tens of millions of Americans’ personal information, and Mr. Zuckerberg’s policies enabled a multi-year effort to mislead users about the extent of Facebook's wrongful conduct.”

Racine attempted to name Zuckerberg as a defendant in a previous lawsuit against Facebook, but the judge disallowed it. That lawsuit, which has not yet been resolved, claims that Facebook violated the District of Columbia’s consumer protection law by misleading users and failing to protect their data in the months before the 2016 U.S. presidential election. 


FTC announces crackdown on education companies that track children online

The Federal Trade Commission (FTC) is taking a giant leap forward in the protection of children's privacy. The agency announced on Monday that it will strengthen the Children’s Online Privacy Protection Act (COPPA) by cracking down on any education technology company that monitors children illegally.

The FTC’s new policy statement reinforces that it is illegal for companies to force parents and schools to surrender their children’s privacy rights in order to do schoolwork online or attend class remotely. The agency says companies also cannot deny children access to educational technologies when their parents or school refuse to sign up for commercial surveillance.  

“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

“Parents should not have to choose between their children’s privacy and their participation in the digital classroom. The FTC will be closely monitoring this market to ensure that parents are not being forced to surrender to surveillance for their kids’ technology to turn on.”

Protecting children's privacy

The specific modifications that the FTC added to COPPA include:

Prohibitions Against Mandatory Collection: Companies cannot require children to provide more information than is reasonably needed for participation in an activity.

Use Prohibitions: Ed tech providers that collect personal information from a child with the school’s authorization are prohibited from using the information for any other commercial purpose including marketing or advertising. 

COPPA was first launched in 2000, and the FTC has used it to protect children's privacy since then. The agency previously imposed a fine on Toysmart.com for collecting and selling children's personal data. It also began a probe of YouTube and accused the platform of not doing enough to protect children who use the service.


Apple, Google, and Microsoft team up to implement sign-in process without passwords

This Thursday is World Password Day, and leading the celebration are Apple, Google, and Microsoft. Starting sometime within the next year, all three companies will embark on a joint effort and expand support for passwordless sign-ins across all devices and platforms.

If two heads are better than one, then the three-headed effort by the tech giants should be really powerful. For one thing, the trio promises users the ability to sign in through a single action that requires a device PIN or fingerprint verification. The new approach is designed to protect against phishing, and officials say the move will make sign-ins "radically more secure."

“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President of Identity Program Management at Microsoft.

“By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”

Consumers need to protect themselves for now

Until the day when all our passwordless hopes come true, anyone who uses a digital device controls much of their own destiny when it comes to privacy and security.

What are some things that the public can do to honor World Password Day? ConsumerAffairs found five tips that various security analysts say could make consumers' online activity more secure:

Stop using your pet’s name as your password. Aura, which deals in intelligent safety for consumers, found that more than 39% of American pet parents have used their pet's name as part of their password for an online account. That stat rises to 1 in 2 (50%) among pet parents between the ages of 35 and 44.

"Pet names are often widely known and easily searchable on social media or online,” Aura says. 

Is your password something a family member can guess? In a survey of 1,000 Americans, ExpressVPN uncovered several distressing findings about password security. It found that 44% of people admitted to using personally identifiable information like their date of birth; that the average person uses the same password for six websites and/or platforms; that 43% of people say their loved ones would likely be able to guess their online passwords; and that 2 in 5 people admit to using a variation of their first and/or last name in online passwords they create.

The longer, the stronger. “It’s true that the longer a combination is, the harder it is to remember. But it is one of the best ways to keep information safe so make sure to use at least 8 digits to tighten up security levels,” says CheckPoint. 

Chris Brooks, the founder of CryptoAssetRecovery, agrees and even suggests more firepower.

“People often think that adding symbols to a password makes it more secure. Given the firepower that hackers have at their disposal today, that isn't necessarily true," Brooks suggests. "Short complex passwords can be cracked in fractions of seconds. Complexity + Length is what makes passwords secure."

Check out the strength of your current password. Kaspersky, the anti-virus company, offers a password checker that can tell consumers how strong their passwords are. Before you commit to a password that you think no one on earth would ever figure out, it might be wise to test it out.

Netflix users should use caution. Netflix's recent move to crack down on password sharing has a silver lining for consumers. 

"Keeping the use of a single account and password to a single user means fewer opportunities for identity theft, fraud, or other potential damages to the primary user," Nathan Wenzler, chief security strategist at Tenable, told ConsumerAffairs.

How bad could things get for password-lazy Netflix subscribers?

"As our online presence is increasingly tied to our financial services, shopping and delivery services and our reputations, it's becoming more important that we all take the credentials we use seriously and protect them as much as we can," Wenzler said.
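The tips above boil down to three checks: keep personal details (pet names, birth years, your own name) out of the password, make it long, and measure length and character variety together rather than rewarding symbols alone. The following is an added example that runs those checks locally, so a candidate password never has to be submitted to an online checker; it is not code from ConsumerAffairs or any of the vendors quoted, and the personal tokens, 60-bit threshold and 8-character minimum are constructed assumptions.

```python
import math

# Character classes and their sizes. 33 covers printable ASCII punctuation
# plus the space character, so the full printable set is 26+26+10+33 = 95.
CHARACTER_CLASSES = (
    (26, str.islower),
    (26, str.isupper),
    (10, str.isdigit),
    (33, lambda c: not c.isalnum()),
)


def charset_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    return sum(size for size, present in CHARACTER_CLASSES
               if any(present(c) for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet).

    This is the 'complexity + length' measure: doubling the alphabet adds one
    bit per character, adding a character adds a whole log2(alphabet).
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def personal_info_hits(password: str, personal_tokens) -> list:
    """Return the personal tokens (pet name, surname, birth year) found in the password."""
    lowered = password.lower()
    return [t for t in personal_tokens if len(t) >= 3 and t.lower() in lowered]


def assess(password: str, personal_tokens, min_length: int = 8, min_bits: float = 60.0):
    """Apply the three pieces of advice; return (passed, list_of_reasons)."""
    reasons = []
    hits = personal_info_hits(password, personal_tokens)
    if hits:
        reasons.append("contains personal info: " + ", ".join(hits))
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = keyspace_bits(password)
    if bits < min_bits:
        reasons.append(f"search space only {bits:.1f} bits (want >= {min_bits:.0f})")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a user whose dog is Rex, surname Smith, born 1984.
    tokens = ["Rex", "Smith", "1984"]
    for candidate in ("Rex1984!x", "P@ssw0rd", "correct horse battery staple"):
        ok, why = assess(candidate, tokens)
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, "
              f"{'OK' if ok else 'REJECT: ' + '; '.join(why)}")
```

An 8-character password drawn from all 95 printable characters yields about 52.6 bits, while a 28-character lowercase-plus-space phrase yields about 164.7 bits, which is the concrete form of "length beats symbols".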


Google to honor requests to remove consumers' personal data from search results

To help shield people from having too much of their personal information online, Google is going to allow the public to request that the tech giant remove certain pieces of personal information from its search results. Now, just by making a simple request, anyone can ask that Google remove contact information like phone numbers, email addresses, physical addresses, and even login credentials from search results.

The company has offered this in the past, but only in limited, special circumstances, such as when fraudsters steal bank and credit card details, or in egregious situations like non-consensual intimate personal images.

The company is taking the same precautions now that it’s broadening those requests, but it’s not doing it willy-nilly or by machine. It will still review each request to ensure that it's real, and the company said it won’t delete references that are contained in a news article or are a matter of public record, like a mayor asking to have their office telephone number at city hall removed.

“The internet is always evolving – with information popping up in unexpected places and being used in new ways — so our policies and protections need to evolve, too,” Google said in a blog post. “Open access to information is a key goal of Search, but so is empowering people with the tools they need to protect themselves and keep their sensitive, personally identifiable information private. That’s why we’re updating our policies to help people take more control of their online presence in Search.”

How to request Google remove personal information

For Google to even consider a request to remove content, it first has to pertain to the following types of information:

  • Confidential government identification (ID) numbers like a U.S. Social Security number

  • Bank account numbers

  • Credit card numbers

  • Images of handwritten signatures

  • Images of ID docs

  • Highly personal, restricted, and official records, like medical records

  • Personal contact information (physical addresses, phone numbers, and email addresses)

  • Confidential login credentials

If someone is being “doxxed” -- the term for a type of cyber harassment in which someone uses a computer or a phone to purposely cause another person to fear for their well-being -- Google is willing to help remove any content that might lead to that.

For Google to consider the content for removal, it must meet both of these requirements:

  • Your contact info is present.

  • Explicit or implicit threats, or explicit or implicit calls to action for others to harm or harass, are present.

Google reminds people that it will do its part to remove information upon request, but consumers' data may still be available in other ways online.

“It’s important to remember that removing content from Google Search won’t remove it from the internet, which is why you may wish to contact the hosting site directly, if you're comfortable doing so,” the company said.


FCC bans two China-backed telecoms from servicing customers in the U.S.

Less than six months after banishing China Telecom from the U.S. over privacy concerns, the Federal Communications Commission (FCC) has revoked the authority of two other companies that are state-owned entities of China.

ComNet, along with its parent company Pacific Networks, will no longer be able to offer service in the U.S. due to similar privacy concerns. After a thorough review of the companies' practices, the FCC concluded that they had the potential to threaten U.S. security through the country's telecommunications infrastructure.

Both ComNet and Pacific Networks have 60 days to discontinue all domestic and international services emanating from within the U.S.

Despite the companies' efforts to defend themselves, an FCC investigation concluded that they were "subject to exploitation, influence and control by the Chinese government" and "highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.”

Officials feared that the companies were in a position to monitor, store, disrupt, or misroute communications in the U.S., which could allow them to engage in espionage and other harmful activities against the U.S.

Network security equals national security

China may have been the country in the FCC’s crosshairs for this investigation, but it's not the only country that's being examined in light of the war between Russia and Ukraine.

“Our network security has never been more important. As events in Ukraine continue to unfold, reports indicate that hackers acting on behalf of Russia are seeking to sabotage Ukraine’s networks – utilizing new ways of attacking critical infrastructure, financial, and governmental networks, both in cooperation with other hackers and on their own,” FCC Commissioner Geoffrey Starks commented. 

“While we have yet to see a coordinated attack on American networks, we cannot ignore the capabilities of Russian state actors, which one technology company estimates are responsible for nearly 60 percent of all state-sponsored cyberattacks.”

Speaking directly to consumers, Starks equated network security with national security. 

“Today’s action is another positive step towards protecting our national security, but clearly we must continue to rise to the challenges of the day,” he stated.


Meta fined nearly $20 million over European data breaches

Ireland’s Data Protection Commission has hit Meta (formerly known as Facebook) with a fine worth $18.6 million for a series of data breach notifications in the European Union (EU).

The commission said Meta failed to have appropriate technical and organizational safeguards in place to protect its users’ data. That left users vulnerable in 12 breaches over a six-month period during 2018.

When the breaches were first revealed, the commission’s investigation revealed that as many as 50 million Facebook accounts were impacted, some allowing hackers access to Facebook users’ photos. 

Meta calls the fine unfair

Facebook should be relieved that the fine wasn't any larger. Under the EU’s data protection law, member states like Ireland can levy penalties as high as 4% of a company’s annual revenue for the most egregious violations. In Meta's case, that would have equated to a fine of more than $4 billion.

Last year, Ireland fined another Meta product – WhatsApp – $246 million. Amazon was also slapped with a record $746 million by the country of Luxembourg’s privacy custodian.

Nonetheless, Meta still contends that the fine is unfair because it took the commission nearly four years to make its decision. Company officials say they were still making adjustments to privacy settings at that time.

“This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” Meta told Bloomberg News.


Senators say CIA has been gathering data on Americans in secret program

Two members of the Senate Intelligence Committee -- Sens. Ron Wyden (D-Ore.) and Martin Heinrich (D-N.M.) -- are asking for more transparency about an allegedly immense surveillance effort conducted by the Central Intelligence Agency (CIA).

Wyden and Heinrich want to know what kind of records the CIA collected about American citizens and the legal framework for the collection. They originally requested the declassification of a report by the Privacy and Civil Liberties Oversight Board on a CIA bulk collection program last April, but the letter was not made public until Thursday.

The senators say “the CIA has secretly conducted its own bulk program,” authorized under Executive Order 12333, rather than the laws passed by Congress.

The letter notes that the program was “entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional or even executive branch oversight that comes from [Foreign Intelligence Surveillance Act] (FISA) collection.” 

“These documents demonstrate that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law,” said Senators Wyden and Heinrich. “In particular, these documents reveal serious problems associated with warrantless backdoor searches of Americans, the same issue that has generated bipartisan concern in the FISA context. … The public deserves to know more about the collection of this information.”

CIA says it takes privacy seriously

The CIA has been down this road before. In 2017, the Electronic Privacy Information Center (EPIC) warned the Senate Select Committee on Intelligence that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." It noted that the CIA has "a long history of unlawful surveillance" and pointed to a Freedom of Information Act case pursued by EPIC which revealed that the CIA spied on staff members of the U.S. Senate.

This time around, the CIA is getting out in front of Wyden and Heinrich’s claims by firmly disagreeing with the senators’ interpretation of the situation. Kristi Scott, the agency’s privacy and civil liberties officer, said the CIA takes its responsibility to safeguard the privacy and personal liberties of Americans seriously.

“CIA is committed to transparency consistent with our obligation to protect intelligence sources and methods,” Scott stated.