Seven new assaults on data privacy

The last time we shared a roundup of data trackers, we mentioned an emerging market for monetizing your activity on mobile devices. Something called Telecom Data as a Service, in which service providers collect and sell customer data to third parties, including advertisers. This data “is seen as potentially more valuable than some other consumer data because it directly connects mobile phone interactions to individuals through actual billing information.”

Over the past few years there have been developments involving a similar category of data collection taking place at one of the largest Internet service providers (ISP) in the U.S., AT&T. And if you are someone concerned about protecting your data privacy, you’ll be glad to learn that this story has a happy ending.

In late 2013, AT&T announced the rollout of its “U-Verse with GigaPower” high-speed Internet service, with an important footnote added to the bottom of the announcement: 

“…AT&T may use Web browsing information, like the search terms entered and the Web pages visited, to provide customers with relevant offers and ads tailored to their interests.”

Basically, this type of user data could be converted into an advertising revenue stream. To be clear, the company stated that it did not intend to sell the data to third parties, only create tailored ads based on a customer’s Internet use. But unlike a social media service, for instance, that tracks a user’s activity within its service in order to customize ads, an ISP like AT&T can track the entirety of a user’s Internet activity.  

There was an option to opt out of AT&T’s data collection scheme: buy a higher-priced data plan. Back then, AT&T charged “at least another $29 a month ($99 total) to provide standalone Internet service that doesn’t perform this extra scanning of your Web traffic.”  

But then something unexpected happened. AT&T announced that it would end its GigaPower data tracking program. The company attributed the change to new privacy rules being written at the Federal Communications Commission, the Federal agency that regulates ISPs. It was an important development for anyone interested in asserting their right to cyber privacy. 

Protecting your personal data is an ongoing effort that starts with awareness. So with that in mind, here are seven recent developments that you may have missed about privacy and security in popular apps and services:

1. Evernote attempted to update its privacy policies to make it clear that its employees could read your notes, without the option to opt out. But users protested and the company reversed the changes: ‘We announced a change to our privacy policy that made it seem like we didn’t care about the privacy of our customers or their notes. This was not our intent, and our customers let us know that we messed up, in no uncertain terms. We heard them, and we’re taking immediate action to fix it.’ 

2. A Canadian consumer data privacy advocacy group found that many popular fitness tracking devices transmit your data in ways that make the devices vulnerable to interception or tampering. And the devices can potentially be used to track your movements and profile you: “We discovered severe security vulnerabilities, incredibly sensitive geolocation transmissions that serve no apparent benefit to the end user, and that were not available to users for access and correction, and unclear policies leaving the door open for the sale of users’ fitness data to third parties without express consent of the users.”

3. A study published in the Journal of American Medicine looked at a large collection of diabetes apps on Android and concluded: “Most of the 211 apps (81%) did not have privacy policies. Of the 41 apps (19%) with privacy policies, not all of the provisions actually protected privacy (e.g., 80.5% collected user data and 48.8% shared data). Only 4 policies said they would ask users for permission to share data… Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case.”

4. If you’re worried about protecting your activity on Facebook, it’s worth recalling that the social network makes it easy for its advertisers and partners to track you freely: “Most people forget that when they download an app or sign into a website with Facebook, they are giving those companies a look into their Facebook profile. Your profile can often include your email address and phone number as well as your work history and current location.”

5. A data security company found that 1.3 million Android phones have been hacked: “Once again, hackers are showing why you should never, ever download apps outside official app stores. Hackers have gained access to more than 1.3 million Google accounts — emails, photos, documents and more — by infecting Android phones through illegitimate apps.”

6. Meitu, a popular photo-editing app that requires a long list of permissions, has other potential security vulnerabilities: “[Security experts] found numerous serious privacy flaws and avenues for potential leaks of personal data. One eagle-eyed researcher found the Android version of the app asked users for dozens of intrusive permissions, and sends the data to multiple servers in China—including a user’s calendar, contacts, SMS messages, external storage, and IMEI number.”

7. WhatsApp was in the news after a disputed report about a security vulnerability; what emerged from the discussion was awareness that the app’s privacy policies are not clearly defined: “One of the biggest concerns around WhatsApp from a privacy perspective is its opacity, as frequently noted in the Electronic Frontier Foundation’s assessments of which tech providers ‘have your back.’ Whilst [WhatsApp] owner Facebook does have a transparency report, released twice a year, it doesn’t drill down into how many data requests relate to WhatsApp, let alone what kinds of information it can hand over.”

Digital trackers can be unnerving when every day seems to bring headlines of some massive data security hack or another company accused of misusing customer data. The first line of defense is keeping informed.