2023 Privacy Concerns and Violations

FTC bans Rite Aid's use of facial recognition tech

The Federal Trade Commission (FTC) has banned Rite Aid from using facial recognition technology for five years after the company mishandled its use of the technology for over a decade.

While the surveillance technology was implemented in Rite Aid stores for safety reasons, the agency found that Rite Aid was using it in ways that are harmful to consumers, including falsely accusing customers of shoplifting. According to the FTC’s complaint, women and people of color were primarily the ones targeted as suspected shoplifters.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.

“Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”  

Shoppers were profiled

Rite Aid had been using the facial recognition technology in its stores from 2010 through 2020, and it was originally implemented to help stores identify potential shoplifters or other problematic behaviors. 

The FTC learned that not only did Rite Aid not disclose to shoppers that they were being surveilled, but employees were also told to keep the surveillance system under wraps. Additionally, there were no systems in place to protect shoppers, which ultimately led to a great deal of chaos and harm for Rite Aid shoppers. 

“Employees, acting on false positive alerts, followed consumers around its stores, searched them, ordered them to leave, called the police to confront or remove customers, and publicly accused them, sometimes in front of friends or family, of shoplifting or other wrongdoing, according to the complaint,” the FTC wrote. “In addition, the FTC says Rite Aid’s actions disproportionately impacted people of color.” 

In one such instance, an 11-year-old girl was falsely accused of shoplifting based on images that had been generated from the facial recognition system. 

Rite Aid had contracted with two companies that created a database of people that were believed to be shoplifters or a general harm to the store. The database ended up being full of inaccurate information, low-quality images, and customers’ personal information. 

Protecting consumers moving forward

In addition to the five-year ban, the FTC has also required Rite Aid to take further action to protect consumers.

The company has been mandated to delete all pictures and videos that have been collected while this technology was implemented, and ensure all third-party entities do the same. In addition, should this technology be utilized again after five years, Rite Aid is required to clearly display notices in their stores, implement a data security system, and delete any data within five years. 

"Rite Aid’s mission has always been and will continue to be to safely and conveniently serve the communities in which we operate,” the company said in a statement. “The safety of our associates and customers is paramount. As part of the agreement with the FTC, we will continue to enhance and formalize the practices and policies of our comprehensive and information security program.” 

Some of Santa's gifts may invade your privacy

Since there are so many connected products on the market today, consumers have a difficult time distinguishing those that take care of their personal data from those that don't.

And, if you’re a parent and not as careful as you should be, tech gifts could be roasting on an open fire of your child’s privacy this year. 

The new Mozilla *Privacy Not Included holiday buyers’ guide shows that there’s a sleighful of children’s connected toys and apps that collect and repurpose hoards of data, and compared to connected tech for adults, many of the kids’ tech products are actually worse in the data leakage department.

Mozilla researchers pointed to Embodied Inc’s Black Mirror-esque AI Moxie Robot as a prime example. They found that the toy records and shares its “conversations” with kids with Google and ChatGPT-maker OpenAI. But, in their opinion, Embodied Inc’s – and others’ – privacy policies are also getting more opaque and dishonest. 

“Embodied Inc’s privacy policy tells parents to teach their kids not to share personal information with their Moxie learning robot — yet the product’s marketing simultaneously encourages kids to hone skills like emotional regulation and self-confidence,” Mozilla said. 

“Other companies also often market smartwatches to parents of children too young for first phones. Researchers found many privacy concerns here, including one, the Angel Watch for Kids, that doesn't even seem to have a privacy policy that covers the smartwatch or app at all.”

But what chapped the researchers even more was that many companies they previously rated positively — including Bose, Eufy, and Sonos — seemed to fall short in the privacy department and earned new privacy warning labels this year.

Plus, companies like Amazon, Samsung, Wyze and Microsoft Xbox, which had already earned warning labels, got even worse on data collection, use, sharing and security.

“Wyze had serious security vulnerabilities that it was slow to respond to over the past couple of years, and Bose now says it can possibly sell data on users’ head movements while using headphones,” the researchers noted, adding that federal charges and fines against Amazon and Microsoft have confirmed their suspicions about those products’ privacy infringements, particularly when it comes to children’s uses. 

Who made the list – both naughty and nice?

The 2023 holiday edition of *Privacy Not Included reviews over 150 popular tech products across six categories, including Smart Home, Toys & Games and Wearables.

The list of reviews is quite a lineup, too: Microsoft Xbox, Sonos, Garmin Fitness Trackers, Apple Watches, Fitbit, Peloton Bikes, Amazon Ring, iRobot vacuums, Tile Trackers, Bose headphones, and the Tamagotchi Uni.

Mozilla researchers said they invested an average of eight hours researching every product in their guide, going as far as scouring companies’ track records, poring over privacy policies and regulatory filings, and contacting each company looking for answers as to why some of what they found was going on.

The researchers said that there are some trustworthy products – some. They also acknowledged that some good products got even better.

An example the researchers shared was Garmin, the maker of GPS navigators and smartwatches. After *Privacy Not Included alerted the company last year that it had not made certain that all users had the equal right to delete their personal/private data, Garmin amended its privacy policy to explicitly state that all users have the same data deletion rights.

Researchers were also pleased with the virtual pet Tamagotchi Uni, which earned a big thumbs-up for not collecting much personal information at all — as good as good can get when it comes to ensuring privacy. 

Says Jen Caltrider, lead researcher for *Privacy Not Included: “The privacy and security of our favorite apps and gadgets has gotten worse across the board, but especially among children’s products. The companies that are good at privacy do it by not collecting any data in the first place. Alexa, did you catch that?

“All in all, if you're looking to give gifts that protect and respect the privacy of your loved ones this holiday season, maybe stick to good old-fashioned books.” 

Report: Mastercard becoming rich off consumers’ personal info

It’s natural for a credit card company to know where you shop, how much you spend, and on what days. But, then, if it turns around and sells that information to any company that wants to buy it, some might say that may be going a little too far. 

According to an investigation from US PIRG, Mastercard has increasingly monetized an “immense” amount of transaction data that it has access to over the past several years – enabling companies to improve marketing that can predict your buying behavior and prospect for new high-spending customers.

“It’s like if you hired a babysitter and while watching your kids, they took photos of everything in your house to sell online later,” said R.J. Cross, director of PIRG’s Don’t Sell My Data campaign. 

And Cross told ConsumerAffairs this isn’t just your straightforward “Mastercard” that’s branded as the company's own, but also includes other partner-branded “Mastercards” – like the ones that airlines offer, for example.

Run, but you can’t hide

To show some examples, PIRG pointed ConsumerAffairs to Mastercard’s listing on Amazon Web Services Data Exchange, where we found trough after trough of data, with address listings that companies can access for:

  • Online Food & Meal Delivery – Frequent Buyers

  • Online Shoppers – High Spenders

  • Likely to Be a Small Business – In Market

  • Luxury Retailers – High Spenders

  • Fast Fashion Apparel Buyers – High Spenders

  • Big Ticket Shoppers (Online) – Frequent Buyers

  • Affluent Shoppers

  • Brick and Mortar Shoppers

  • Luxury Travelers & Tourists

There are also “built-to-order audiences” that a client can spec out to work with their own marketing strategies. Those specs can include an advertiser's choice of:

  • Transactions (e.g., amount, frequency, offline vs. online)

  • Date and Time (e.g., date range, time of day, weekend vs. weekday)

  • Geography (e.g., country, state/province, DMA, city, region)

  • Industry / Merchants (e.g., Merchant Category Codes (MCCs), custom aggregate set of industry merchants)

“Mastercard creates categories of consumers based on this transaction history, like identifying ‘high spenders’ on fast fashion or ‘frequent buyers' of big-ticket items online, and sells these groupings, called ‘audiences,’ to other entities," the report said.

“These groups can be targeted at the micro-geographic level, and even be based on AI-driven scores Mastercard assigns to consumers predicting how likely they are to spend money in certain ways within the next three months.”

But Mastercard isn’t alone

PIRG’s Cross was quick to point out that Mastercard is not the lone wolf in spinning data accumulation into gold.

“Nor is it necessarily the worst actor," she told ConsumerAffairs. “But in its position as a global payments technology company, Mastercard has access to enormous amounts of information derived from the financial lives of millions, and its monetization strategies tell a broader story of the data economy that’s gone too far.”

Who else is in on this? PIRG said lots of companies – almost every company that can collect and sell data is in the business.

“The big tech companies are the worst offenders, like Meta and Amazon. But also see Mozilla Foundation's report earlier this month that most car companies sell data they collect about consumers – particularly Ford and Toyota. Another report from 2021 found Uber Eats and Grubhub are big sellers, too," Cross noted.

"And the telephone companies, too! T-Mobile in particular has gotten big in this world in the last couple of years."

Does this mean you should cancel your Mastercard credit card?

Now that you know what PIRG found, how far should you go in protecting yourself?

“It's hard to escape credit card companies monetizing your data without your knowledge. Canceling is likely unrealistic for many people,” a spokesperson for PIRG told ConsumerAffairs.

“Right now the best option is to take advantage of the options the payment networks do offer.”

PIRG offers a complete "tips guide" for the Mastercard issue, but here are the highlights:

  • Fill out this form on Mastercard’s website to opt out of analytics, which will cut down on your data being used for extra purposes.

  • Sign up for its data portal to request it delete your data.

  • If you're a California or Virginia resident, take advantage of your consumer rights, thanks to state consumer privacy laws. 

  • Use this form to delete the data Mastercard uses in its "identity graph" product, which gathers even more personal info. Residents of other states cannot opt out of this program at this time.

Cross has two last suggestions. The first is to email Mastercard's privacy requests address and let the company know you're unhappy with Mastercard's data sales.

"Secondly, people should also write their state lawmakers to say they want to see corporate data sales reined in. States have the power to pass laws to stop companies like Mastercard from inappropriately selling consumers' data."

Is Meta improving Instagram's privacy? Maybe.

How much do you trust the Meta family of fine apps? The company certainly has had a rough few years, starting with the Cambridge Analytica faux pas, but now there may be a new verse in the book of "Instagram" in its privacy bible: “We giveth and we taketh away.”

Lia Haberman, who teaches Social and Influencer Marketing at UCLA, picked up the scent of that addition and posted it on X (formerly known as Twitter), saying that the addition of a “Close Friends” option could be coming to Instagram.

“This would be one way to get people off Stories and out of DMs — create a Close Friends feed experience,” she wrote. It would likely allow Instagram’ers to show certain posts only to those a person deems close and trustworthy, as opposed to posting to their “regular/normal” profile for the world to see.

Andrew Hutchinson, content and social media manager at SocialMediaToday, likes where this is going. He thinks this new option is a smart move that matches up with how many people are using Instagram these days.

“Sharing posts with close friends only is another step along this path, which could help users feel more comfortable about sharing more often if they know that only a few trusted people will see that update,” Hutchinson said.

“It’s not a major change, and functionally, it’s not a big shift either. But it would provide another option to facilitate more enclosed group discussion, which could help IG lean into the latest behavioral trends.”

The whole family is in on the dance, it appears

One might think that if Meta’s new Twitter (er, X) killer “Threads” is an official part of Instagram, there would be some privacy-forward movement there, too. But no such luck according to a new study by HomeSecurityHeroes – one that claims Threads is the “worst social media platform for protecting user privacy,” collecting 50% more personal data than X.

In fact, Meta’s entire family – Instagram, Threads, Facebook, and Messenger – is extremely notorious for collecting the most user data for advertising and marketing purposes. As a unit, they track an astonishing 86% of personal information.

So, should you move to X?

If you want a social media app that’s part of the elite, then your best bet was X. The survey said X only collects 50% of available data, but that was then and this is now and “now” means X’s new sheriff – Elon Musk – is changing things up in regards to privacy.

Mashable’s research team recently went over the company’s new Privacy Policy word by word and their takeaway was this: “There are some interesting bits, and some slightly worrying bits, though deciphering what exactly they mean is not entirely straightforward.”

Compared to Twitter’s old privacy policy, X is now collecting some new types of data, including employment history, educational history, and biometric data. “The company also plans to use that data in new ways, most importantly to train AI,” said Mashable’s Caitlin Welsh and Stan Schroeder. “Have this in mind before you hand over your data to X.”

Do you use voice notes? Do you know what you’re giving away?

If the Eighties were part of your life, you saw this coming. Not the polyester, tight, v-neck shirts, but a foretelling of where we’ve come to in communicating with each other. “It’s so funny – we don’t talk anymore.” Thanks, Cliff Richard.

Technology has pretty much ruined interpersonal communication. We can’t communicate with most of the people in our lives these days without it.

E-mail was our first crutch. Then, texting. Now, a new trend that’s on the rise when talking to loved ones is voice notes. It’s a big rise, too – WhatsApp said last year that over 7 billion voice messages were sent via its app.

To find out why, Preply surveyed Americans to get their reasons. The top finding is that a majority – two in every three – send voice notes. 

“Americans say voice notes are convenient while they are on the go,” Melissa Stephenson, media relations associate with North Star Inbound, told ConsumerAffairs. “The study showed that 44% said they use voice notes while driving and another 44% use them when they are in a hurry, showing an easier way to multitask and communicate.”

The debate continues

Once you get past the convenience aspect, do the upsides of voice notes outweigh the downside? 

“Forty percent of Americans who use voice notes say they are good enough to replace phone calls, and one in four prefer using voice notes to keep in touch with those they don’t see often,"  Stephenson said. "These findings show people are building and keeping personal connections with voice notes.”

Other research shows that voice notes allow people to have more expressive conversations than texting or an emoji provides. 

The hellish side

Still, people are divided on voice notes. Some think voice note’rs are poison. Others are worried about their confidentiality.

“While people are sending and receiving voice notes, one aspect has them worried. Forty-one percent of Americans say they think it’s easier to eavesdrop on voice notes, putting privacy at risk. Using headphones or waiting to listen to a voice note while in private may help with this issue,” Stephenson said.

“Another downside of voice notes is the effort they take. Forty-eight percent believe voice notes require more effort than a traditional typed text and a large majority say that they often need to listen to a voice note more than once to fully understand and respond appropriately, which might explain why they feel extra effort is needed for them.”

Tech experts' two-cents worth

The debate over voice notes gets a little more contentious when you ask tech and privacy professionals. Their sermons include concerns about data being shared with third parties, leading to cyberpiracy and other issues.

As ConsumerAffairs recently found out, a meager three seconds of a person’s voice in the wrong hands could lead to them being hounded for the rest of their lives by AI-using cyber creeps.

When someone uses voice-related information, they cross a line they probably don’t realize they’re crossing: biometric data. Dr. Dani Cherkassky, CEO and co-founder of Kardome, says that biometric data stored locally on a person’s phone may not pose a risk to user privacy, but that abuses can occur when the tech companies that offer voice recognition devices store this data in the cloud.

Cherkassky reminds consumers that the biometrics-capturing cat is out of the bag. Google and Amazon have caught heat for capturing biometrics, but they aren't the only ones doing it.

There’s no uniformity in how those data collections are regulated, either. Some states have wiretapping laws, some don’t, and the EU takes the subject more seriously than the U.S. does.

Concerned about the danger of biometrics?

Raj Ananthanpillai, founder and CEO of Trua, a company that provides identity protection in digital environments, says anyone who bristles at the thought of their voice recordings coming back to haunt them has all the triggers they need to prevent that from happening.

“Many smartphones and tablets incorporate biometric authentication, such as fingerprint or facial recognition, to unlock the device or authorize transactions,” he told ConsumerAffairs.

He suggests the first thing everyone should do is look at the permissions they’re granting to apps or services that use biometrics on their devices. For example, Apple gives its users all of the keys necessary to do that within their iPhones.

Ananthanpillai’s second ace is to limit data sharing. “Be cautious about sharing biometric data with third-party apps or services and evaluate the trustworthiness of the entities requesting access to biometric information,” he said.

His third? Regularly review permissions. Every time you download or update an app, take a look at what permissions you’re granting for the use of biometrics. If you’re the least bit uncomfortable, one click will revoke access if necessary and remove unnecessary biometric data stored on devices or apps.

Staying in a hotel anytime soon? A cybersecurity nightmare might check in with you.

The next time you check into a hotel, you might find a cybercriminal hiding under your bed.

Figuratively, of course, but cybersecurity experts say hotels are becoming one of the riskiest places for travelers, and many threats await them right in their rooms. 

"It's crucial to understand that the willingness of cybercriminals to intrude on your privacy or steal your data does not depend on your presence in the office or your holiday plans,”  says NordVPN's cybersecurity expert Adrianus Warmenhoven.

“Hackers can use a hotel's cybersecurity vulnerabilities in several ways to reach you even in your room. So while you’re on vacation and using the internet connection of where you’re staying, you should be cautious and manage cybersecurity risks.”

Wi-Fi’nagling

Warmenhoven says those vulnerabilities start with the hotel’s free Wi-Fi. There are two ways in which hackers can steal travelers' passwords and personal information through a hotel's Wi-Fi.

One is where a guest connects to the hotel's Wi-Fi and malware is downloaded to their device. The second is where hackers create a sort of "evil twin" – a fake, unsecured Wi-Fi hotspot with an unsuspicious name like "Guest Wi-Fi" or "Free Hotel Wi-Fi" – and steal private information that way.

"To avoid being hacked through hotel Wi-Fi, travelers must take a few steps. First, ask the person at the reception desk to give the exact name and password for the provided Wi-Fi to avoid connecting to an ‘evil twin’ network.

"Second, use a VPN service to encrypt your data and prevent third parties from intercepting it. Finally, it is always a good idea to enable a firewall while using public Wi-Fi," Warmenhoven said.

Another Wi-Fi-related issue could come from a guest using their device’s automatic connection function because hotels are frequently surrounded by public and insecure internet connections.

Disabling that option helps to mitigate cybersecurity risks on a trip, but Warmenhoven warns that if a traveler leaves their smartphone in their hotel room with the phone disconnected from Wi-Fi, the connection can automatically be turned on if, by chance, the hotel staff moves it while cleaning a room. 

USB chargers can be trouble, too

Some hotels provide USB charging ports in their rooms for the convenience of their guests, an easy way to charge a device, especially if the traveler is coming from a location with a different kind of plug.

However, cybercriminals may have already beaten the guest to that charging port, installing malware on phones to perform an attack called juice jacking. When this type of attack happens, hackers can steal users' passwords, credit card information, address, name, and all sorts of data. 

"Safe device charging on your way to your vacation spot might be challenging because you must carry a power bank or USB data blocker, but hotel rooms always have a socket. Usually, it's the safest way to charge your devices," says Warmenhoven.

Cyberstalking via smart TVs

The most unusual hack these days comes from smart TVs. Depending on a hacker’s aim, they could cyberstalk travelers with built-in microphones or cameras, or steal personal credentials used to log in to apps on the smart TV and sell them on the dark web.

Experts recommend unplugging the smart TV when not in use. By covering the webcam and avoiding logging in with personal credentials, you can also mitigate cyber risks.

DuckDuckGo's new Windows browser goes all in on privacy tools

If you’re tired of being tracked, tired of website algorithms feeding you things you don’t have an ounce of interest in, or tired of fighting spam, there is now a browser that fights all those annoyances for everyone.

A year after rolling out its nuisance-fighting browser for Mac users, DuckDuckGo (DDG) has released a version for Windows users.

The company claims its alternative to Google search and Chrome won’t track you for a minute, plus it can block other companies from tracking you, too. “Just a fast, lightweight browser that makes the Internet less creepy and less cluttered,” the company calls it.

DuckDuckGo isn’t exactly a household name, but it has proved to be the little search engine that could. Since it first launched in 2008, its daily searches have moved from the hundreds of thousands to the hundreds of millions.

Is privacy important to you?

Privacy is at the heart of DDG’s browser update, a fact the company’s CEO doesn’t want to be lost on anyone.

“Search alone doesn’t actually solve the privacy harms people are concerned with,” Gabriel Weinberg said. “Like ads following you around, unsettling targeting, or people grabbing up your personal information. Search is part of that, but there are lots of trackers hiding behind websites.” 

That privacy crusade begins with DDG’s Duck Player, a YouTube player that lets you watch YouTube videos without privacy-invading ads and keeps video views from impacting the recommendations pushed your way.

Another plus is tracker blocking, which the company claims goes way past what’s available from Chrome and other browsers. For example, its Tracker Loading Protection is designed to block hidden trackers from companies like Google and Facebook that may be lurking on other websites before they ever get a chance to load.

There’s also…

  • Smarter Encryption to guarantee that more of the websites you visit and the links you click on are encrypted and secure – at least relative to other browsers.

  • For those who don’t like leaving any trace of where they’ve been on the internet, DuckDuckGo is introducing the Fire Button, which supposedly burns recent browsing data in one click. On the flip side, there’s also a handy “Fireproof” option for any sites you want to stay logged into.

  • Another privacy perk is Email Protection, which has the ability to disguise your email address with unique @duck.com email addresses so when you’re signing up for things online, your Gmail or other regular inboxes don’t get spammed with spew.

Users like what they see, but there’s room for improvement

In the reviews ConsumerAffairs saw of DuckDuckGo, it’s hard to find any naysayers. Out of the 1.81M reviews on Google Play Store, the app averages a 4.7-star rating.

The only concern pundits raise is that DDG’s competitors like Microsoft and Google have tied their services tightly to their apps, which makes it tougher for someone to make the switch. For example, Google Docs is tied to Chrome.

“DuckDuckGo’s hope is that it can get people to do the one download to get into the browser, and then the company can provide all kinds of services,” said The Verge’s David Pierce.

And both Weinberg and the company’s product director, Peter Dolanjski, said Pierce is preaching to the choir when it comes to features. Weinberg cited DuckDuckGo’s email protection as one example. “Ideally, these are features that protect you, that we can also make more visible,” he said.

Fitness apps – a new favorite tool for fraudsters?

A fraudster’s best friend may be sitting right on your wrist. Cybercriminals are taking advantage of a new breed of scam via fitness trackers and health apps, according to cybersecurity company NordVPN.

And like many other data thieves, they’re feasting on what consumers have allowed social media networks to glean from gadgets like Fitbit and popular exercise apps.

All it takes is craftily befriending users to share their exercise goals. Once that box is checked, then it’s off to mining personal information or manipulating them into sending over money. 

“The trend in fitness tracker fraud shows it’s no longer enough just keeping an eye out for scammers while on your mobile or laptop — now they could be targeting you on the treadmill,” Marijus Briedis, cybersecurity expert at NordVPN, said.

“Once a scammer has you in their sights, what begins as bonding over a recent workout can quickly turn into a form of social engineering where they seek to mine as many personal details as possible while your guard is down. This can ultimately lead to attempts to manipulate you with fake personal stories, investment ‘opportunities’ or even identity theft.”

Stopping the scammers in their tracks

This is such a new wrinkle that there's no single switch to flip to stop these fraudsters yet, but there are individual app permissions you can turn off to protect what’s most important to you.

Note: iOS and Android app permissions may be named differently, depending on the version of your operating system, so it may take a bit of extra digging to determine what’s what.

When it comes to fitness apps, the first line of defense is to avoid sharing any personally identifying information and to keep a basic ‘vanilla’ profile on your online groups, using an avatar or no picture at all.

“As with romance scams, beware of any requests from strangers, chats that veer away from fitness topics, or attempts to move the conversation onto another website or app,” Briedis added.

But, don’t stop there.

"While some running or cycling apps will request special access to your location settings to track your favorite routes, there’s no excuse for a blood pressure checker getting hold of your call history or being able to see your photos. As a minimum, make sure that any fitness apps you add allow you to delete your data,” he said.

The phone camera

If you give an app access to your camera, you’ve made the app developer very happy. With that permission, an app can take pictures and record videos as you might expect, but the NordVPN researchers caution that some apps may misuse this permission to access your camera without your knowledge. When that happens, all bets are off and a fraudster can invade your privacy.

If you don’t want that to happen, you should only grant access to your camera to trusted apps that actually require camera functionality, such as your camera app.

“Sometimes camera requests make sense for other apps too. For example, social media apps may need it for video calls or posts, while other apps may require it to scan QR codes,” the researchers said. “But if you need help determining whether you trust the app enough, you can always grant access to your camera only when the app is in use.”

Microphone

Another entry point for someone who wants to invade your life and plunder your personal privacy is your phone’s microphone. Just like the camera, you should inspect which apps can access it, too. Some make perfect sense – like Google Assistant or texting via voice – but if you don’t see a significant reason for an app to access your microphone, stay on the safe side and deny the request.

Files and media

Apps with access to your files and media can read, modify, or delete the content on your device, including your sensitive files, photos, and videos. Some of the more notorious ones are apps that claim to clean junk files and save battery life.

Trusted brand apps that truly need access to your photos, such as Google Photos, or security software that needs to scan your files for malware, such as Norton, should be safe, but any off-brand apps should be chosen carefully.

Location

Location settings are another line that apps like to edge across in hopes of following a person’s every move. Google Maps? No problem. But do you want Facebook to know where you are at all times?

Microsoft agrees to settle charges over its mishandling of the personal data of children using Xbox Live

Online services and websites that collect information from children under 13 must notify their parents directly and obtain their permission before they collect that child's information.

Microsoft's Xbox Live failed to do so, violating the Children’s Online Privacy Protection Act (COPPA), according to the Federal Trade Commission (FTC).

To settle those charges, Microsoft has agreed to obtain parental consent before collecting personal information from children's accounts created before May 2021. As part of its efforts to protect children, Microsoft will also inform adult Xbox Live users about its privacy settings.

“As the next generation enters the digital age, their personal data becomes a valuable asset to organizations looking to capitalize on it,” Nicky Watson, co-founder and chief architect of Cassie, a data privacy management company, told ConsumerAffairs.

“The FTC settlement with Xbox Live is keeping organizations accountable for collecting information about minors and increasing transparency about how that information will be used.”

Does your family have an Xbox Live account?

The agency says that any family who subscribes to Xbox Live can create a special account for their children that will give them privacy protections that adults don’t receive.

For example, with a child account, Microsoft is limited in how it shares your child’s information and your child may only communicate with friends that you approve. To review and adjust your child’s privacy settings, go to your Microsoft Privacy Dashboard.

Watson drove home the point that, in the Xbox Live case, both parents and children should be aware of their data privacy rights and understand their preferences, and the FTC shares that perspective. The agency says that before a website or online service collects personal information from any child, it has to notify the parent and get the parent’s permission. The notice must tell the parent:

  • What information the site will collect about your child

  • How it will use the information

  • How to give — or withhold — your consent.

It must also include a link to the privacy policy with more details.

If a parent gives consent, their rights don’t end there. They have the right to review the information that the website or service collects about their child and delete it if they choose. They also have the right to rescind their consent at any time.

To learn more, check out the FTC’s advice about protecting your child’s information online.

FTC says Facebook violated the 2020 child privacy order and wants it rewritten

The Federal Trade Commission (FTC) and Facebook are squaring off… again. The agency claims that Facebook failed to fully comply with its 2020 privacy order.

That order accused the social media giant of misleading parents about their ability to control who their children communicated with through Facebook’s Messenger Kids app. The agency said the company also misrepresented the access it allowed app developers to private user data.

Because of those indiscretions, the FTC wants the original order rewritten to take away any wiggle room Facebook has been using to its advantage.

Facebook -- now known as Meta -- has now been on the FTC's wrong side three times for allegedly failing to protect users’ privacy. The Commission first filed a complaint against Facebook in 2011 and secured an order in 2012 barring the company from misrepresenting its privacy practices. 

“Facebook has repeatedly violated its privacy promises,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.”

What the FTC wants

If the FTC gets sign-off on the proposed changes, Facebook – and Meta’s other services such as Instagram, WhatsApp, and Oculus – would be prohibited from making any money off the back of the data it collects. This would include its virtual reality products and any user under age 18.

In addition, the social media company would have to walk the straight and narrow on its use of facial recognition technology. It would also be required to provide additional user protections. Those include:

  • Blanket prohibition against monetizing the data of children under 18. Plus any data it collects on someone under 18 cannot be used for commercial gain even after those users turn 18.

  • Pause the launch of new products and services until those products and privacy protections are fully vetted by an assessor.

  • Limits on future uses of facial recognition technology

In the meantime, what parents can do

Readers of the Mozilla Foundation’s “Privacy: Not Included” series have slapped both Facebook Messenger and Messenger for Kids with a “Super Creepy” label.

“With Facebook-owned apps, we always worry there is a good deal that could go wrong,” the Mozilla Foundation wrote in its review of Messenger for Kids. 

“There are no ads served to kids in Facebook Messenger and Facebook claims they don’t use data from the Messenger Kids app for ads in their other apps. It does still collect children’s data though, so be wary. If you do decide to use Facebook Messenger, it’s probably best to assume nothing you say or do is actually private.”

Yaron Litwin, chief marketing officer at Canopy, a platform designed to keep kids safe online and give parents some peace of mind, told ConsumerAffairs that parents should talk with their children and provide examples of online communication and behavior that could be a concern. 

“In addition, having clear family rules in place regarding online responsibility and the sharing of personal photos is crucial,” he suggested.

Using ChatGPT? How safe is your privacy?

Since the beginning of 2023, artificial intelligence (AI), in the form of ChatGPT, has been all the rage. The platform is being used to write poetry, compose essays and answer obscure questions.

Now there are dozens of ChatGPT apps that you can download to your device. But some privacy experts see trouble ahead.

In fact, the European Data Protection Board (EDPB), the group coordinating Europe’s various privacy agencies, has established a ChatGPT task force to determine if privacy regulations are needed.

Sarah Hospelhorn, CMO at BigID, says consumers should be cautious about how they use these apps until they get a firm handle on privacy policies.

“Users’ privacy can be compromised if they're using an ungoverned set of data,” Hospelhorn told ConsumerAffairs. “It could be personal data, employee or consumer data, secrets and passwords, even seemingly benign data like your mother's maiden name or shopping history.”

Aaron Rafferty, CEO of Standard DAO, says users’ privacy can be compromised in several ways when using ChatGPT and other AI platforms. 

The threats

“The most concerning issues include the potential for data breaches, exposing sensitive user conversations, and unauthorized access to personal information,” he told us. “The scenario of Samsung employees using ChatGPT and ultimately compromising proprietary Samsung information that is now owned by OpenAI and its users is just one example of many. There's also the risk of AI-generated misinformation that could inadvertently violate user privacy or manipulate public opinion.”

Sameer Ahmed Khan is the co-founder & CEO of Social Champ, a MarTech start-up backed by Techstars. Khan says these new AI apps present new privacy concerns that haven't been factors with other forms of technology.

“A determined hacker team can infiltrate and exploit cybersecurity gaps to steal all data or inputs without alerting the target or their safeguards,” Khan told us. “ChatGPT is no different, and the exploits around its security measures are continuously being penetration tested by malicious actors.”

Privacy concerns limit business uses

Khan thinks there are limited business uses for ChatGPT because of privacy issues. He notes that Microsoft has developed a fix, and “it's just a matter of using Microsoft 365 Copilot, which was launched to uplevel business users with AI.”

The growing number of ChatGPT apps all have different privacy policies which you should review carefully before downloading. Ai Chat - GPT Chat Bot, an app available at the Apple app store, carries a note that it does not collect any user data. However, not all are like that.

Because of that, Rafferty believes U.S. regulators will eventually address privacy issues with new policies and will likely strike a balance between fostering innovation and ensuring user privacy.

Are QR codes out to ruin our lives? That possibility exists and is getting worse

Can someone hack your phone through a QR code? Can a scammer steal your personal and financial information via a QR code? Can a bad actor encrypt your device until you pay a ransom? Yes, yes, and yes.

A year ago, the FBI raised fears that those possibilities were real, and now security and privacy experts are raising the ceiling on those fears even higher. They pose questions about how the general public can protect themselves when they’re scanning QR codes to confirm package deliveries, add time to a parking meter, or respond to an advertisement.

“Unfortunately as the popularity of QR codes has increased with the public, its popularity has also increased with scammers who are setting up phony QR codes to lure you to their bogus website where they solicit personal information used for identity theft or persuade you to make a payment with a credit card,” attorney Steven Weisman wrote for Scamicide.

“Or even in some instances, merely by scanning the phony QR code, you will download harmful malware such as ransomware or even malware that will enable the scammer to take over your email account.” 

And the possibilities are infinite. When ConsumerAffairs dug into all the ways that QR codes could be clandestinely turned into digital weapons, we found everything from digital business cards, menus, social media links, getting an app, opening a PDF, showing a location, to sending a text message, making a phone call, making payments, getting rewards and discounts and starting a WhatsApp conversation.

How badly can a fake QR code mess up your life?

As Yaniv Masjedi at Aura points out, there’s “technically” no such thing as a “fake” QR code. “The codes themselves aren’t dangerous — it’s how they’re used that can become problematic,” he says.

The real trouble is a rabbit hole that the scammers have built, and once they get a victim inside, there are few ways to burrow out. Here’s everything that could go wrong:

  • You could be redirected to a phishing website. With things like Photoshop and website builders in their treasure box, a scammer can easily make you believe that you’ve landed on a real big brand website – one that most people will never detect as fake. Once you’ve taken that bait, they then ask for your sensitive information. “But anything you enter — name, contact information, credit card number — goes to the scammer and can be used to steal your identity,” Masjedi said.

  • Your device could be infected by malware. Masjedi continued – “QR codes can also download malicious software onto your device such as malware, ransomware, and trojans. These viruses can spy on you, steal your sensitive information or files (like photos and videos), or even encrypt your device until you pay a ransom.”

  • If the scammer is good at their game, a QR code could send an email from your account. On top of designing QR codes to send people to websites, scammers can also program the codes to open payment sites (think PayPal or Venmo), follow social media accounts, and send pre-written emails. 

Is there a solution?

The good news is that there are ways people can protect themselves. The bad news is that most of them are very granular and take extra work.  

“The first step to protecting yourself is to always check the URL of any website the QR code takes you to that requests a payment or personal information,” Weisman said. “If the URL does not begin with https, but only begins with http, you know it is a scam.”

When it comes to updates on orders from places like Amazon or deliveries from UPS or FedEx, Weisman suggests skipping the QR code and going directly to your account instead.

“If you receive an unordered package with a QR code to scan for instructions to return it, go directly to your account at a legitimate company, such as Amazon rather than use the QR code.  And just like you shouldn't click on links in social media posts unless you have absolutely confirmed they are legitimate, the same holds true for QR codes in social media.  Trust me, you can't trust anyone.”
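An added example, not part of the original article: it takes the text a scanner has already decoded from a QR code and reports what following it would do (open a site, start a payment or chat, draft an email, text or call) and why to pause first. The function name, warning wording and sample payloads are assumptions constructed for illustration; because HTTPS only shows that the connection is encrypted, the host is also compared with the one you expected.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Domains of the payment and chat services the article names.
PAYMENT_HOSTS = {"paypal.com", "paypal.me", "venmo.com"}
CHAT_HOSTS = {"wa.me", "api.whatsapp.com"}

def _matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def inspect_qr_payload(payload, expected_hosts=()):
    """Classify a decoded QR string and list reasons to pause before acting."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:  # e.g. a malformed bracketed host
        return {"action": "other", "target": text, "warnings": ["unparseable"]}
    scheme, warnings = parts.scheme.lower(), []

    if scheme == "mailto":
        if {"subject", "body"} & parse_qs(parts.query).keys():
            warnings.append("pre-written email content")
        return {"action": "email", "target": unquote(parts.path), "warnings": warnings}

    if scheme in ("sms", "smsto", "tel"):
        action = "call" if scheme == "tel" else "text message"
        # SMSTO:<number>:<text> carries the message after a second colon.
        return {"action": action, "target": parts.path.split(":")[0],
                "warnings": ["contacts a number chosen by the code's author"]}

    if scheme not in ("http", "https"):
        return {"action": "other", "target": text, "warnings": ["unrecognised payload"]}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("text before '@' is not the host")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host, possible look-alike")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    # HTTPS alone says nothing about who runs the site, so compare the host too.
    if expected_hosts and not _matches(host, expected_hosts):
        warnings.append("host is not the one you expected")

    action = ("payment" if _matches(host, PAYMENT_HOSTS)
              else "chat" if _matches(host, CHAT_HOSTS) else "website")
    return {"action": action, "target": host, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    samples = ("http://parcel-redelivery.example/pay",
               "https://paypal.com.account-check.example/login",
               "mailto:billing@vendor.example?subject=Invoice&body=Pay%20now",
               "SMSTO:+15555550100:YES")
    for sample in samples:
        print(sample, "->", inspect_qr_payload(sample, expected_hosts=("paypal.com",)))
```

The second sample is served over HTTPS and contains a familiar brand name, yet it is still flagged, because the part of the host that counts is its right-hand end.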

If you have a recent smartphone – ones with iOS 13 and above and Android 9 and above – Beaconstac says that those come equipped with advanced QR Code readers. So you really don’t need to download any third-party app.

But if you have an older phone – or simply want to add another level of security – ConsumerAffairs found these two apps to be the best-rated options:

  • Kaspersky’s QR Code Reader and Scanner: GooglePlay 4.4*; Apple App Store 4.6*

  • QR & Barcode Reader by Gamma Play: GooglePlay 4.5*; Apple App Store 4.3*

Attention, AT&T customers: Did you have an 'unlimited data' plan? You might be due some money.

If you’re a former AT&T customer who may have been bitten by an unlimited data plan and haven’t cashed a check from the carrier to settle claims made by the Federal Trade Commission (FTC), time is wasting. To help out, the FTC has announced a new claims process to return money to thousands of former AT&T customers who had those plans in place at any time between October 2011 and June 2015.

However, what if you are a current AT&T customer who had an unlimited data plan during this time? No need to file a claim — you should have gotten a bill credit from AT&T in early 2020.

The settlement goes back to the FTC’s claim that AT&T throttled customers’ data, slowing down their internet speed after they used a certain amount of data in a billing cycle. The limits on this “unlimited” plan made it hard — and, in some cases, impossible — to browse the internet or stream videos. And, before people signed a long-term contract, AT&T didn’t adequately disclose to customers that it would slow down their internet.

Throttling has been a thorn in the side of the FTC for years now. In addition to AT&T, it also went after TracFone for the same thing.

AT&T's response? "While we continue to dispute the allegations in this lawsuit from 2014, we elected to settle in 2019 rather than continue with drawn-out litigation," the company said in an email to ConsumerAffairs.

Here’s what to know

If you think you meet the AT&T settlement criteria and want to move forward with a claim, here’s what you need to do:

  • Determine if you’re eligible and file your claim at ftc.gov/ATT.

  • You have until May 18, 2023, to file a claim.

  • Questions about filing a claim? Call the refund administrator at 1-877-654-1982 or email info@ATTDataThrottling.com.

Where did you go to high school? Scammers want to know.

We’ve all – yes, probably all – taken some sort of online quiz. What Hollywood star would be a perfect partner for you? What was your first car? Where did you go to high school?

Guess what – these things have a lot in common: they’re trying to sucker you in so they can get their grubby little hands on your personally identifiable information (PII).

So, before you take a quiz to find out which Marvel character you’re most like, ask yourself: Do I know who’s gathering this information about me — or what they plan to do with it?

The Federal Trade Commission (FTC) says that all those cute little quizzes and surveys are carefully crafted to get innocent people to spill the beans on the answers to security questions. Scammers can then turn around and use those answers to try to reset your accounts and steal your bank and other account information.

The agency says that some scammers go even further, by hacking social media accounts and sending malware links to friends of the hacked account holder under the guise of sharing a quiz.

It’s ok to lie!

Even though they’re tempting, Terri Miller, a consumer education specialist at the FTC, says don’t take the bait.

“One major way to protect your personal information — in addition to maintaining strong passwords and using multi-factor authentication — is to steer clear of online quizzes -- or just don’t answer them truthfully,” she said.

Miller had some interesting advice on how to outsmart the tricksters. “As for accounts that require actual security questions, treat them like additional passwords and use random answers, preferably long ones, for those too. Asked to enter your mother’s maiden name? Say it’s something else: Parmesan or another word you’ll remember.

Or use a password manager to store a unique answer. This way, scammers won’t be able to use the information they find to steal your identity,” she said.

New Year's resolutions apps grab more private data than nearly any other category

Anyone who’s more concerned about their overall data privacy than their short-term New Year’s resolutions should be very careful about which exercise, weight loss, or quitting smoking apps they load on their phones.

A new study from Incogni, a data privacy platform, took a hard look at resolution-oriented apps and found privacy risks associated with 344 such apps. Here’s a rundown of what its researchers found:

Way too much TMI: Eighty-four percent of all apps Incogni analyzed requested 10.7 permissions on average. The most-requested dangerous permissions are those to read (74.4%) and to modify or delete (66.3%) the contents of your USB storage.

Let’s play cat and mouse: Almost half the apps want to know exactly where you are. An estimated 40% of all apps request dangerous location-related permissions, with precise location requested slightly more often (38.4% of all apps) than approximate location (37.2%).

“Do I look fat?”: Losing weight apps are the least private and have the worst privacy score. They may argue that they have to analyze and evaluate issues relating to nutrition, etc. so they need a lot of ongoing data to provide that customization.

And the best: Quitting smoking apps perform the best in terms of privacy, with the category’s average score of 23.3 being 38.4% lower than the overall average.

Other resolution-driven apps that scored above the reasonable limit in collecting personal data are:

  • Remodeling/renovating home

  • Exercising more

  • Spending less time on social media

  • Traveling more

  • Reducing stress

What privacy things you should consider when downloading an app

Incogni’s basic rule of thumb is “the more popular the app, the less private it is.” 

“If you’re planning on downloading an app to help you keep track of your New Year’s resolutions, we recommend caution,” the researchers said, and pointed to three things a consumer should consider:

  1. Choose an app with a lower privacy risk score.

  2. Stay away from popular apps with 500k or more downloads.

  3. Consider the categories. If choosing from a high privacy risk category, check the data safety section of the app in the Google Play or Apple app store. Below are step-by-step instructions for both Android and iPhone.

Apple

Android