Today at a glance.
- Avast will close its market intelligence subsidiary Jumpshot.
- Facebook reaches a preliminary settlement in an Illinois privacy class-action suit.
- SpiceJet customer database brute-forced.
- Sprint customer care forum exposed to the Internet.
Avast decides to shut down its big data subsidiary.
In an incident that indicates how dangerous the collection and use of even anonymized data can be, Prague-based antivirus firm Avast was caught on the wrong foot earlier this week when its sale of anonymized data through its Jumpshot subsidiary came to light. Avast seems to have seen nothing troublesome about selling anonymized data about user online behavior to large corporate customers, and initially sought to reassure its users that it was taking all the right measures to keep their data private. As the company put it in a blog post Tuesday, “We want to reassure our users that at no time have we sold any personally identifiable information to a third party.” Avast also pointed to their practice of having obtained user consent through an opt-out system, but that they had concluded opt-out wasn't enough, and planned to move to an opt-in mechanism.
It turns out opt-in wasn't good enough either. Late yesterday Avast’s CEO, Ondrej Vlcek, announced that both data collection and the Jumpshot subsidiary would be closed down. He and the Board decided that continuing with the Jumpshot business was incompatible with the company’s core mission of security. “For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”
Avast has learned this lesson the hard way twice. Google and Mozilla excluded Avast’s and subsidiary AVG’s extensions from their store back in mid-December when they determined those extensions were collecting information about users' browsing behavior. After a few days’ suspension, the extensions were restored after Avast halted collection. 9to5Google quoted Avast on December 20th as saying, “Privacy is our top priority and the discussion about what is best practice in dealing with data is an ongoing one in the tech industry. We have never compromised on the security or privacy of personal data. We are listening to our users and acknowledge that we need to be more transparent with our users about what data is necessary for our security products to work, and to give them a choice in whether they wish to share their data further and for what purpose.”
Both episodes suggest how dangerous it's become to collect personal data, not only for the people whose data are collected, but for the organizations that do the collecting.
Facebook's record privacy class-action settlement.
Avast is far from alone in struggling with privacy and data collection. The Wall Street Journal reports that Facebook yesterday reached a tentative $550 million settlement in a class-action lawsuit in which the plaintiffs alleged that the social network violated an Illinois law against collection of biometric data without permission. The Journal says this is the largest cash award in a privacy class action lawsuit. Facebook's defense rested on two contentions, first, that its use of templates to tag faces in images didn't really violate the 2009 Illinois law against nonconsensual collection of biometric information, and, second, that the opt-out mechanism it provided users in fact meant that they'd consented anyway. The opt-out line in particular didn't fly with the court, and it seems increasingly clear that if you must collect data, you should get clear, unambiguous, fully informed, opt-in consent.
Brute-forcing SpiceJet.
Indian airline SpiceJet had data on 2.1 million passengers in a database secured by what TechCrunch’s report characterizes as an easily guessed password that was brute-forced by unnamed, self-described white hats. The publication doesn’t name the white hats because brute-forcing a system without permission the way they did is probably a violation of US law, and of who knows how many other jurisdictions’ laws. SpiceJet has since taken steps to better secure the data.
Customer care forum exposed to the Internet.
KrebsOnSecurity found that Sprint’s Social Care forum, a place for customers to address issues with the telco, was being indexed by search engines, an indication that it was exposed to the Internet. He informed Sprint, which acknowledged that the forum should have been private, and which then secured the exposed portion of its network.