Weekly Privacy Roundup #7
“There's something really liberating about having some corner of your life that's yours, that no one gets to see except you. It's a little like nudity or taking a dump. Everyone gets naked every once in a while. Everyone has to squat on the toilet. There's nothing shameful, deviant or weird about either of them.” ― Cory Doctorow
Stop tracking me, Google: Austrian citizen files GDPR legal complaint over Android Advertising ID
Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is "personal data" as defined by the EU's GDPR and that this data is illegally processed.
Based in Vienna, Austria, Noyb is a nonprofit founded by Max Schrems, a lawyer and privacy advocate, to focus on "commercial privacy and data protection violations". It says that "the core task of the office is to work on our enforcement projects and to engage in the necessary research for strategic litigation."
India’s Covid-19 App Is a Privacy Nightmare
To contain the spread of Covid-19, the Indian government imposed a strict nationwide lockdown on March 25 that affects the 1.3 billion people currently living in India. While the lockdown was set to end on April 14, this date has now been pushed twice.
Throughout this period, the government has enacted various measures to curb the spread of the virus, but there’s one in particular that stands out: the government’s repeated insistence that people download the Aarogya Setu app.
Aarogya Setu — meaning “health bridge” — is an iOS and Android app developed under the guidance of India’s National Informatics Centre through a public-private partnership model. The app aims to help curb the spread of coronavirus with the help of tech-aided contact tracing.
DigitalOcean Data Leak Incident Exposed Some of Its Customers Data
DigitalOcean, one of the biggest modern web hosting platforms, was recently hit with a concerning data leak incident that exposed some of its customers' data to unknown and unauthorized third parties.
Though the hosting company has not yet publicly released a statement, it has started warning affected customers of the scope of the breach via email.
According to the breach notification email that affected customers [1, 2] received, the data leak happened due to negligence where DigitalOcean 'unintentionally' left an internal document accessible to the Internet without requiring any password.
US Marshals Service exposed prisoner details in security breach
The US Marshals Service (USMS) suffered a security lapse last year and is currently notifying inmates that some of their personal details might have been exposed online.
According to breach notification letters sent this month, the USMS said the incident came to light on December 30, 2019, when the USMS Information Technology Division (ITD) received an alert from the Department of Justice Security Operations Center (JSOC) about a breach of a public-facing USMS server.
The USMS said the hacked server housed information on current and former USMS prisoners, including data such as names, dates of birth, social security numbers, and home addresses.
EU: UK Must Share More Data to Access Crime-fighting System
A European parliamentary committee has said that the UK's access to an EU crime-fighting system should be blocked unless the country shares more DNA and fingerprint data with member states.
The Justice and Home Affairs Committee, chaired by Spanish socialist MEP Juan-Fernando López-Aguilar, claims that the UK is denying member states access to a sufficient amount of fingerprint data collected by British police.
López-Aguilar said that when it came to sharing data in the battle against crime, the exchange of information between different countries should be based on "the goodwill of reciprocity."
The views of the committee were expressed in a vote that took place yesterday. Although not binding, the outcome of the vote could have an impact on EU decisionmakers as the UK negotiates a post-Brexit deal on the sharing of DNA, fingerprint data, and crime-fighting intelligence with the EU.
López-Aguilar said he hoped that the UK and EU could establish a data-sharing relationship that was "mutually beneficial."
Celebrity personal data taken in ransomware attack
Variety says that the law firm Grubman Shire Meiselas & Sacks, or just gsmlaw.com for short, has experienced a ransomware attack that apparently involved the appropriately named REvil malware.
Rather than simply knocking the law firm out of action temporarily, the ransomware crooks are said to have stolen personal data from a laundry list of celebrity clients, too – allegedly more than 750GB in total including contracts, contact information and “personal correspondence”.
Hackers Selling Over 73 Million User Records On The Dark Web
Hacker group “ShinyHunters” is selling about 73.2 million user records stolen from 10 companies on the Dark Web for about $18,000, reports ZDNet.
The majority of the stolen user records have come from online dating app Zoosk (30 million), while the remainder have come from other sites, such as printing service Chatbooks (15 million), food delivery service Home Chef (8 million), South Korean fashion platform SocialShare (6 million), online marketplace Minted (5 million), online newspaper Chronicle of Higher Education (3 million), South Korean furniture magazine GGuMim (2 million), health magazine Mindful (2 million), Indonesian online store Bhinneka (1.2 million), and U.S. newspaper StarTribune (1 million).
Windows 10 gets DNS over HTTPS support, how to test
Microsoft announced that initial support for DNS over HTTPS (DoH) is now available in Windows 10 Insider Preview Build 19628 for Windows Insiders in the Fast ring.
The DoH protocol addition in a future Windows 10 release was advertised by Redmond in November 2018, with the inclusion of DNS over TLS (DoT) to also stay on the table.
DoH enables DNS resolution over encrypted HTTPS connections, while DoT is designed to encrypt DNS queries via the Transport Layer Security (TLS) protocol, instead of using clear text DNS lookups.
Through the inclusion of DoH support in the Windows 10 Core Networking, Microsoft boosts its customers' security and privacy on the Internet by encrypting their DNS queries and automatically removing the plain-text domain names normally present in unsecured web traffic.
"If you haven’t been waiting for it, and are wondering what DoH is all about, then be aware this feature will change how your device connects to the Internet and is in an early testing stage so only proceed if you’re sure you’re ready," Microsoft explains.