Why Do Android Flashlight Apps Need Dozens of Permissions?


This site may earn affiliate commissions from the links on this page. Terms of use.

No one should be downloading a flashlight app in the Year of Our Lord 2019 — that’s why both Google and Apple have integrated the ability into their devices as part of the base operating system. Avast security researcher Luis Corrons decided to evaluate the security of flashlight apps after the wave of concern around the Russian-owned Faceapp software. According to his work, there are still 937 flashlight applications on Google Play, despite the fact that Flashlight capabilities are baked into the Android OS. Many of these applications request far more permissions from end users than they ever need to function.

Instead of being limited to the functions you’d expect a flashlight to need (access to the LED flash itself, downloading ads from the internet, and lock-screen access so the flashlight can be turned on or off without unlocking the device), many of these apps request far more. The average number of permissions requested per app is 25. 408 applications request 10 permissions or fewer, but 262 of them require 50 permissions or more. The table below shows the worst offenders:

Now, just because an application is requesting a lot of permissions doesn’t necessarily mean it is requesting them for nefarious purposes. But when Corrons dug deeper, the issues kept getting worse. A massive number of applications request permission to kill background processes, access your fine-grained location data, control Bluetooth connections, record audio, download data without notification, and write to your contacts list. A few even process incoming calls.
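As an added example (not part of the article or Avast’s study), the kind of check a reviewer would run over an app’s manifest: pull every `<uses-permission>` entry from an AndroidManifest.xml, compare it against a minimal set a torch app plausibly needs, and flag the capabilities the article singles out. The baseline set, the high-risk mapping and the sample manifest are the editor’s assumptions and constructed input, not data from the study.

```python
"""Audit <uses-permission> entries in an AndroidManifest.xml against what a
flashlight app plausibly needs (added example; baselines are assumptions)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed minimal set for a torch app: LED/flash control, ad download,
# and toggling from the lock screen (the functions the article names).
FLASHLIGHT_BASELINE = frozenset({
    "android.permission.FLASHLIGHT",
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.DISABLE_KEYGUARD",
    "android.permission.WAKE_LOCK",
})

# Capabilities the article calls out as hard to justify, mapped to the
# Android permission strings that grant them (editor's mapping).
HIGH_RISK = {
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill background processes",
    "android.permission.ACCESS_FINE_LOCATION": "fine-grained location",
    "android.permission.BLUETOOTH": "Bluetooth control",
    "android.permission.BLUETOOTH_ADMIN": "Bluetooth control",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent downloads",
    "android.permission.WRITE_CONTACTS": "write to contacts",
    "android.permission.READ_PHONE_STATE": "incoming call handling",
    "android.permission.ANSWER_PHONE_CALLS": "incoming call handling",
}

AVERAGE_REPORTED = 25  # average per app in the figures quoted above


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every permission request, in document
    order and deduplicated. Covers both <uses-permission> and
    <uses-permission-sdk-23> (permissions requested only on API 23+)."""
    root = ET.fromstring(manifest_xml)
    seen: dict[str, None] = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                seen[name] = None
    return list(seen)


def audit_flashlight(perms: list[str]) -> dict:
    """Classify requested permissions the way a reviewer would ask about
    them: total count, entries beyond the baseline, and high-risk hits."""
    excess = sorted(p for p in perms if p not in FLASHLIGHT_BASELINE)
    risky = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    return {
        "total": len(perms),
        "above_reported_average": len(perms) > AVERAGE_REPORTED,
        "excess": excess,
        "high_risk": risky,
        "verdict": "suspicious" if risky or len(excess) > 3 else "plausible",
    }


# Constructed sample manifest (not from any real app) showing the pattern
# the article describes: flashlight basics plus unrelated permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_flashlight(extract_permissions(SAMPLE_MANIFEST))
    print(f"{report['total']} permissions, verdict: {report['verdict']}")
    for perm, why in report["high_risk"].items():
        print(f"  high risk: {perm} ({why})")
```

To audit a real APK, extract its binary manifest with `aapt dump xmltree` or a tool such as apktool and feed the decoded XML to `extract_permissions`.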

As Corrons discusses, the reason these apps have such ludicrous permissions isn’t because they’re actually trying to hook you up with Nigerian princes with large fortunes to dispose of. It’s undoubtedly so they can gather data and then sell it to other firms as part of their efforts to endlessly monetize all of human existence. He steps through how some of these apps are developed by studios with multiple multi-million downloads on the app store. All of the apps require the same invasive permissions, and they’re almost certainly funneling data to the same invisible group of partners.

Google, of course, could stop this kind of garbage in its tracks by forcing app developers to request only permissions they can plausibly prove they need, and by tightening the approval process to make this kind of rampant data collection a violation of its own terms of service. Google doesn’t, because that would alert people to how much of their own daily device usage is uploaded to third-party corporations in the first place. The companies that take advantage of loose permission requirements aren’t exploiting a loophole; they’re using the system in the manner in which it’s intended to operate. Corrons notes that it’s extremely important for users to be aware of what kind of permissions their applications request. This is true, but it also puts the onus of fixing the problem solely on the end user.

Google has allowed its app store to be abused by people who are running massive data harvesting regimes — and it’s on Google to fix that problem, not end-users. Nobody should be downloading a flashlight app on a modern device. But Google shouldn’t be allowing applications to request permissions that they have no business requesting, either.






Brexit means clear your cookies for democracy – gpgmail


Brexit looks set to further sink the already battered reputation of tracking cookies after a Buzzfeed report yesterday revealed what appears to be a plan by the UK’s minority government to use official government websites to harvest personal data on UK citizens for targeting purposes.

According to leaked government documents obtained by the news site, the prime minister has instructed government departments to share website usage data that’s collected via gov.uk websites with ministers on a cabinet committee tasked with preparing for a ‘no deal’ Brexit.

It’s not clear how linking up citizens’ use of essential government portals could further ‘no deal’ prep.

Rather the suspicion is it’s a massive, consent-less voter data grab by party political forces preparing for an inevitable general election in which the current Tory PM plans to campaign on a pro-Brexit message.

The instruction to pool gov.uk usage data as a “top priority” is also being justified internally in instructions to civil servants as necessary to accelerate plans for a digital revolution in public services — an odd ASAP to be claiming at a time of national, Brexit-induced crisis when there are plenty more pressing priorities (given the October 31 EU exit date looming).

A government spokesperson nonetheless told Buzzfeed the data is being collected to improve service delivery. They also claimed it’s “anonymized” data.

“Individual government departments currently collect anonymised user data when people use gov.uk. The Government Digital Service is working on a project to bring this anonymous data together to make sure people can access all the services they need as easily as possible,” the spokesperson said, further claiming: “No personal data is collected at any point during the process, and all activity is fully compliant with our legal and ethical obligations.”

However, privacy experts quickly pointed out the nonsense of trying to pretend that joined-up user data tied to a shared identifier is in any way anonymous.


For those struggling to keep up with the blistering pace of UK political developments engendered by Brexit, this is a government led by a new (and unelected) prime minister, Boris ‘Brexit: Do or Die’ Johnson, and his special advisor, digital guru Dominic Cummings, of election law-breaking Vote Leave campaign fame.

Back in 2015 and 2016, Cummings, then the director of the official Vote Leave campaign, masterminded a plan to win the EU referendum by using social media data to profile voters — blitzing them with millions of targeted ads in final days of the Brexit campaign.

Vote Leave was later found to have channelled money to Cambridge Analytica-linked Canadian data firm Aggregate IQ to target pro-Brexit ads via Facebook’s platform. Many of which were subsequently revealed to have used blatantly xenophobic messaging to push racist anti-EU messaging when Facebook finally handed over the ad data.

Setting aside the use of xenophobic dark ads to whip up racist sentiment to sell Brexit to voters, and ongoing questions about exactly how Vote Leave acquired data on UK voters for targeting them with political ads (including ethical questions about the use of a football quiz touting a £50M prize run on social media as a mass voter data-harvesting exercise), last year the UK’s Electoral Commission found Vote Leave had breached campaign spending limits through undeclared joint working with another pro-Brexit campaign — via which almost half a million pounds was illegally channeled into Facebook ads.

The Vote Leave campaign was fined £61k by the Electoral Commission, and referred to the police. (An investigation is possibly ongoing.)

Cummings, the ‘huge brain’ behind Vote Leave’s digital strategy, did not suffer a dent in his career as a consequence of all this — on the contrary, he was appointed by Johnson as senior advisor this summer, after Johnson won the Conservative leader contest and so became the third UK PM since the 2016 vote for Brexit.

With Cummings at his side, it’s been full steam ahead for Johnson on social media ads and data grabs, as we reported last month — paving the way for a hoped-for general election campaign, fuelled by ‘no holds barred’ data science. Democratic ethics? Not in this digitally disruptive administration!

The Johnson-Cummings pact ignores entirely the loud misgivings sounded by the UK’s information commissioner — which a year ago warned that political microtargeting risks undermining trust in democracy. The ICO called then for an ethical pause. Instead Johnson stuck up a proverbial finger by installing Cummings in No.10.

The UK’s Digital, Culture, Media and Sport parliamentary committee, which tried and failed to get Cummings to testify before it last year as part of a wide-ranging enquiry into online disinformation (a snub for which Cummings was later found in contempt of parliament), also urged the government to update election law as a priority last summer — saying it was essential to act to defend democracy against data-fuelled misinformation and disinformation. A call that was met with cold water.

This means the same old laws that failed to prevent ethically dubious voter data-harvesting during the EU referendum campaign, and failed to prevent social media ad platforms and online payment platforms (hi, Paypal!) from being the conduit for illegal foreign donations into UK campaigns, are now apparently incapable of responding to another voter data heist trick, this time cooked up at the heart of government on the umbrella pretext of ‘preparing for Brexit’.

The repurposing of government departments under Johnson-Cummings for pro-Brexit propaganda messaging also looks decidedly whiffy…

Asked about the legality of the data pooling gov.uk plan as reported by Buzzfeed, an ICO spokesperson told us: “People should be able to make informed choices about the way their data is used. That’s why organisations have to ensure that they process personal information fairly, legally and transparently. When that doesn’t happen, the ICO can take action.”

Can — but hasn’t yet.

It’s also not clear what action the ICO could end up taking to purge UK voter data that’s already been (or is in the process of being) sucked out of the Internet to be repurposed for party political purposes — including, judging by the Vote Leave playbook, for microtargeted ads that promote a no holds barred ‘no deal’ Brexit agenda.

One thing is clear: Any action would need to be swiftly enacted and robustly enforced if it were to have a meaningful chance of defending democracy from ethics-free data-targeting.

Sadly, the ICO has yet to show an appetite for swift and robust action where political parties are concerned.

Likely because a report it put out last fall essentially called out all UK political parties for misusing people’s data. It followed up saying it would audit the political parties starting early this year — but has yet to publish its findings.

Concerned opposition MPs are left tweeting into the regulatory abyss — decrying the ‘coup’ and forlornly pressing for action… Though if the political boot were on the other foot it might well be a different story.

Among the cookies used on gov.uk sites are Google Analytics cookies, which store information on how visitors got to the site, the pages visited and length of time spent on them, and items clicked on. That could certainly enable rich profiles to be attached to single visitor IDs.

Visitors to gov.uk properties can switch off Google Analytics measurement cookies, as well as denying gov.uk communications and marketing cookies, and cookies that store preferences — with only “strictly necessary” cookies (which remember form progress and serve notifications) lacking a user toggle.

What should concerned UK citizens do to defend democracy against the data science folks we’re told are being thrown at the Johnson-Cummings GDS data pooling project? Practice good privacy hygiene.

Clear your cookies. Indeed, switch off gov.uk cookies. Deny access wherever and whenever possible.

It’s probably also a good idea to use a fresh browser session each time you need to visit a government website and close the session (with cookies set to clear) immediately you’re done.

When the laws have so spectacularly failed to keep up with the data processors, limiting how your information is gathered online is the only way to be sure. Though as we’ve written before it’s not easy.

Privacy is personal and unfortunately, with the laws lagging, the personal is now trivially cheap and easy to weaponize for political dark arts that treat democracy as a game of PR, debasing the entire system in the process.





Web feature developers told to dial up attention on privacy and security – gpgmail


Web feature developers are being warned to step up attention to privacy and security as they design contributions.

Writing in a blog post about “evolving threats” to Internet users’ privacy and security, the W3C standards body’s technical architecture group (TAG) and Privacy Interest Group (PING) set out a series of revisions to the W3C’s Security and Privacy Questionnaire for web feature developers.

The questionnaire itself is not new. But the latest updates place greater emphasis on the need for contributors to assess and mitigate privacy impacts, with developers warned that “features may not be implemented if risks are found impossible or unsatisfactorily mitigated”.

In the blog post, independent researcher Lukasz Olejnik, currently serving as an invited expert at the W3C TAG; and Apple’s Jason Novak, representing the PING, write that the intent with the update is to make it “clear that feature developers should consider security and privacy early in the feature’s lifecycle” [emphasis theirs].

“The TAG will be carefully considering the security and privacy of a feature in their design reviews,” they further warn, adding: “A security and privacy considerations section of a specification is more than answers to the questionnaire.”

The revisions to the questionnaire include updates to the threat model and specific threats a specification author should consider — including a new high-level type of threat dubbed “legitimate misuse”, where the document stipulates that: “When designing a specification with security and privacy in mind, all both use and misuse cases should be in scope.”

“Including this threat into the Security and Privacy Questionnaire is meant to highlight that just because a feature is possible does not mean that the feature should necessarily be developed, particularly if the benefitting audience is outnumbered by the adversely impacted audience, especially in the long term,” they write. “As a result, one mitigation for the privacy impact of a feature is for a user agent to drop the feature (or not implement it).”

“Features should be secure and private by default and issues mitigated in their design,” they further emphasize. “User agents should not be afraid of undermining their users’ privacy by implementing new web standards or need to resort to breaking specifications in implementation to preserve user privacy.”

The pair also urge specification authors to avoid blanket treatment of first and third parties, suggesting: “Specification authors may want to consider first and third parties separately in their feature to protect user security and privacy.”

The revisions to the questionnaire come at a time when browser makers are dialling up their response to privacy threats — encouraged by rising public awareness of the risks posed by data leaks, as well as increased regulatory action on data protection.

Last month the open source WebKit browser engine (which underpins Apple’s Safari browser) announced a new tracking prevention policy that takes the strictest line yet on background and cross-site tracking, saying it would treat attempts to circumvent the policy as akin to hacking — essentially putting privacy protection on a par with security.

Earlier this month Mozilla also pushed out an update to its Firefox browser that enables an anti-tracking cookie feature across the board, for existing users too — demoting third party cookies to default junk.

Even Google’s Chrome browser has made some tentative steps towards enhancing privacy — announcing changes to how it handles cookies earlier this year. Though the adtech giant has studiously avoided flipping on privacy by default in Chrome where third party tracking cookies are concerned, leading to accusations that the move is mostly privacy-washing.

More recently Google announced a long term plan to involve its Chromium browser engine in developing a new open standard for privacy — sparking concerns it’s trying to both kick the can on privacy protection and muddy the waters by shaping and pushing self-interested definitions which align with its core data-mining business interests.

There’s more activity to consider too. Earlier this year another data-mining adtech giant, Facebook, made its first major API contribution to Google’s Chrome browser — which it also brought to the W3C Performance Working Group.

Facebook does not have its own browser, of course. Which means that authoring contributions to web technologies offers the company an alternative conduit to try to influence Internet architecture in its favor.

The W3C TAG’s latest move to focus minds on privacy and security by default is timely.

It chimes with a wider industry shift towards proactively defending user data, and should rule out any rubber-stamping of tech giants’ contributions to Internet architecture, which is obviously a good thing. Scrutiny remains the best defence against self-interest.





America’s largest companies push for federal online privacy laws to circumvent state regulatory efforts – gpgmail


As California moves ahead with what would be the most restrictive online privacy laws in the nation, the chief executives of some of the nation’s largest companies are taking their case to the nation’s capital to plead for federal regulation.

Chief executives at Amazon, AT&T, Dell, Ford, IBM, Qualcomm, Walmart, and other leading financial services, manufacturing, and technology companies have issued an open letter to Congressional leadership pleading with them to take action on online privacy, through the pro-industry organization, The Business Roundtable.

“Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws. Further, as the regulatory landscape becomes increasingly fragmented and more complex, U.S. innovation and global competitiveness in the digital economy are threatened,” the letter says.

The subtext to this call to action is the California privacy regulations that are set to take effect by the end of this year.

As we noted when the bill was passed last year there are a few key components of the California legislation including the following requirements:

  • Businesses must disclose what information they collect, what business purpose they do so for and any third parties they share that data with.

  • Businesses would be required to comply with official consumer requests to delete that data.

  • Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.

  • Businesses can, however, offer “financial incentives” for being allowed to collect data.

  • California authorities are empowered to fine companies for violations.

There’s a reason why companies would push for federal regulation to supersede any initiatives from the states. It is more of a challenge for companies to adhere to a patchwork of different regulatory regimes at the state level. But it’s also true that companies, following the lead of automakers in California, could just adhere to the most stringent requirements which would clarify any confusion.

Indeed many of these companies are already complying with strict privacy regulations thanks to the passage of the GDPR in Europe.



Mozilla launches a VPN, brings back the Firefox Test Pilot program – gpgmail


Mozilla today announced that it is bringing back the Firefox Test Pilot program to allow users to try out new features before they are ready for mainstream usage. While the name is familiar, though, the overall goals of the new program are a bit different from the last iteration and the focus is less on crazy experiments and more on beta testing products that are almost ready for public consumption.

The first new project in the Test Pilot program is the beta of the Firefox Private Network VPN service, which is now available in the U.S. for Firefox desktop users.

The Firefox Test Pilot program has gone through its share of iterations. First launched three years ago, it quickly became the incubation ground for a number of new features. In January of this year, though, the organization decided to shut it down.

Why bring it back now? Clearly, Mozilla was getting valuable feedback from the Test Pilot users, who were surely among the most dedicated Firefox fans.

The organization says that it wanted to take time to evolve the program and this new version is indeed somewhat different. “The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and we will be far more polished, and just one step shy of general public release,” the team explains.

The new Test Pilot program then is less about giving users the opportunity to test some of the Firefox team’s more eccentric ideas and more like a traditional public beta test program.

The new VPN project, the team writes, is a good example of this approach. It’s a Test Pilot project because the team wants to fine-tune it a bit more before its public release.

The Firefox Private Network isn’t so much about trying to circumvent geo-restrictions and instead mostly focuses on giving users access to a private network when they are on public WiFi and helping them hide their locations from website and ad trackers (and indeed, a lot of the new Test Pilot projects will focus on privacy). That’s probably why Mozilla doesn’t refer to it as a VPN either, though that’s obviously what it is.

“One of the key learnings from recent events is that there is growing demand for privacy features,” Mozilla’s Marissa Wood writes today. “The Firefox Private Network is an extension which provides a secure, encrypted path to the web to protect your connection and your personal information anywhere and everywhere you use your Firefox browser.”

Mozilla is partnering with Cloudflare for this launch, and Cloudflare is providing the proxy server for it. It’s available as a Firefox extension, but only in the U.S. and for Firefox desktop users. For now, it’s available for free, though there have been some hints that Mozilla will at some point start charging for the service. Since it’s not a full VPN service, it remains to be seen how much the organization will be able to charge for it. Last year, Mozilla partnered with ProtonVPN and offered that service for $10 per month.

It’s worth noting that Opera, too, includes a free built-in VPN service, which includes the ability to set your location to either the Americas, Europe or Asia.

If you want to give the new service a try, you only need a Firefox account; sign up here.





Telegram fixes bug that failed to delete ‘unsent’ photos and videos – gpgmail


Mobile messaging app Telegram has fixed a bug allowing users to recover photos and videos “unsent” by other people.

Telegram, which has more than 100 million users, has an ephemeral messaging feature that allows users to “unsend” sent messages from other people’s inboxes, such as when a message is sent by mistake.

But one security researcher, Dhiraj Mishra, who found the privacy issue and shared his findings exclusively with gpgmail, said that although Telegram was removing the messages from a user’s device, any sent photos or videos would still be stored on the user’s phone.

The researcher found other messaging apps, like WhatsApp, had the same ephemeral “unsend” feature, but when tested, deleted both message and content.

Mishra said the Android version of Telegram would permanently store photos and videos in the device’s internal storage.

“This works perfectly in groups as well,” he told gpgmail. “If you have a Telegram group of 100,000 members and you send a media message by mistake and you delete it, it only gets deleted from the chat but will remain in media storage of all 100,000 members,” he said.

It’s not known if Telegram users have been affected by the privacy issue. But recently we reported several cases of visa holders who have been denied entry to the U.S. for content on their phones sent by other people.

After gpgmail reached out, Telegram fixed the vulnerability. Mishra received €2,500 from the bug bounty for discovering and disclosing the vulnerability.

A spokesperson for Telegram confirmed the bug fix had rolled out on September 5.



Ring Provided a Map of Its Customers to Police



Ring was one of the first companies to make video doorbells and has since expanded to other home security products. As part of its aggressive strategy after the Amazon acquisition, Ring has partnered with hundreds of police departments across the US. This program has proven controversial, and it becomes more so with each new report. According to a new leak, Ring’s pitch to police sometimes includes a map of active Ring customers, something it previously said it would not do. 

Ring’s current strategy seems to be signing up as many law enforcement organizations as possible as partners. The agreements signed with police call for departments to promote Ring products, in some cases creating new positions specifically to coordinate with the company and residents. By getting residents to sign up for the Ring Neighbors app, police earn credit toward free cameras they can distribute to the community. The benefit to police is access to the Ring Neighbors portal. There, police can request access to video clips from doorbells around their jurisdiction.

Ring has long maintained that it protects the privacy of users in the Neighbors portal. The newly leaked emails and documents certainly call that into question. The emails relate to Ring’s deal with Georgia’s Gwinnett County Police Department. A Ring representative shared two maps with the police, both showing active Ring camera locations inside Gwinnett County. One map was zoomed out, showing just an unresolved blob of red dots, but the other was more zoomed in, showing more accurately where the cameras were. 

The maps of active Ring cameras provided by Ring to Gwinnett County Police.

In the months after the maps went out, Ring and Gwinnett County went back and forth to hammer out the deal. Ring eventually provided about $15,000 worth of cameras to get police started. Like other leaked “Memorandums of Understanding,” the agreement with Gwinnett County required the police to spend time promoting Ring’s products and services. In some cases, police even provide Ring with access to 911 call data in order to post updates in the Neighbors app. The company believes this helps encourage users to engage with police and provide video footage when asked. 

On some level, it’s not outlandish to help people voluntarily provide video footage to police. Police have long done the same thing simply by canvassing areas around crime scenes for security cameras. The issue cited by privacy advocates is how easy Ring makes it for police to request mountains of data they may not need. Ring itself also has a sordid history. It’s been less than a year since Ring came under fire for giving employees full access to customer video. It’s hard to trust Ring to run a surveillance operation with police in an ethical way with no oversight.






DMVs Are Selling Data to Private Investigators, Marketing Firms



A new report shows that the DMVs (Department of Motor Vehicles) in many states are taking full advantage of the modern information economy, and they’re making bank doing it. The data we’re required to hand over by law in order to qualify for a driver’s license is being used for very different purposes than you likely intend. Specifically, it’s being sold to private investigators.

That’s the result of a major Motherboard investigation into how DMVs are using the personal data of the citizens they supposedly serve. Like a lot of companies these days, DMVs sell data. Insurance companies buy some of the data, but much of it is being sold to other sources, like private investigators. Such data is apparently popular for surveilling cheating spouses, and the same private investigators that advertise such services are apparently major purchasers.

[Figure: DMV data sales. Data and graph by Vice]

Multiple DMVs stressed that they don’t sell social security numbers or photographs, as if this represents some kind of meaningful protection. Some contracts with these investigators are for bulk searches; some are targeted searches. The cost per search is as low as $0.01, and these contracts can run for months at a time.

“The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking,” Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. “For survivors, their safety may depend on their ability to keep this type of information private.”

All of this is perfectly legal, thanks to the Driver’s Privacy Protection Act, which was passed in 1994. While that law was specifically intended to increase the protections surrounding DMV databases, it included specific carve-outs for private investigators. Granted, the text of the law states that private investigators are only allowed to access these records for a “permitted” DPPA use, but apparently that’s not an issue.

The exact data sold varies from state to state, but it typically includes at least a name and address. Other data, including zip code, phone number, date of birth, and email address, is also included depending on the state. DMVs also sell data to credit reporting companies like Experian and LexisNexis. Delaware has arrangements with more than 300 entities; Wisconsin has more than 3,000.

Why are DMVs going down this road? Money. Delaware brought in $384,000 for itself between 2015 and 2019, while the Wisconsin DMV brought in $17M in 2018 alone, up from just $1.1M in 2015. In Florida, the DMV made an eye-popping $77M in 2017 alone. The contracts with various DMVs explicitly state that the purpose of these agreements is to generate revenue, and the states are aware that some of the information they sell to third parties is abused. Whether their controls for catching and locking abusers out of these systems are adequate is an entirely different question.

It is long past time for the United States to pass better privacy laws. There is absolutely no justification for the current free-for-all, and there is no standard for how data-sharing agreements should be overseen. Local investigations have found that Florida is selling data to marketing firms, not just private investigators, and some citizens have been hit with an onslaught of robocalls and spam as a result. Florida sells data to Acxiom, one of the largest data brokers in America. Acxiom is not a PI firm, just in case you were wondering. Citizens who have been slammed with robocalls, direct mail, and even door-to-door salesmen showing up at their homes as a result of this relentless data-selling have no recourse. There’s no one to complain to, there’s no way to get taken off the lists, and there’s no way to prevent their own data from being endlessly sold. Robocalls have become such an epidemic that people now actively avoid answering the phone unless they recognize the number of the person calling them.

People often ask questions like “Why should I care if someone sells my data?” without connecting the question to the fact that they get 15 robocalls a day. For most people that is an annoyance they can screen out; sexual assault and domestic violence survivors may not have that kind of option, because for them a leaked address is a safety risk. But privacy shouldn’t be a right that depends on whether someone is threatening to harm you physically. Privacy should be the default state, particularly when it concerns the government organizations virtually all of us are required to interface with.

If you ever drive in the United States, you must have a driver’s license. Just as with credit reporting agencies, none of us get any choice in the matter. The legal system allows states and the federal government to create effectively mandatory standards because it recognizes that doing so helps ensure the safety of everyone. But if the legal system is going to require that citizens submit data to the federal and/or state government for licensing and registration purposes, it ought to simultaneously require that said data is kept private and only accessed under strictly controlled conditions. The idea that people “opt in” to these practices simply by existing has been stretched past the breaking point. It’s time for a change.


Monster.com says a third-party exposed user data, but didn’t tell anyone – gpgmail


An exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online.

The server contained résumés and CVs for job applicants spanning between 2014 and 2017, many of which included private information like phone numbers and home addresses, but also email addresses and a person’s prior work experience.

Of the documents we reviewed, most belonged to users located in the United States.

It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017. Other files found on the exposed server included immigration documentation for work, which Monster does not collect.

A company statement attributed to Monster’s chief privacy officer Michael Jones said the server was owned by an unnamed recruitment partner, which it no longer works with. When pressed, the company declined to name the recruitment partner.

“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,” the company said, adding the exposed server was secured shortly after it was reported in August.

Although the data is no longer accessible directly from the exposed web server, hundreds of résumés and other documents can be found in results cached by search engines.

But Monster did not warn users of the exposure, and only admitted user data was exposed after a security researcher alerted gpgmail to the matter.

“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”

Under state data breach notification laws, companies are obliged to inform state attorneys general when large numbers of users in their states are affected. Although Monster says it is not duty bound to disclose the exposure to regulators, some companies proactively warn their users even when third parties are involved.

It’s not uncommon for companies to warn their users of a third-party breach. Earlier this year after hackers siphoned off millions of credit cards from the American Medical Collection Agency, a third-party payments processor, its customers — LabCorp and Quest Diagnostics — admitted to the security lapse.

Monster said that because the exposure happened on a customer system, Monster is “not in a position” to identify or confirm affected users.


Facebook’s lead EU regulator is asking questions about its latest security fail – gpgmail


Facebook’s lead data protection regulator in Europe has confirmed it’s put questions to the company about a major security breach that we reported on yesterday.

“The DPC became aware of this issue through the recent media coverage and we immediately made contact with Facebook and we have asked them a series of questions. We are awaiting Facebook’s responses to those questions,” a spokeswoman for the Irish Data Protection Commission told us.

We’ve reached out to Facebook for a response.

As we reported earlier, a security researcher discovered an unsecured database of hundreds of millions of phone numbers linked to Facebook accounts.

The exposed server contained more than 419 million records over several databases on Facebook users from multiple countries, including 18 million records of users in the U.K.

We were able to verify a number of records in the database — including UK Facebook users’ data.

The presence of Europeans’ data in the scraped stash makes the breach a clear matter of interest to the region’s data watchdogs.

Europe’s General Data Protection Regulation (GDPR) imposes stiff penalties for compliance failures such as security breaches — with fines that can scale as high as 4% of a company’s annual turnover.

Ireland’s DPC is Facebook’s lead data protection regulator in Europe under GDPR’s one-stop shop mechanism — meaning it leads on cross-border actions, though other concerned DPAs can contribute to cases and may also chip in views on any formal outcomes that result.

The UK’s data protection watchdog, the ICO, told us it is aware of the Facebook security incident.

“We are in contact with the Irish Data Protection Commission (DPC), as they are the lead supervisory authority for Facebook Ireland Limited. The ICO will continue to liaise with the IDPC to establish the details of the incident and to determine if UK residents have been affected,” an ICO spokeswoman also told us.

It’s not yet clear whether the Irish DPC will open a formal investigation of the incident.

It does already have a large number of open investigations on its desk into Facebook and Facebook-owned businesses since GDPR’s one-stop mechanism came into force — including one into a major token security breach last year, and many, many more.

In the latest breach instance, it’s not clear exactly when Facebook users’ phone numbers were scraped from the platform.

In a response yesterday Facebook said the data-set is “old”, adding that it “appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers”.

If that’s correct, the data breach is likely to pre-date April 2018 — which was when Facebook announced it was making changes to its account search and recovery feature, after finding it had been abused by what it dubbed “malicious actors”.

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Facebook said at the time.

It would also therefore pre-date GDPR coming into force, in May 2018, so would likely fall under earlier EU data protection laws — which carry less stringent penalties.
