Weekly Privacy Roundup #6
"If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different." – Bruce Schneier
Is the GDPR failing? If it is, how can it be saved?
The coronavirus pandemic rightly dominates the headlines, including those of the privacy world, but in the background, life goes on. For example, companies operating in the EU are still subject to the GDPR, two years after it first came into operation. But as this blog noted a few months back, there are increasing fears that the law is turning into a paper tiger: impressive in theory, but rather less so in practice. The question is being raised again, prompted by some interesting research carried out by Johnny Ryan, the chief policy officer at the browser company Brave, which places a particular emphasis on privacy. He contacted 28 EU Member State national data protection agencies (DPAs), 17 DPAs in the German states, and 3 other national DPAs, and asked about their staffing levels – particularly how many people they had with technical knowledge.
Xiaomi tracks private browser and phone usage, defends behavior
New research claims that China-based Xiaomi is tracking sensitive information and sending it to their servers if you use the Mi browser, which is bundled with all Redmi and Mi phones.
In a report by Forbes, security research Gabi Cirlig states that Xiaomi's Mi Browser app sends your internet searches, including incognito mode sessions, to Xiaomi servers in Singapore and Russia.
Even more concerning is that Cirlig states that the data being set can easily be associated with a particular user allowing the company to single out users they wish to track.
“My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” Cirlig told Forbes.
While all of this data is uploaded to remote servers in Singapore and Russia, the domains themselves are registered to an organization in Beijing.
Additionally, the researcher noticed that Xiaomi phones record the folders a user opens, the screens a user views, and configured settings.
Xiaomi's music player app was also recording what and when the user played songs.
Hacker leaks 15 million records from Tokopedia, Indonesia's largest online store
A hacker has leaked on Friday the details of 15 million users registered on Tokopedia, Indonesia's largest online store.
The hacker claims the data was obtained in an intrusion that took place in March 2020 and is just a small part of the site's entire user database that was obtained in the hack.
The leaker said he was sharing the 15 million users sample in the hopes someone could help crack the user passwords, so they could be used to access user accounts.
ZDNet has obtained a copy of the leaked file with the help of data breach monitoring service Under the Breach.
UK COVID-19 contact tracing app data may be kept for 'research' after crisis ends, MPs told
Britons will not be able to ask NHS admins to delete their COVID-19 tracking data from government servers, digital arm NHSX's chief exec Matthew Gould admitted to MPs this afternoon.
Gould also told Parliament's Human Rights Committee that data harvested from Britons through NHSX's COVID-19 contact tracing app would be "pseudonymised" - and appeared to leave the door open for that data to be sold on for "research".
The government's contact-tracing app will be rolled out in Britain this week. A demo seen by The Register showed its basic consumer-facing functions. Key to those is a big green button that the user presses to send 28 days' worth of contact data to the NHS.
CAM4 adult cam site exposes 11 million emails, private chats
Adult live streaming website CAM4 exposed over 7TB of personally identifiable information (PII) of members and users, stored within more than 10.88 billion database records.
The sensitive data was leaked after one of the site's production databases was left open to Internet access on a misconfigured Elasticsearch cluster, with records dating back to March 16, 2020.
CAM4 has around 2 billion visitors each year and its members are streaming more than 1 million hours of adult content every week, with over 75,999 private shows being broadcast on a daily basis.
Xiaomi emits phone browser updates after almighty row over web activity it harvested even in incognito mode
A Forbes report last week outlined how some Xiaomi Android phones track their owners' web browsing and online activities.
It was claimed the handsets collect things like browsing history, search queries, and news feed activity, and send the data off to servers in China, even when using the bundled Xiaomi browser's private incognito mode.
Xiaomi, in response, claimed it anonymizes the harvested data for performance monitoring, though it did admit that this "aggregated data collection" included URLs even in incognito mode.
"Our user's privacy and internet security is of top priority at Xiaomi," the phone maker added. "We are confident that we strictly follow and are fully compliant with local laws and regulations.”
Uncle Sam to agencies: No encrypted DNS for you!
The US federal government has been protecting its users by blocking malicious destinations for years, but it won’t let them take advantage of the latest protective measure in DNS – encryption – just yet. Last month, the US Department of Homeland Security warned government agencies that they’re legally bound to use an internal system that won’t support this feature.
The DHS’s Cybersecurity & Infrastructure Security Agency (CISA) published a memorandum on April 21 warning agency CIOs that they’re legally bound to use its internal EINSTEIN network security system when resolving DNS queries. That means that they can’t yet take advantage of technologies that stop people from snooping on or even hijacking their DNS queries.
Breach Exposes Data of 774,000 Australian Migrants
Personal details of 774,000 individuals in Australia's migration system have been exposed in a data breach.
The data was made publicly available via the Home Affairs Department's SkillsSelect platform, which invites skilled workers and entrepreneurs to express interest in moving Down Under.
Partial names, ADUserIDs, and the outcome of applications made by people wishing to migrate to Australia were discovered online by Guardian Australia via a publicly available app hosted on the employment department's domain. Other information uncovered by the newspaper included the age, country of birth, and marital status of applicants.
In total, the breach revealed 774,326 unique user IDs and 189,426 completed expressions of interest, dating back to 2014. By applying filters, the Guardian was able to narrow down an expression of interest to a single entry, then discover other details relating to that particular applicant.
GoDaddy Suffers Data Breach
Domain registrar and web-hosting company GoDaddy has notified an undisclosed number of its 19 million customers of a data breach.
The security incident took place on October 19, 2019, but went undetected until April 23, 2020, when GoDaddy noticed some suspicious activity occurring on a subset of its servers.
As a result of the episode, the web-hosting account credentials of an unknown number of customers have been compromised.
The impact of the breach could be far-reaching since GoDaddy is the world's largest domain registrar, managing 77 million domains.
Firefox’s Private Relay service tests anonymous email alias feature
Email addresses are impossible to live without and yet, despite years of technological advance, can often be just as tricky to live with.
Most people often still have only two email addresses, one for work and a personal address, and they are often sitting targets for spammers, scammers and nuisance emailers in the digital equivalent of ‘we know where you live’.
At the weekend Mozilla announced that it is testing an experimental service called Firefox Private Relay that it thinks will offer an appealing solution to this issue.
NHS app lacks privacy “due diligence”
Open Rights Group's lawyers, AWO, have written to Matt Hancock and NHSX to demand immediate confirmation that they will conduct a full and adequate Data Protection Impact Assessment, consult with the ICO and publish the results.
It was confirmed to Parliament on Monday that this risk assessment had not yet been completed, nor had the ICO had sight of it. 
NHSX is deploying its App in public this week, effectively without completing their data protection privacy obligations. The public and NHSX are therefore unable to judge if it is safe to use, what risks are involved or what has been done to mitigate those risks. We have asked NHSX to clarify those points.
Jim Killock, Executive Director of the Open Rights Group said:
“The NHSX has not done its homework. We are worried that NHSX will not have fully addressed the many privacy risks that come with building a massive database of personal contact events.