According to TechWire Asia, China's National Computer Network Emergency Response Technical Team expressed to app developers the need to reevaluate the amount of data collected from their users. In its half-yearly report, the agency identified a significant number of mobile apps that need to rectify the issue of over-collection, and called for a national response to address the problem, as the country’s 800 million mobile users migrate to online platforms for their shopping needs. According to IAPP, the report of the agency states that "a large number of apps exhibit abnormal behavior, such as detecting other apps or reading and writing user device files, posing a potential security threat to the user’s information security".
Irish data protection authority rules Ireland's ID card scheme to be unlawful from data protection perspective.
The Irish data protection Commission (DPC) has ordered the Irish government to delete 3.2 million citizens' personal data, after ruling that its national ID scheme was unlawful. According to the Irish Times, in a highly critical report on its investigation into the card, the privacy authority found there was no legal reason to make individuals obtain the card in order to access State services. The commission’s report represents a major blow to the scope of the project, which has faced strong opposition from digital rights campaigners. According to the Register, the DPC stated that in practical terms, a person's capacity to access public services both offline and online is now contingent, in an ever-increasing range of contexts, on obtaining and producing a Public Services Card.
UK's data protection authority launches investigations over the use of facial recognition software at King's Cross
The UK' Information Commissioner's Office has launched an investigation into the use of facial recognition in King's Cross area in London. The authority indicated being deeply concerned about the growing use of facial recognition technology in public spaces, and seeking detailed information about how it is used. According to the Guardian, ICO's announcement came two days ago the mayor of London, Sadiq Khan, wrote to the development’s owner demanding to know whether the company believed its use of facial recognition software in its CCTV systems was legal. The developers includes a consortium of Argent, a property developer, Hermes Investment Management, on behalf of BT Pensioners, and AustralianSuper, an Australian pension scheme. According to IAPP, the consortium said the facial-recognition tech has been implemented “in the interest of public safety and to ensure that everyone who visits has the best possible experience.
The ninth US Circuit Court of Appeals in San Francisco has issued a decision allowing the continuation of a class-action lawsuit against Facebook's use of facial recognition tools. The lawsuit was filed in 2015 by Ilinois Facebook users who argued that the company was illegally collecting and using biometric data of people to identify them in photographs. The federal court decided against Facebook's request to halt the lawsuit. In its decision, the court noted that 'the development of face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests. Similar conduct is actionable at common law.' The company announced plans to appeal the decision. As explained by Techcrunch, the case could result in a considerable financial penalty for Facebook. Privacy law violations in Illinois could be subject to damages between US$1000 and US$5000 in penalties and the case could involve around 7 million users.
Irish data protection authority opens investigation against US-based start-up scraping millions of Instagram users' data
The Irish data protection Commission has announced having launched an investigation against Hyp3r, a San Francisco start-up, which scrapped millions of Instagram users' data, including their locations and stories. Instagram issued the company a cease and desist order, and then evicted it from the platform once made aware of its activities. According to Business Insider, Hyp3r had been operating in plain sight for a year, taking advantage of a weakness in Instagram's security, but Instagram failed to notice. The Irish data protection authority is now working to establish whether EU data subjects have been affected in the first instance and will then assess whether further information from Instagram is required.
Researchers of cyber security company CheckMarx found vulnerabilities in LeapFrog’s LeapPad Ultima that lead to privacy risk of data of children and their parents.They identified that some of LeapFrog’s communications aren’t encrypted and this vulnerability can expose the personal data of the child – including their name, gender and date of birth. And the details of their parents such as name, home address, and even credit card information.
The other vulnerability identified was within the LeapFrog’s Pet Chat app that allows children to send pre-loaded emojis and preset messages rather than writing original messages. This could allow an attacker to track the tablet or even send a “preset” message to the tablet user.
LeapFrog and Pet Chat were removed from the stores.“We thank CheckMarx for bringing these security issues to our attention, as the safety of the children who use our products is our top priority,” said Mari Sunderland, VP of digital product management at LeapFrog Enterprises.
Twitter has disclosed bugs related to how the company shares personal information for ad targeting purposes. According to TechCrunch, in a blog post on its Help Center about the latest “issues” Twitter says it “recently” found, it admits to finding two problems with users’ ad settings choices that mean they “may not have worked as intended.'' The bugs relate to tracking ad conversions and users' web browsing activities. According to CNET, Twitter users who clicked or viewed an ad for a mobile app since May 2018 may have shared data about the experience with third-party measurement and advertising partners. Both bugs appear to be in breach with the EU's GDPR, especially after the UK’s privacy regulator warned in June that systematic profiling of web users via invasive tracking technologies such as cookies is in breach of EU privacy laws.
In a letter the Democratic senators of US wrote to Facebook CEO Mark Zuckerberg on whether Facebook had done enough to protect the privacy of children. This follows the reported flaws in the facebook kids messenger chat.
In the letter the senators mentioned “Your company has a responsibility to meet its promise to parents that children are not exposed to unapproved contacts, a promise that it appears that Facebook has not fulfilled.” They also asked questions such as when the company first became aware of the flaw in the Facebook kids messenger and if there are any other flaws in the app that could violate the Children’s Online Privacy Protection Act (COPPA).
Luxembourg’s National Data Protection Commission (CNDP) is discussing with Amazon over concerns about Alexa recordings, after Bloomsberg revealed instances of everyday conversations as well as cases of suspected domestic violence had been recorded and reviewed. According to the BBC, the Luxembourgish regulator is the lead supervisory authority for the company in the EU, meaning that it co-ordinates investigations into the business on behalf of the other member states, and at this point it has not launched a formal privacy probe.
A number of top privacy commissioners from all continents (Asia, Europe, Americas, Oceania and Africa) have published a joint statement raising concerns over the data protection safeguards of Facebook's new currency project. According to TechCrunch, regulators seek more clarity on what users’ personal data will be used for and how users will be able to control what their data is used for. The list of signatories includes Canada’s privacy commissioner Daniel Therrien; the European Union’s data protection supervisor, Giovanni Buttarelli; U.K. Information commissioner, Elizabeth Denham; Albania’s information and data protection commissioner, Besnik Dervishi; the president of the Commission for Information Technology and Civil Liberties for Burkina Faso, Marguerite Ouedraogo Bonane; and Australia’s information and privacy commissioner, Angelene Falk.