Google Tracks 39 Types of Personal Data, Apple Tracks 12

New research claims that of five major Big Tech firms, Google tracks more private data about users than any other — and Apple tracks the least. AppleInsider reports: Apple has previously introduced App Tracking Transparency specifically to protect the privacy of users from other companies. However, a new report says that Apple is also avoiding doing any more tracking itself than is needed to run its services. According to StockApps.com, Apple “is the most privacy-conscious firm out there.” “Apple only stores the information that is necessary to maintain users’ accounts,” it continues. “This is because their website is not as reliant on advertising revenue as are Google, Twitter, and Facebook.”

The StockApps.com report does not list what it describes as the “data points” that Big Tech firms collect for every user. However, it says they include location details, browser history, activity on third-party websites, and in Google’s case, also emails in Gmail. It also doesn’t detail its methodology, but does say that it used marketing firm digitalinformationworld to investigate Apple, Amazon, Facebook, Google, and Twitter. Of these five, Google reportedly tracks 39 separate data points per user, while Apple tracks only 12. Unexpectedly, Facebook is stated as tracking only 14 data points, while Amazon tracks 23, and Twitter tracks 24.

Read more of this story at Slashdot.

New US Privacy Law May Give Telecoms Free Pass On $200 Million Fines

An anonymous reader quotes a report from Motherboard: The American Data Privacy and Protection Act (ADPPA), a new federal privacy bill that has actually a chance of becoming law, is designed to introduce new privacy protections for Americans. But it may also have the side effect of wiping out $200 million worth of fines proposed against some of the country’s biggest telecommunications companies as part of a major location-data selling scandal in which the firms sold customer data that ended up in the hands of bounty hunters and other parties. The issue centers around the ADPPA’s shift of enforcement for privacy related matters from the Federal Communications Commission (FCC), which proposed the fines, to the Federal Trade Commission (FTC). The news highlights the complex push and pulls when developing privacy legislation, and some of the pitfalls along the way.

The FCC proposed the $200 million fines in February 2020. The fines came after Motherboard revealed that the carriers sold phone location data to a complex supply chain of companies which then provided it to hundreds of bounty hunters and other third parties, including someone that allowed Motherboard to track a phone for just $300. The fines also came after The New York Times and the office of Sen. Ron Wyden found that the carriers sold location data in a similar method to a company called Securus, which allowed law enforcement officials to track the location of phones without a warrant. A former sheriff abused the tool to spy on judges and other officials. The offending telecoms — AT&T, T-Mobile, Sprint, Verizon — said they stopped the sale of location data at varying points in time in response to the investigations. The FCC then found that the carriers broke the law by selling such data.

FCC Press Secretary Paloma Perez told Motherboard in an emailed statement that “our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection. That is why the FCC has proposed more than $200 million in fines against the nation’s largest wireless carriers for selling their customers’ location data. Through our continued oversight we have ensured that these carriers are no longer monetizing their consumers’ real-time location in this way, and we are continuing our investigation into these practices and expect to reach a conclusion very soon.” In July FCC Chairwoman Jessica Rosenworcel sent letters to a host of U.S. telecommunications, tech, and retail companies to ask about their use of location data.

Read more of this story at Slashdot.

Purism’s ‘Librem 5 USA’ Smartphone Achieves Major New Shipping Milestone

Purism posted an announcement Thursday about their privacy-focused “Librem 5 USA” smartphones. “New orders placed today will ship within our standard 10-business-day window.”

The Librem 5 USA now joins the Librem Mini and Librem 14 as a post-Just In Time product, one where instead of relying on Just In Time supply chains to manufacture a product just as we need it, we have invested in maintaining much larger inventories so that we can better absorb future supply chain issues that may come our way.

For anyone who is new to the product, the Librem 5 USA is our premium phone that shares the same hardware design and features as our mass-produced Librem 5, but with electronics we make in the USA using a separate electronics supply chain that sources from US suppliers whenever possible. This results in a tighter, more secure supply chain for the Librem 5 USA.

The Librem 5 USA uses the same PureOS as our other computers and so it runs the same desktop Linux applications you might be used to, just on a small screen.

PureOS on the Librem 5 USA demonstrates real convergence, where the device becomes more than just a phone, it becomes a full-featured pocket-sized computer that can act like a desktop when connected to a monitor, keyboard and mouse, or even a laptop (or tablet!) when connected to a laptop docking station. All of your files and all of your software remains the same and follows you where you go. Applications just morph from the smaller screen to the larger screen when docked, just like connecting a external monitor to a laptop.

Everyone who has backed the Librem 5 and Librem 5 USA projects hasn’t just supported the production of the hardware itself, they have also supported a massive, multi-year software development effort to bring the traditional Linux desktop to a phone form-factor. Projects such as Phosh (the GUI), Phoc (the Compositor), Squeekboard (the Keyboard), Calls (for calling), Chats (for texting and messaging), and libhandy/libadwaita (libraries to make GTK applications adaptive) all required massive investment and many of these projects have already been moved to the GNOME infrastructure to better share our effort with a larger community.

We are delighted to see that many other mobile projects have recognized the quality of our efforts and adopted our software into their own projects….

The Librem 5 USA was designed for longevity and because we support right to repair, we also offer a number of spare parts in our shop, including replacement modems so you can make sure you support all the cellular bands in a particular continent, replacement batteries for when you ultimately wear out your existing battery, and plenty of other spare parts that haven’t had sufficient demand to post formally on our shop (yet). If you need a spare part that isn’t yet on the shop, just ask.

Read more of this story at Slashdot.

American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA

Anomaly Six, a secretive government contractor, claims to monitor the movements of billions of phones around the world and unmask spies with the press of a button. Reader BeerFartMoron shares a report: In the months leading up to Russia’s invasion of Ukraine, two obscure American startups met to discuss a potential surveillance partnership that would merge the ability to track the movements of billions of people via their phones with a constant stream of data purchased directly from Twitter. According to Brendon Clark of Anomaly Six — or “A6” — the combination of its cellphone location-tracking technology with the social media surveillance provided by Zignal Labs would permit the U.S. government to effortlessly spy on Russian forces as they amassed along the Ukrainian border, or similarly track Chinese nuclear submarines. To prove that the technology worked, Clark pointed A6’s powers inward, spying on the National Security Agency and CIA, using their own cellphones against them.

Virginia-based Anomaly Six was founded in 2018 by two ex-military intelligence officers and maintains a public presence that is scant to the point of mysterious, its website disclosing nothing about what the firm actually does. But there’s a good chance that A6 knows an immense amount about you. The company is one of many that purchases vast reams of location data, tracking hundreds of millions of people around the world by exploiting a poorly understood fact: Countless common smartphone apps are constantly harvesting your location and relaying it to advertisers, typically without your knowledge or informed consent, relying on disclosures buried in the legalese of the sprawling terms of service that the companies involved count on you never reading.

Read more of this story at Slashdot.

Police Records Show Women Are Stalked With Apple AirTags Across the Country

samleecole shares a report from Motherboard: Police records reviewed by Motherboard show that, as security experts immediately predicted when the product launched, this technology has been used as a tool to stalk and harass women. Motherboard requested records mentioning AirTags in a recent eight month period from dozens of the country’s largest police departments. We obtained records from eight police departments. Of the 150 total police reports mentioning AirTags, in 50 cases women called the police because they started getting notifications that their whereabouts were being tracked by an AirTag they didn’t own. Of those, 25 could identify a man in their lives — ex-partners, husbands, bosses — who they strongly suspected planted the AirTags on their cars in order to follow and harass them. Those women reported that current and former intimate partners — the most likely people to harm women overall — are using AirTags to stalk and harass them.

Multiple women who filed these reports said they feared physical violence. One woman called the police because a man she had a protective order against was harassing her with phone calls. She’d gotten notifications that an AirTag was tracking her, and could hear it chiming in her car, but couldn’t find it. When the cops arrived, she answered one of his calls in front of the officer, and the man described how he would physically harm her. Another who found an AirTag in her car had been wondering how a man she had an order of protection against seemed to always know where she was. The report said she was afraid he would assault or kill her. […] The overwhelming number of reports came from women. Only one case out of the 150 we reviewed involved a man who suspected an ex-girlfriend of tracking him with an AirTag.

Read more of this story at Slashdot.

Writing Google Reviews About Patients Is Actually a HIPAA Violation

“According to The Verge, health providers writing Google reviews about patients with identifiable information is a HIPAA violation,” writes Slashdot reader August Oleman. From the report: In the past few years, the phrase ‘HIPAA violation’ has been thrown around a lot, often incorrectly. People have cited the law, which protects patient health information, as a reason they can’t be asked if they’re vaccinated or get a doctor’s note for an employer. But asking someone if they’re vaccinated isn’t actually a HIPAA violation. That’s a fine and not-illegal thing for one non-doctor to ask another non-doctor. What is a HIPAA violation is what U. Phillip Igbinadolor, a dentist in North Carolina, did in September 2015, according to the Department of Health and Human Services. After a patient left an anonymous, negative Google review, he logged on and responded with his own post on the Google page, saying that the patient missed scheduled appointments. […]

In the post, he used the patient’s full name and described, in detail, the specific dental problem he was in for: “excruciating pain” from the lower left quadrant, which resulted in a referral for a root canal. That’s what a HIPAA violation actually looks like. The law says that healthcare providers and insurance companies can’t share identifiable, personal information without a patient’s consent. In this case, the dentist (a healthcare provider) publicly shared a patient’s name, medical condition, and medical history (personal information). As a result, the office was fined $50,000 (PDF).

Read more of this story at Slashdot.

Lapsus$ Found a Spreadsheet of Passwords as They Breached Okta, Documents Show

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported. The report adds: […] The documents provide the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta’s network. […] The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer communication sent on January 25 — more than a week after hackers first compromised its network — and a detailed timeline of the Sitel intrusion compiled by incident response firm Mandiant dated March 17 that was shared with Okta.

According to the documents, Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021. The timeline details how the attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel’s network, gaining deeper visibility to the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by hackers. According to the timeline, the hackers accessed a spreadsheet on Sitel’s internal network early on January 21 called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager.

Read more of this story at Slashdot.