Pandemic privacy. An election database leaks. GDPR and grandma. Theophrastus on Nextdoor.

Summary

By the CyberWire staff

At a glance.

Privacy issues surface with some tracing apps in the US.
Estonia moves toward immunity passports.
Indonesian election database leaked.
GDPR comes for grandma.
Walking the electronic beat with Nextdoor.

Privacy issues surface with some tracing apps in the US.

The US Federal Government hasn't undertaken development of a national contact-tracing app, but some of the states have. North and South Dakota have deployed Care19, an app that collects geolocation data under conditions that require opt-in, anonymization, and no sharing with third-parties. But researchers at privacy-specialist shop Jumbo Privacy have looked at Care 19 and report, as the Washington Post reports, that "one of the first contact-tracing apps violates its own privacy policy." In particular Jumbo says that Care19 shares location data with Foursquare, best known for its offerings in support of advertisers, and also that the app's data aren't really as anonymous as one might think: they include devices' Advertising Identifiers." Jumbo recommends that users not install the app until Care19's privacy policy is updated for accuracy, and until the app can assure users that their data won't be shared with third parties.

There are other state-level projects under development. The Telegraph reports that British tech company Wejo has contracted with eight states to develop a system for tracking the movements of connected cars, the better to help the states ensure that people are following stay-at-home orders, going out only for essentials like groceries, and not simply gallivanting around like a bunch of Sunday drivers. Comments on the story generally evince a negative reaction to this kind of tracking, as well as some expression of relief that, thank heaven, the commenter drives a primitive rattletrap without newfangled Internet gizmos.

Estonia moves toward immunity passports.

Estonia is preparing a digital immunity passport, a QR code people can display on their smartphones that will inform shopkeepers, gatekeepers, barkeeps and so on that the bearer has been tested for COVID-19. The Telegraph quotes Taavet Hinrikus of Back to Work, a non-governmental organisation that's developing the passport: “Digital immunity passport aims to diminish fears and stimulate societies all over the globe to move on with their lives amidst the pandemic.” The Telegraph's report is ambiguous, saying only that the passport displays test results, but Reuters goes farther, and reports that the intention is to show, specifically, immunity status. There may be some front-running going on here: it's not clear that there's yet a sound understanding of COVID-19 immunity and its relationship to the spread of the virus. There are also questions about how, and how well, private health data are to be secured.

Indonesian election database leaked.

Indonesia's General Election Commission is investigating the release of voters' private information on a hacker website. Reuters says that 2.3 million people's data have so far been released, but that those claiming responsibility are threatening to expose data on 200 million Indonesians. Authorities confirmed that the data were authentic, and that they included such items as home addresses and national identification numbers. The source of the leak is unknown, but the General Election Commission said that it didn't happen in the Commission's own servers. They suggest that it may have come from presidential candidates or political parties, with whom the Commission is obligated by law to share such data.

GDPR comes for grandma.

The BBC reports that a Netherlands court has ruled in favor of a woman whose mother refused to take down photos of the plaintiff's children (the defendant's grandchildren) the defendant had posted to Facebook and Pinterest. The matter falls under the GDPR. While "purely personal" and "household" processing of data do not fall within the scope of the European privacy regulation, social media posts do, because they amount to a form of publication. "With Facebook, it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties," the court said. The grandmother was ordered to remove the photos. If she doesn't, she'll be hit with a €50 fine for every day she fails to do so, up to a maximum of €1,000. If she does it again, that will be another €50 a day. (Relationships can be so complicated, especially when there are pictures in the picture.)

Walking the electronic beat with Nextdoor.

City Lab is running a critical piece about the ways in which Nextdoor (the "hyperlocal" online community) is becoming incorporated into neighborhood watch programs. Privacy advocates are concerned, seeing too much opportunity for people to indulge in discriminatory, invasive, and other malign activity, and too much risk that such behavior will find its way into community policing. Physical neighborhood watch programs have attracted some criticism, but not much. The concerns may amount to little more than worries the simple novelty of involving Nextdoor may arouse. But there may be something disturbing in the well-known disinhibition the online world seems to induce, and the ease with which what would otherwise be a nasty little private preoccupation can scale and affect the lives of innocent others.

It's long been said that on the Internet, no one knows you're a dog. It might be added that no one knows you're a Karen, a meddler, a poorly informed social critic, etc. Theophrastus knew what he was talking about more than two millennia ago when he wrote that the busybody displayed a lot of kind-hearted affectation, but not much effective help. We hope the police on the beat are smart enough to know the difference. "I'm sure I meant well," is the typical post-meddling justification. Report real crime and real danger, sure, but otherwise live and let live.

Notes.

A note to our readers.

Monday is Memorial Day in the United States, and we'll be observing the Federal holiday with a break from publication. We'll be back as usual on Tuesday, May 26th. In the meantime, spare a thought for the fallen, for their families and those they served with.

Selected Reading

FBI offers US companies more details from investigations of health care hacking (CyberScoop) The FBI has provided U.S. companies more information on the extent of recent criminal and foreign government-backed hacking operations against the health care sector and warned of ongoing efforts to steal U.S. research data.

Using COVID-19 to Double Down on Cyber Norms (Council on Foreign Relations) The United States should use the COVID-19 pandemic as an opportunity to push for clearer guardrails to bound acceptable and unacceptable behavior in cyberspace.

Analysis | The Cybersecurity 202: Privacy experts fear a boom in coronavirus surveillance (Washington Post) Surveillance programs built to combat the pandemic may outlast it.

UK contact tracing app source code reveals 7 security holes (9to5Mac) Analysis of the source code for the UK contact tracing app has revealed no fewer than seven security flaws. One of these is that the random code ...

NHS App Has More Glaring Security Flaws and This is Just Getting Bloody Ridiculous Now (Gizmodo UK) By the time they get the app up to scratch, the pandemic will be over.

UK contact-tracing app set to miss official launch date as Google, Apple release API (ComputerWeekly) Government ministers aim to shore up contact-tracing strategy after junior minister concedes much-publicised app set miss-stated start date and Silicon Valley giants officially launch API for apps that follow different route than NHS

Estonia preparing to launch immunity passport for people recovered from virus (The Telegraph) The Baltic state is hoping the technology will help revive its economy as lockdown restrictions ease

Connected car data used to monitor movement under coronavirus lockdown (The Telegraph) Public authorities are keen to get a sense of where residents are going and why

Perspective | One of the first contact-tracing apps violates its own privacy policy (Washington Post) North and South Dakota’s Care19 coronavirus app sends your location data to more than just the government

Four states warn unemployment benefits applicants about data leaks (NBC News) The breaches stem from two incidents in which states hired contractors to quickly implement the Pandemic Unemployment Assistance program.

()

Klobuchar, Moran Introduce Legislation to Protect Seniors from Scams During Coronavirus Pandemic (News Releases - U.S. Senator Amy Klobuchar) The Protecting Seniors from Emergency Scams Act would help prevent scammers from taking advantage of seniors during the coronavirus pandemic and future emergencies

Four agencies warn banks and customers of COVID-19 scams (Fifth Domain) Criminals are using COVID-19 lures to trick banks and customers into providing personal and financial information.

Avoid Scams Related to Economic Payments, COVID-19 (CISA) The Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of the Treasury, the Internal Revenue Service (IRS), and the United States Secret Service (USSS) urge all Americans to be on the lookout for criminal fraud related to these economic impact payments—particularly fraud using coronavirus lures to steal personal and financial information, as well as the economic impact payments themselves—and for adversaries seeking to disrupt payment efforts.

Warning after increase in cyber and doorstep scams in Perthshire during lockdown (Daily Record) Cold callers offering cleaning kits and medical products

Indonesia probes breach of data on more than two million voters (Reuters) Indonesia's election commission is investigating the release of 2.3 million voters' private information on a hacker website along with a threat to release of the data of about 200 million people, the agency said on Friday.

Facebook Scraped Data Issue Surfaces in Vietnam (SafetyDetectives) The security research team, led by Anurag Sen, at Safety Detectives has uncovered a significant leak of Facebook data. As much as 3 gigabytes of scraped Faceboo

Hacker leaks 40 million user records from popular Wishbone app (ZDNet) UPDATE: The Wishbone database leaks online after a hacker began selling it earlier this week.

A 2017 Magento Bug is Opening Up Online Shops for Hackers (Computer Business Review) Hackers are exploiting a 2017 Magento bug that allows them to take over a user’s e-commerce website and embed malicious code.

Mathway investigates data breach after 25M records sold on dark web (BleepingComputer) A data breach broker is selling a database that allegedly contains 25 million Mathway user records on a dark web marketplace.

Germany's Fresenius Medical Care confirms data leak in Serbia after hacker attack (Reuters) German dialysis provider Fresenius Medical Care (FMC) confirmed on Thursday that patient data from some of its dialysis centres in Serbia leaked after a recent hacker attack.

Hacked Law Firm May Have Had Unpatched Pulse Secure VPN (Data Breach Today) A recent ransomware attack that targeted a law firm that serves celebrities may have been facilitated by a Pulse Secure VPN server that was not properly patched and

Twitter lets users limit who can reply to their tweets (The Telegraph) People who can't reply to posts as part of the new test will still be able to see and share them

Facebook rolls out feature to help women in India easily lock their accounts (TechCrunch) Facebook has rolled out a new safety feature in India that will enable users to easily lock their account so that people they are not friends with on the platform cannot view their posts and zoom into and download their profile picture and cover photo. The feature is especially aimed at women to gi…

Facebook leverages AI to improve kids’ safety in Messenger (VentureBeat) Facebook is rolling out an AI feature that gives users under the age of 18 tips on interacting with unfamiliar adults and avoiding scams.

Why Privacy Notices Turn Off Shoppers (HBS Working Knowledge) It seems counterintuitive, but website privacy notices appear to discourage shoppers from buying, according to Leslie John.

Letter to ByteDance on TikTok Data Privacy Concerns, Ties to Chinese Communist Party (Energy and Commerce Committee) “We are living through an unprecedented time due to the ongoing COVID-19 crisis. As a result of this pandemic, millions of our citizens, through no fault of their own, have no choice but to stay home. In doing so, they rely on the Internet to connect them to families, friends, and vital services. As a …

Grandmother ordered to delete Facebook photos (BBC News) Privacy laws mean a grandmother needs her daughter's permission to post photos of her grandchildren.

How Nextdoor Courts Police and Public Officials (CityLab) The hyper-local social media platform Nextdoor is winning over local law enforcement and other government officials in the U.S., alarming civil rights advocates.

GPS-Tracking Richard Simmons Not Free Speech, Tabloid Told (Law360) A California state appellate court Thursday agreed with a lower court that the former owner of In Touch Weekly can't use free speech protections to knock out a suit from fitness guru Richard Simmons accusing the tabloid owner of paying a private investigator to place a GPS-tracker on his car.