The Data Drop News for September 2, 2021
Updated: Aug 15
The Taliban reportedly have control of US biometric devices. UK to diverge from GDPR in post-Brexit overhaul of privacy rules. 38 million records exposed in big data whoopsie. BlueLeaks data dump traced back to 3rd party vendor. ‘Tractorload of vulnerabilities’ at John Deere. Facebook joins ID2020 after $5.5M fine for facial recognition violations. Judge rules that Clearview AI cannot use First Amendment defense. Minnesota cops shared pipeline protestor data with pipeline company. 40% of SaaS data access is unmanaged and publicly exposed. Plus, the latest in privacy-enhancing tech!
Pro tip: listen to The Data Drop at the gym, in the car, or anywhere and anytime you like by subscribing to our podcast.
The Taliban reportedly have control of US biometric devices
In the wake of the Taliban’s rapid takeover of Afghanistan following the departure of US forces, reports indicate that the insurgents could have access to US-gathered biometric data that had been used to track Afghans, including people who worked for U.S. and coalition forces.
Many Afghans fear that the identity documents and databases storing personally identifiable data could be transformed into death warrants in the hands of the Taliban.
This potential data breach underscores that data protection in zones of conflict, especially biometric data and databases that connect online activity to physical locations, can be a matter of life and death.
UK to diverge from GDPR in post-Brexit overhaul of privacy rules
The UK has announced plans to change data protection and privacy laws in what the government describes as a new mandate that promotes innovation and economic growth.
Eliminating "cookie pop-ups" is one of the main goals of the UK's proposed new rules, as is implementing a new series of 'data adequacy partnerships' with other nations.
According to the government, these partnerships will remove the need for costly measures around international data compliance.
Of course, the UK’s new data transfer rules will also need to be deemed GDPR compliant, or else there's a risk of affecting data transfers between the UK and the EU.
38 million records exposed in big data whoopsie
A vulnerability in Microsoft's Azure cloud computing service left several thousand customers susceptible to cyberattacks.
The leak exposed some 38 million records on the open internet, including data from numerous Fortune 500 companies.
Personal data exposed includes data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases, with sensitive information including people’s phone numbers, home addresses, social security numbers, and Covid-19 vaccination status.
While the data exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.
BlueLeaks data dump traced back to 3rd party vendor
A massive data breach of law enforcement agencies from all over the United States has been traced back to a shared third-party vendor.
The data dump, which contains 269 GB of police files from both local agencies and the FBI, was tied to a breach at Houston-based web services company Netsential.
‘Tractorload of vulnerabilities’ at John Deere
Security researchers found multiple vulnerabilities in the systems of John Deere and Case New Holland, two of the world's largest agriculture tech companies, which could put consumers and even the global food supply chain at risk.
The vulnerabilities include the ability to, quote, “literally do whatever the heck we wanted with anything we wanted on the John Deere operation center, period.”
Facebook joins ID2020 after $5.5M fine for facial recognition violations
After a $5.5 million fine for violating facial recognition policies over 200,000 times in South Korea, Facebook has joined the ID2020 Alliance.
ID2020 is a non-profit organization that advocates for ethical, privacy-protecting approaches to digital ID.
Judge rules that Clearview AI cannot use First Amendment defense
An Illinois state court ruled in favor of the ACLU and other advocacy groups in their fight over the unauthorized collection of Illinois residents’ photos by facial recognition company Clearview AI.
Clearview had attempted to claim protection for their action under the free speech clause of the First Amendment, but Judge Pamela McLean Meyerson explained that they had no such ground to stand on.
Clearview had been harvesting photographs off the internet, cataloguing their facial geometry and making the information available to public and private purchasers in an online database - all without consent.
Minnesota cops shared pipeline protestor data with pipeline company
It’s been revealed that Minnesota police shared a list of people who attended an anti-pipeline organizing meeting with Enbridge, the Canadian oil company behind the controversial pipeline.
This comes as the state of Minnesota has so far distributed $2.3 million in Enbridge funds to public safety agencies, highlighting the close relationship between public law enforcement and private companies.
40% of SaaS data access is unmanaged and publicly exposed
A new report by data access software company DoControl reveals that up to 40% of SaaS data access is unmanaged, meaning that anyone holding a shared link, whether private or public, can expose the data to thousands of people.
On average, a 1,000-employee company stores between 500,000 and 10 million assets in SaaS applications, meaning companies with unmanaged data may be allowing up to 200,000 of these assets to be shared publicly.
10x increase in law enforcement requests for geolocation data
New data from Google shows that police forces have drastically increased their use of geofence warrants, a widely criticized technique that collects data from any user's device that was in a specified area within a certain time range.
Law enforcement has served geofence warrants to Google since 2016, but their usage has increased dramatically in the past three years - up to tenfold in some states.
A single geofence request could include data from hundreds of bystanders.
What is "browser fingerprinting"?
Just like every person has a unique fingerprint, every browser exposes a combination of attributes that together act as a unique online identifier.
Called browser fingerprinting, this identification is more invasive than cookie-based tracking, and can even bypass VPNs.
The exposed data includes information like the user’s device model, operating system, browser extensions, time zone, and all the granular tech specs of the device itself.
Generally, the information gathered is so unique that it can pinpoint a specific user from the huge expanse of internet users.
Click through to learn more about browser fingerprinting, and what steps you can take to protect yourself.
China passes new privacy law aimed at protecting users’ personal data
China has passed a new privacy law aimed at protecting users’ personal data.
The law calls for companies to get users’ consent before collecting personal data, and has rules for how companies should ensure users’ data is protected when it’s transferred outside of China.
In addition, companies will be required to have clear and reasonable purposes for handling user data, and must limit their data handling to the “minimum scope necessary to achieve these goals.”
The law takes effect on November 1st. No word yet on whether the Communist Party of China will have "NSA-like" access to citizen and organizational data, but it's probably a safe bet.
The latest in privacy-enhancing technology
AWS will start offering free USB security keys
Following a meeting between Amazon CEO Andy Jassy and US President Joe Biden on cybersecurity, the e-commerce giant has announced that it plans to hand out USB security keys to select AWS customers. USB security keys add a valuable, physical layer of security against phishing scams and other password-stealing efforts.
Google expands VPN service
Google One VPN, once restricted to Android users in the US, is now available to Android users in Canada, Mexico, France, Germany, Spain, Italy, and the UK.
While VPNs are a great way to protect your online anonymity, privacy experts warn that the Google One offering may not be the best choice.
The big issue? By using Google One VPN, you're actively feeding every piece of internet-bound data on your device to Google.
The Data Drop is a production of the Data Collaboration Alliance, a nonprofit advancing meaningful data ownership and inclusive innovation through open research and free skills training. To learn more about our partnerships, the Information Ownership Network, or the Data Collaboration University, please visit datacollaboration.org.