2024 Privacy Concerns and Violations


Watch what you say. Your air fryer may be listening

A British report by the consumer organization Which? has revealed that some air fryers and other smart devices may collect personal data, raising privacy concerns. Air fryers from Xiaomi, Tencent, and Aigostar were found to record audio on users' phones without explaining why. Some devices also sent personal data to servers in China.

Other smart devices, such as Samsung TVs and Huawei smartwatches, were flagged for requesting extensive permissions, including access to precise locations and apps.

There's no word on whether similar devices have their ears on in the U.S.

The British Information Commissioner’s Office (ICO) plans to release new guidance in 2024 to ensure manufacturers comply with data protection laws. The guidance will clarify how to request consent, provide privacy information, and protect user rights. The ICO warned it would monitor compliance and take action if necessary to safeguard consumers.

Which? said the company claimed that all of the permissions it asks for have a justified need.

An ICO spokesperson said its fresh guidance for firms next year will "outline our clear expectations for what they need to do to comply with data protection laws and, in turn, protect people using smart products."

"It will cover areas including how to ask for consent, how to provide privacy information and what tools need to be available for people to exercise their rights," the spokesperson said.


Android shopping apps often violated privacy in 2024, researchers say

Popular shopping apps regularly violate their users' privacy, new research says.

Around 60% of the most popular Android shopping apps are in potential violation of Google Play's privacy policy standards, according to a review by research firm Comparitech of 91 apps internationally in November.

On average, the shopping apps requested access to 26 permissions, eight of which Android classified as high level or "dangerous," including access to body sensors, calendars, calling, camera, contacts, GPS location, microphone, storage and texting, Comparitech said.

Thirty-two of the apps requesting access to an Android device's camera and media files didn't disclose they would in their privacy policy and 12 apps requested access to location data also without disclosure, Comparitech said.

Groupon, for example, requested access to the device's camera but doesn't mention needing access in its privacy policy, Comparitech said.

In response, a Groupon spokesperson told ConsumerAffairs "that the camera permission has been removed from our Android app manifest," starting in Android 24.14.

"Going forward, the camera permission will only be requested from users when it is necessary," the spokesperson said, "for example, when they choose to upload a photo with a review for a specific deal."
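One way to run the kind of manifest-versus-policy check Comparitech describes, written here as an added example (it is not Comparitech's tooling and not any app's real manifest): it parses the `uses-permission` entries of an AndroidManifest.xml, keeps the ones Android classes as dangerous, groups them the way the platform does, and reports which groups the privacy policy never mentions. The manifest, the policy text and the disclosure keyword table are constructed for the example; the dangerous-permission list is a subset of Android's runtime permissions with their platform permission groups.

```python
"""Audit an Android manifest for dangerous permissions and policy disclosure.

Added example for this article, not Comparitech's method or any real app's
manifest. SAMPLE_MANIFEST, SAMPLE_POLICY and DISCLOSURE_TERMS are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's dangerous (runtime) permissions, mapped to the platform
# permission group they belong to. The groups match the categories the article lists.
DANGEROUS = {
    "android.permission.BODY_SENSORS": "body sensors",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.CALL_PHONE": "calling",
    "android.permission.READ_PHONE_STATE": "calling",
    "android.permission.READ_CALL_LOG": "calling",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
}

# Constructed heuristic: a policy "discloses" a group if it uses any of these terms.
DISCLOSURE_TERMS = {
    "body sensors": ("sensor", "health"),
    "calendar": ("calendar",),
    "calling": ("phone number", "call log", "phone calls"),
    "camera": ("camera", "photo"),
    "contacts": ("contacts", "address book"),
    "location": ("location", "gps"),
    "microphone": ("microphone", "audio", "voice"),
    "sms": ("sms", "text message"),
    "storage": ("storage", "files", "media"),
}

# Constructed manifest for a fictional shopping app (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
      android:maxSdkVersion="28"/>
</manifest>
"""

# Constructed privacy policy excerpt: mentions location, photos and media, but not contacts.
SAMPLE_POLICY = """We use your location to show nearby stores and may access your
photos and media files when you add pictures to a review."""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Every android:name declared in a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit(manifest_xml: str, policy_text: str) -> dict:
    """Count permissions, pick out the dangerous ones, and flag undisclosed groups."""
    perms = requested_permissions(manifest_xml)
    dangerous = {p: DANGEROUS[p] for p in perms if p in DANGEROUS}
    groups = sorted(set(dangerous.values()))
    text = policy_text.lower()
    undisclosed = [g for g in groups
                   if not any(term in text for term in DISCLOSURE_TERMS[g])]
    return {"total": len(perms), "dangerous": dangerous,
            "groups": groups, "undisclosed": undisclosed}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_POLICY)
    print(f"{report['total']} permissions, {len(report['dangerous'])} dangerous")
    print("dangerous groups:", ", ".join(report["groups"]))
    print("not mentioned in policy:", ", ".join(report["undisclosed"]) or "none")
```

Removing a `<uses-permission>` line, as Groupon describes doing for the camera, drops that group from the report entirely. A runtime permission still has to be declared in the manifest before the app can prompt for it, so a permission that is requested only "when necessary" remains visible to this kind of audit and still needs to be covered by the policy text.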

The findings come during the holiday shopping season, when nearly 1 in 5 shoppers will use an app to make purchases in 2024, according to a survey by Bain & Company.

What were the shopping apps violating privacy?

The apps requesting the most dangerous permissions in the U.S. were Amazon Shopping, which requested 20 dangerous permissions, followed by AliExpress at 19 and Flipkart at 18.

An Amazon spokesperson told ConsumerAffairs that its "mobile app requests permissions for device functions that enable us to provide helpful features to our customers, such as the ability to visualize products in their home with their device’s camera or search for products using text-to-speech."

"Customers have full transparency into the device permissions we request in the Permissions dashboard within the app and can control which permissions they allow to enable specific features, providing an additional level of control beyond their device’s settings," the spokesperson added.

A spokesperson for AliExpress told ConsumerAffairs the company is "deeply committed to our users’ privacy rights and information security, considering them core to our promise of a secure and reliable platform."

"We have put in place thorough data security measures, including regular reviews of our data practices to uphold our ISO certifications for data security. We will persist in safeguarding user privacy and security, following all applicable laws and regulations," the spokesperson added.

The other companies didn't respond to requests for comment from ConsumerAffairs.


Relationship chatbots come with a number of privacy risks

While artificial intelligence (AI) has made it easy for consumers to find recipes, write thank-you cards, or even do homework assignments, some chatbots have been designed for people to build relationships. 

These sites serve as a platform for consumers to build any kind of relationship – platonic, romantic, professional, etc. – with a chatbot. 

Though it may seem harmless at the outset to have an outlet to vent or share things, Mozilla’s *Privacy Not Included guide has done some deep diving, discovering that these platforms can actually be dangerous when it comes to consumers’ privacy and safety. 

The company analyzed data from 11 of the most popular relationship chatbots and determined that none provided adequate levels of privacy, security, and safety for users. 

“Today, we’re in the wild west of AI relationship chatbots,” said Jen Caltrider, director of *Privacy Not Included. “Their growth is exploding and the amount of personal information they need to pull from you to build romances, friendships, and sexy interactions is enormous. 

“And yet, we have little insight into how these AI relationship models work. Users have almost zero control over them. And the app developers behind them can’t even build a website or draft a comprehensive privacy policy. That tells us they don’t put much emphasis on protecting and respecting their users’ privacy. This is creepy on a new AI-charged scale.” 

Privacy and security are at risk

The data from this analysis will be in *Privacy Not Included’s 2024 Valentine’s Day buyer’s guide. The goal is to help open consumers’ eyes to the security and privacy risks that come with utilizing these services. 

For starters, Mozilla identified over 24,000 data trackers after using the Romantic AI app for just one minute. Once the app collects users’ data, they can share it with marketing companies, advertisers, social media platforms, and more. 

Another security flaw that Mozilla discovered: 10 of the 11 chatbots didn’t require users to create strong passwords. This makes users’ accounts even easier for hackers or scammers to break into.

It’s also important to note that consumers have no control over how their data or personal information is used by these platforms. This opens the door for these chatbots to utilize and manipulate users’ personal information as they please, which comes with several privacy and security risks. 

“One of the scariest things about the AI relationship chatbot is the potential for manipulation of their users,” Caltrider said. “What is to stop bad actors from creating chatbots designed to get to know their soulmates and then using that relationship to manipulate those people to do terrible things, embrace frightening ideologies, or harm themselves or others? This is why we desperately need more transparency and user control in these AI apps.”


Why 2024 may be a worse year for identity theft

In its yearly review of the identity landscape, the Identity Theft Resource Center (ITRC) suggests that, as others have hinted at, the walls really are crumbling when it comes to your identity’s safety.

As this reporter experienced, last summer, the possibility that your Personal Identity Information (PII) will wind up on the dark web is a Vegas-worthy, bet-the-house possibility.

Last year witnessed a record-breaking spike in data breaches, marking a worrying trend for cybersecurity. The ITRC’s tracking saw a 78% increase in 2023 compared to 2022.

However, a disturbing trend emerged: more than 1,400 public breach notices lacked crucial information about how the attack happened, representing a significant drop from the 100% transparency rate seen just five years ago. How did that Comcast hack happen? Who knows? The one involving T-Mobile? Your guess is as good as ours.

Companies are embarrassed by these thefts

The report suggests that even though nearly 11% of publicly traded companies faced compromises in 2023 – a worrying statistic on its own – transparency remained elusive.

Companies withheld attack details in 47% of cases compared to 46% for other organizations. This lack of openness makes it difficult to assess threats and hold entities accountable. 

It’s also a reputational concern. Case-in-point is Norton Healthcare, which waited nearly six months before admitting to its patients that it had been the victim of a cyberattack.

Even though the company said that information that may have been impacted included names, contact information, Social Security numbers, birth dates, health information, insurance information, medical identification numbers, driver's license numbers or other government IDs, financial account numbers, and digital signatures, it opted to couch its breach to its customers as “We regret any inconvenience this incident may cause you.”

One reason why 2024 will be worse

The snowball effect of this is that more and more of us will see our PII on sale to anyone who wants to buy it. 

It’s a safe bet, too, that Generative AI will also contribute to a rise in the sophistication of phishing attacks and other forms of identity fraud and scams using personal information stolen in data breaches, Eva Velasquez, executive director of ITRC, said.

While other "techsperts" think that AI will enable cybercrooks to leverage a person’s data in ways like voice cloning or deepfake videos, Velasquez thinks the opposite: that the sheer volume of personal data available via the dark web, coupled with the ability of hackers to employ AI to send out phishing emails and texts, is a much larger issue.

And, if 2024 repeats what the ITRC saw in 2023, consumers need to pay extra attention to four categories: healthcare, financial services, transportation, and utility companies – which, despite having fewer breaches – topped the list for estimated victims in 2023.

“Therefore, the probability of being hacked is unpredictable but on the rise unless you take measures to protect yourself,” suggests Miklos Zoltan, founder & CEO of Privacy Affairs, a company that monitors personal data available on the dark web.

“By adopting a few straightforward rules and habits, you can make it more difficult for hackers to access your data and remove yourself from their line of sight.”

Telling the real from the fake

While AI can create convincing messages, there’s one way you can figure out which are real and which are not – one that seldom gets mentioned: take a quick look at the “who” and “what.”

Let’s look at the email below that a member of the ConsumerAffairs team received.

The email says:

  1. It’s from “T-Mobile,” yet the “via” says it’s from “susd12.org” which happens to be the Sunnyside School District in Arizona. Not exactly “T-Mobile,” is it?

  2. There's an attachment – a document that says “Translate to English.” Ask yourself why.

  3. When you click on the triangle next to your name (“me”), it brings up the full details of the sender. The “reply to” doesn’t go to “T-Mobile” or the Sunnyside Schools, but rather to a website in Russia. A real T-Mobile email would come from a .com in the U.S.

As John Fahd, founder and CEO of ITegrators, explained, “If a scam email needs a reply from you, you'll see that the ‘Reply To’ field has a different email address than the one that actually sent you the email.”

“Scammers use this technique to get replies by enticing you to read and respond to the emails they send using the names of reputed brands, companies, governmental organizations, and so on.”

And you can’t beat common sense either. Ask “why” T-Mobile is sending you an invoice when you’re actually an AT&T customer. If a truly legit company really needs to get in touch with you and you don’t respond, trust us, they’ll find a way, probably by sending you a letter with a real request and a real phone number to contact.
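The "who" and "what" checks above can be automated against the raw message headers. The script below is an added example for this article, not code from ConsumerAffairs or from the experts quoted: it reads a message with Python's standard `email` package, compares the registered domain of `From` against `Sender` (the mailbox that actually submitted the message, which is what the "via" label reflects) and `Reply-To`, flags a watched brand name in the display name whose `From` domain is not on that brand's allowlist, and lists attachments so the reader can ask why they are there. The sample message, the domains (`.invalid` and `.example` are reserved names) and the brand allowlist are all constructed placeholders.

```python
"""Header checks for the "who" and "what" of a suspicious email.

Added example for this article, not ConsumerAffairs' or any vendor's code.
The message, domains and BRAND_DOMAINS table below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed watchlist: brand token seen in display names -> domains assumed to be
# allowed to use it. Placeholder values, not the carrier's real domains.
BRAND_DOMAINS = {"t-mobile": {"tmobile-legit.example"}}

# Constructed message modelled on the article: the display name says "T-Mobile",
# the submitting mailbox (Sender) is a school district, Reply-To goes to a third
# domain, and there is an attachment asking to be "translated".
SAMPLE_EMAIL = b"""From: "T-Mobile Billing" <billing@tmobile-notices.invalid>
Sender: mailer@school-district.invalid
Reply-To: invoices@reply-host.invalid
To: me@example.com
Subject: Your T-Mobile invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/msword; name="Translate to English.doc"
Content-Disposition: attachment; filename="Translate to English.doc"

not-a-real-document
--b1--
"""


def registered_domain(address: str) -> str:
    """Crude registered-domain heuristic: the last two DNS labels, lower-cased.
    Enough for the example; real code should consult the public suffix list."""
    domain = address.rpartition("@")[2].strip().lower()
    return ".".join(domain.split(".")[-2:]) if domain else ""


def header_address(msg, name: str) -> tuple[str, str]:
    """(display name, addr-spec) for a single-address header, or ('', '') if absent."""
    value = msg.get(name)
    return parseaddr(str(value)) if value else ("", "")


def analyze(raw: bytes) -> list[str]:
    """Return one finding per suspicious header relationship, in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    from_name, from_addr = header_address(msg, "From")
    _, sender_addr = header_address(msg, "Sender")
    _, reply_addr = header_address(msg, "Reply-To")
    from_dom = registered_domain(from_addr)

    # The "via" check: the mailbox that submitted the message lives in a
    # different domain than the one shown in From.
    sender_dom = registered_domain(sender_addr)
    if sender_dom and sender_dom != from_dom:
        findings.append(f"sent via {sender_dom}, not {from_dom}")

    # The Reply-To check quoted in the article: replies leave for another domain.
    reply_dom = registered_domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom}, not {from_dom}")

    # Brand impersonation: a watched brand in the display name while the From
    # domain is not one the brand is (here: assumed to be) known to use.
    name = from_name.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name and from_dom not in allowed:
            findings.append(f"display name claims {brand!r} but From domain is {from_dom}")

    # The "what": list attachments so the reader asks why they are there.
    for part in msg.iter_attachments():
        findings.append(f"attachment: {part.get_filename()}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL):
        print("!", line)
```

A message whose `From`, `Sender` and `Reply-To` all share one registered domain, and whose display name does not borrow a watched brand, produces no findings. The domain comparison is deliberately simple; in a mail gateway the same checks would normally be combined with the SPF and DKIM results, which are what a webmail client's "via" label is actually derived from.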