Privacy Weekly Episode 5

Welcome To Episode Five

This is episode five of my weekly privacy newsletter. Headlines from this episode:

  • Department Of Homeland Security To Have Biometric Data Of 260 Million Individuals By 2022
  • Ring Doorbells Had Vulnerability Which Potentially Exposed Wi-Fi Credentials
  • Facebook Shared Personal Data With Tinder And Other Dating Apps Pre Cambridge Analytica Scandal
  • Congress Is Asking FCC Why They Have Yet To Report On US Carriers Selling Location Data Of Its Customers
  • Judge Approves Police Search Of DNA Database
  • UK Metropolitan Police May Have Used Facial Recognition Technology Unlawfully

Please subscribe if you like this episode!


Department Of Homeland Security To Have Biometric Data Of 260 Million Individuals By 2022

According to Quartz, the US Department of Homeland Security (DHS) will have biometric data (fingerprints, iris scans and facial features, and soon more) of 260 million individuals by 2022, making it the second-largest biometric database worldwide after India's.

Anyone who has travelled to and from the United States will be familiar with having to provide fingerprints and facial photos. In fact, according to DHS, if you don't want to provide biometric data, you have to refrain from travelling internationally.

Why should it concern you?

  • DHS could perform advanced analysis of individuals in conjunction with other data sources. It's unclear what this consists of, what (self-imposed) limits they have and how this will develop in future.
  • Securing data from hackers is tough; it wouldn't be surprising if biometric data from DHS were subject to a breach.
  • DHS shares the biometric data with other agencies and private companies, which further exposes the data.

Links: Quartz, EFF


Ring Doorbells Had Vulnerability Which Potentially Exposed Wi-Fi Credentials

Last week I wrote about how Ring doorbell photos were published to show trick-or-treaters during Halloween. This week it turns out that Ring doorbells had a vulnerability that potentially exposed the Wi-Fi credentials of their owners. This could have allowed attackers to gain access to an owner's Wi-Fi network, which in turn could lead to other security issues for the owner.

The vulnerability was found by the cyber security company BitDefender. It was reported in June and fixed by Ring in September. A similar vulnerability was found in 2016.

What is Ring: Ring provides various surveillance products that monitor and film the outside (or even the inside) of people's homes. Pictures and films are often shared within a community and with law enforcement. The company is owned by Amazon.

The big picture:

  • More and more people are getting connected devices, from doorbells that film activity around a house, to sensors, to AI assistants that listen in on your conversations. These systems may have security weaknesses that could potentially expose data to attackers. Not only that, but the manufacturers potentially also have access to this data.
  • Ring has had similar issues in the past.
  • Ring products impact the privacy of individuals around houses, and these individuals are likely unaware of this activity.

Links: CNet, BitDefender, Ring

Facebook Shared Personal Data With Tinder And Other Dating Apps Pre Cambridge Analytica Scandal

According to Mashable, which bases its claims on leaked internal documents, Facebook shared personal data with dating apps including Tinder. This was before the Cambridge Analytica scandal.

Why it matters: Facebook has been under scrutiny about their use and sharing of personal data since the Cambridge Analytica scandal. This further highlights the practices of the company (from before the scandal).

Links: Mashable, NBC News


Congress Is Asking FCC Why They Have Yet To Report On US Carriers Selling Location Data Of Its Customers

In May 2018 it was revealed that major US carriers were selling (real-time) customer/user location data. Not only that, but they were doing so with little to no oversight or checks and balances.

Even though these companies have promised to stop the practice, it seems to still be going on.

Now, Congress is asking the FCC why they still haven't produced a report on the situation.

Why it matters: As a paying customer of a major carrier, you would expect that your location data is kept private. It seems that's not the case and the FCC isn't in a hurry to understand why. This also shows the US may be lacking powers to stop breaches of privacy by large telco companies.

Links: The Register


Judge Approves Police Search Of DNA Database

A judge in Florida has approved a search warrant to analyse a DNA database. The DNA database, from GEDmatch, is populated with DNA provided by consumers (end users).

Users can indicate whether their DNA can be used in police searches. However, the judge said all data should be included in the search, regardless of opt outs from users.

What are DNA databases: There are companies that develop DNA profiles for a fee for anyone who is interested. These DNA profiles are stored by these companies. The company in scope of the warrant does not develop DNA profiles itself; rather, its database is populated by users who upload their DNA in order to look for (unknown) family members.

Why it matters:

  • The judge disregarded whether users opted out of police searches, in breach of user consent.
  • The search (warrant) was a broad one involving all of the DNA records, impacting a million people directly and millions indirectly (see next point).
  • The impact of DNA data is not limited to a single person (e.g. the person uploading their own data); it also affects family members who have similar DNA.

Links: Huffington Post


UK Metropolitan Police May Have Used Facial Recognition Technology Unlawfully

Police in London have been using (live) facial recognition technology. Now, the Information Commissioner's Office (ICO, which is the UK's Data Protection Authority) has said that they may have done so unlawfully. That's because in the UK this technology should only be used if strictly necessary and it must have a legal basis (as determined by data privacy laws).

Why it matters: Use of facial recognition technology by law enforcement is spreading fast. Setting up ground rules for its use is crucial if we are to protect privacy.

Links: The Independent, ICO