Privacy Weekly Episode 9

Welcome To Episode Nine

🖖 Greetings and welcome to the Exciit.com Privacy Weekly - Episode #9.

📩 Please subscribe if you'd like regular updates in future. I'll only use your email address for the purposes of the newsletter.

In this episode:

  • iPhone 11 (Pro) Using Location Data Without User Permission
  • New 'Contract For The Web' By Tim Berners-Lee (Inventor Of The Web)
  • US Privacy Bills COPRA And CDPA - What Are They? How Do They Differ?
  • Other Interesting Stories And Links

iPhone 11 (Pro) Using Location Data Without User Permission

Krebs On Security reported that the iPhone 11 (Pro) uses location data even when the user turns off permission to use location data for all services and apps. This is in violation of Apple's own privacy policy. The issue was widely reported, including by The Verge, ZDNet and Forbes.

Apple responded to the finding, indicating that this happens because the phone's new 'ultra wideband technology', which gives the phone 'spatial awareness of other similar devices', requires location services. This is part of a standards requirement under which the technology must be switched off at certain locations (so the current location is needed to test whether the phone is in such an area, to comply with the regulation).

Even though Apple is doing this (using location services when disabled by the user) to comply with regulations related to the new technology, it should have been more transparent about this, and given the user more options to control the behaviour.

Zooming out: Apple prides itself on being a privacy-centric company (and generally does a good job). However, this incident goes against that and shows how difficult it can be to introduce the latest technology and still protect (and be transparent about) privacy.

Links: Krebs On Security, The Verge, ZDNet, Forbes, Tech Crunch


New 'Contract For The Web' By Tim Berners-Lee (Inventor Of The Web)

CPO Magazine published an interesting article on Tim Berners-Lee launching a new 'contract for the web'. It has been reported by other publications as well. And it has an official website.

The problem according to Berners-Lee: The internet and the web have become a place where corporations no longer respect privacy and can no longer provide affordable access, and where people seem less interested in civil discussions.

The solution according to Berners-Lee: To create a 'new contract for the web' that includes 9 core principles.

Current status: 150 organisations have signed up as supporters. It remains to be seen what the lasting impact will be.

The contract outlines 3 requirements that each of 3 key stakeholders should uphold.

Government (the first stakeholder):

  • Ensure everyone can connect to the Internet.
  • Keep all of the Internet available, all of the time.
  • Respect and protect people's fundamental online privacy and data rights.

Companies (the second stakeholder):

  • Make the internet affordable and accessible to everyone.
  • Respect and protect people’s privacy and personal data to build online trust.
  • Develop technologies that support the best in humanity and challenge the worst.

Citizens (the third stakeholder):

  • Be creators and collaborators on the Web.
  • Build strong communities that respect civil discourse and human dignity.
  • Fight for the Web.

Zooming out: The internet and web are changing from their early beginnings, with less emphasis on the web (due to apps, and differing closed source hardware), and more centralized monoliths and walled gardens (like Facebook and Google).

Do we want to keep the web open and free? How do we achieve that?

Links: CPO Magazine, The Verge, CNBC


US Privacy Bills COPRA And CDPA - What Are They? How Do They Differ?

The US doesn't have a comprehensive federal-level privacy law (one which encompasses the entire United States). That's why states are creating their own, like California with the CCPA (California Consumer Privacy Act).

Recently, senators have proposed two bills:

  • COPRA (from the Democrats): Consumer Online Privacy Rights Act
  • CDPA (from the Republicans): Consumer Data Privacy Act

The IAPP has an article and whitepaper about the subject. In it, the similarities and differences are discussed.

Similarities:

  • Clear and transparent privacy policies.
  • Reasonable data security practices.
  • Use of privacy officers and data security officers.
  • Conduct (annual) risk assessments.
  • Provide products or services, despite individuals exercising privacy rights.

Differences:

  • CDPA mostly prohibits stricter state laws.
  • COPRA has a private right of action, which means individuals can litigate if rights have been breached.
  • COPRA recognizes harmful data practices.
  • COPRA places the burden of request verification on companies/organizations.
  • COPRA has protection of civil rights.
  • COPRA requires impact assessments on algorithmic decision making.
  • COPRA has responsibilities for executives.
  • CDPA has approved certification programs.
  • CDPA has data broker registrations.
  • COPRA includes creating a new FTC bureau.

Links: IAPP


Other Interesting Stories And Links

The Guardian has an interesting opinion piece on how to protect your online privacy. The high level tips are: 1) Use Firefox as your main browser, 2) Use Firefox extensions, such as Privacy Badger or Ghostery.

Vice has three in-depth articles about Ring. Part 1, Part 2 and Part 3.