At a glance.
- Dating apps expose users' content.
- Amnesty International criticizes privacy implications of COVID-19 contact-tracing apps.
- Former eBay personnel face Federal charges related to cyberstalking.
Adult dating apps expose user information.
vpnMentor is reporting that its researchers discovered that hundreds of thousands of users of “niche dating and hook-up apps” had their personal information exposed: 20,439,462 files totaling 845 gigabytes, including photos (many of them described as “graphic” and “explicit”), screenshots of private chats and financial transactions, some audio, and a bit of personally identifiable information. The apps appear to have shared a developer. More importantly, they shared an AWS S3 bucket, and that bucket was misconfigured and exposed to the Internet.
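The exposure described above is the classic S3 failure mode: a bucket whose ACL, bucket policy, or missing public access block lets anonymous users read its contents. The following Python is an added example, not code from vpnMentor's report or from the affected apps. It shows the three checks a defender would run over a bucket's configuration, using inputs shaped like the responses of boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` calls (those are real boto3 calls; the sample bucket name `example-app-uploads`, the role ARN, the owner ID and the two configurations are constructed for the example and are not from the incident).

```python
import json

# Canned AWS group URIs whose ACL grants make a bucket world-readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four flags of an S3 public access block; all four should be true.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_permissions(acl):
    """Return [(grantee_uri, permission)] for grants to AllUsers or AuthenticatedUsers.
    `acl` has the shape of boto3's get_bucket_acl() response."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def _principal_is_wildcard(principal):
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return Sids (or positional labels) of Allow statements with a wildcard
    principal and no Condition. `policy_json` is the JSON string found under
    the "Policy" key of get_bucket_policy(); None means no policy attached."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    public = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A wildcard principal narrowed by a Condition (e.g. aws:SourceVpce)
            # is not anonymous-public; it deserves manual review, not this flag.
            continue
        public.append(stmt.get("Sid", f"statement[{i}]"))
    return public


def assess_bucket(acl, policy_json, public_access_block):
    """Combine the checks into a list of findings; an empty list means these
    checks found no public exposure. The public access block is reported first
    because it is the safety net that overrides a bad ACL or policy."""
    findings = []
    pab = public_access_block or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append(f"public access block incomplete: {', '.join(missing)} not set")
    for uri, perm in acl_public_permissions(acl):
        findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid in policy_public_statements(policy_json):
        findings.append(f"bucket policy statement {sid} allows anonymous access")
    return findings


# Constructed sample configurations (not from the incident): one exposed, one hardened.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*"}]})
EXPOSED_PAB = None  # no public access block configured at all

HARDENED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-app-uploads/*"}]})
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(label, assess_bucket(*args) or ["no public exposure found"])
```

In a real account the three inputs come from `s3.get_bucket_acl(Bucket=name)`, `s3.get_bucket_policy(Bucket=name)["Policy"]` (which raises `NoSuchBucketPolicy` when none is attached, so treat that as `None`) and `s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]`. The hardened configuration is what the dating apps' shared bucket should have looked like: owner-only ACL, a policy scoped to the application's role, and all four public access block flags set.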
More privacy issues found with contact-tracing apps.
Amnesty International this morning issued a report on COVID-19 contact-tracing apps, with an assessment of eleven tools in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia, and the United Arab Emirates. Amnesty found that many of them threatened privacy, but three stood out as especially troubling surveillance tools: Bahrain’s BeAware Bahrain, Kuwait’s Shlonik, and Norway’s Smittestopp. The feature they had in common is "actively carrying out live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server."
TechCrunch reports that Norway responded to Amnesty's report by suspending its app, even though the responsible Institute of Public Health disagrees with Amnesty's assessment. The Institute intends to delete personal data "as soon as possible." The BBC points out that Bahrain has an unusual approach to incentivizing people to shelter at home during the pandemic: link the BeAware Bahrain app to a game show, "Are You at Home?" where those who are in fact verifiably at home can win prizes.
We received comments from industry experts on contact-tracing apps. Paul Bischoff, privacy advocate with Comparitech, wrote:
“GPS tracking is not the most effective or safe way to go about contact tracing because it is not accurate enough in most cases to determine whether two people came within a close enough distance to spread disease. GPS data is also difficult to anonymize, impacting the privacy of data subjects. That's why more privacy-conscious contact tracing apps opt for Bluetooth, which is better for checking proximity. With Bluetooth, an app can see whether two people were in close contact without recording their exact locations. Google and Apple's combined approach uses Bluetooth and rotating anonymous identifiers to protect users' privacy. GPS might be useful for quarantine enforcement, but is less effective for contact tracing.”
And Pixel Privacy's consumer privacy champion Chris Hauk commented as follows:
“Amnesty International's investigation uncovers the unfortunate fact that many governments have absolutely no respect for the privacy of their citizens. These countries have chosen to exploit the COVID-19 pandemic, seeing it as an opportunity to increase the tracking and surveillance of their citizens. These apps go far beyond what is required to perform COVID-19 contact tracing, violating the privacy of all users. This sadly discourages users from installing contact tracing apps on their devices, limiting the effectiveness of such apps.”
Cyberstalking charges brought against former eBay employees.
The US Attorney for the District of Massachusetts has charged six former eBay employees with "conspiracy to commit cyberstalking and conspiracy to tamper with witnesses" in an unusually egregious case of cyberstalking. They are alleged to have harassed and doxed a Natick, Massachusetts, couple who ran an e-commerce blog and newsletter, EcommerceBytes, that sometimes posted critical reviews of eBay. The harassment included anonymous and disturbing deliveries (a bloody pig mask, a book on mourning a spouse's death, live cockroaches, nasty pornography apparently intentionally misdelivered to a neighbor’s house, a fetal pig, etc.). It even involved physical visits to the victims' home (disrupted by the Natick police, who subsequently asked eBay what was going on).
The six defendants, all of whom eBay fired last September after an internal investigation prompted by the Natick PD, included some senior and middle managers. The US Attorney’s office says the defendants were, until eBay parted ways with them, the Senior Director of Safety & Security, the Director of Global Resiliency, the Senior Manager of Global Intelligence, the manager of eBay’s Global Intelligence Center (or GIC), a contractor who worked as an intelligence analyst in the GIC, and a Senior Manager of Special Operations for eBay’s Global Security Team.
Thus managers at a well-resourced Fortune 500 company decided to go after two small-town bloggers with strong-arm tactics. The planners allegedly intended to escalate the pressure, then send one of their number to visit the victims in Natick, appearing as an eBay representative, sympathetically prepared to help get them out from under all the harassment. This would generate good will toward eBay, and favorable stories on the victims’ blog.
Two members of eBay’s C-suite left in September. The Chief Communications Officer was “terminated” as a result of the company’s internal investigation, and the CEO, Devin Wenig, also left that month, not because he was shown to have known of the harassment campaign, but “over a number of considerations,” which Mr. Wenig said at the time were disagreements with eBay’s board.
What did EcommerceBytes write to attract this degree of odium? According to the Wall Street Journal, there was one blog post entitled, “eBay CEO Devin Wenig Earns 152 Times That of Employees,” a post linked in a text by an unnamed eBay executive which said simply, “We are going to crush this lady.” Mr. Wenig subsequently texted, “Take her down,” in reaction to another, unspecified story.
eBay said that “while Mr. Wenig’s communications were inappropriate, there was no evidence that he knew in advance about or authorized the actions that were later directed toward the blogger and her husband.” And, of course, eBay deplores the ethical lapse, which no doubt it does. But when this sort of conduct extends that far up the chain, it’s difficult to dismiss it as “rogue.”