At a glance.
- Automated neighborhood watch.
- Twitter exploit may have compromised personal data associated with more than 5 million accounts.
- Proposed scrutiny of an acquisition on grounds of privacy.
Automated neighborhood watch.
The Ring security doorbell has attracted attention for the ways in which it collects images of who's out and about in the neighborhood, and for the agreements it's reached to share some of those data with law enforcement. Wired reports on the data that Ring doorbell cameras collect, starting with the information Ring collects from its customers. Most of that information is foreseeable: "Ring gets your name, phone number, email and postal address, and any other information you provide to it—such as payment information or your social media handles if you link your Ring account to Facebook, for instance," which one would expect in most e-commerce transactions. "The company also gets information about your Wi-Fi network and its signal strength, and it knows you named your camera 'Secret CIA Watchpoint,' as well as all the other technical changes you make to your cameras or doorbells." It also maintains records of doorbell activity--rings, nearby motion, nearby sounds. It doesn't collect those last two categories of data continuously, but only when triggered by sound or motion in proximity to the system. Ring's terms of service explain the uses to which it may put the data, but of course casual passersby holding a conversation (Ring is able to record sounds at least as far away as twenty feet) aren't parties to the EULA.
Twitter exploit may have compromised more than 5 million accounts.
On Friday Twitter disclosed a cyberattack that compromised some users' personal information. "In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability." But it turned out that a threat actor had exploited the vulnerability to collect personal information before Twitter applied the patch, and was now offering the stolen data for sale. Twitter is in the process of notifying affected users. BleepingComputer reports that some 5.4 million accounts were scraped for personal data before the vulnerability was fixed.
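The flaw Twitter describes belongs to a familiar class: a lookup that answers a submitted email address or phone number with the account behind it. The Python below is an added example, not Twitter's code and not part of the original briefing; it sets that pattern beside a lookup that gives a uniform reply and caps distinct identifiers per client, plus a log check for clients that enumerate. Every name, the sample directory, and the limit are hypothetical.

```python
from collections import defaultdict

# Constructed sample directory (hypothetical): contact identifier -> account handle.
DIRECTORY = {"alice@example.com": "@alice_anon", "+15550100": "@night_owl"}
GENERIC_REPLY = "If that contact is registered, a message has been sent to it."
THROTTLED = "Too many requests."
MAX_DISTINCT = 3  # hypothetical per-client budget of distinct identifiers


def lookup_leaky(identifier):
    """Flawed pattern: the reply names the account tied to the identifier."""
    return DIRECTORY.get(identifier)


class HardenedLookup:
    """Same feature without the oracle: uniform reply plus a lookup budget."""

    def __init__(self, limit=MAX_DISTINCT):
        self.limit = limit
        self.seen = defaultdict(set)  # client id -> distinct identifiers tried
        self.outbox = []              # out-of-band notices to the contact itself

    def lookup(self, client_id, identifier):
        tried = self.seen[client_id]
        if identifier not in tried and len(tried) >= self.limit:
            return THROTTLED  # budget spent: refuse before touching the directory
        tried.add(identifier)
        handle = DIRECTORY.get(identifier)
        if handle is not None:
            # The match goes only to the owner of the address or number.
            self.outbox.append((identifier, handle))
        return GENERIC_REPLY  # identical whether or not the identifier matched


def flag_enumerators(log, threshold=MAX_DISTINCT):
    """Detection over (client_id, identifier) log rows: return the clients
    that queried more distinct identifiers than the threshold."""
    per_client = defaultdict(set)
    for client_id, identifier in log:
        per_client[client_id].add(identifier)
    return sorted(c for c, ids in per_client.items() if len(ids) > threshold)
```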
Progressive advocacy group urges official scrutiny of Amazon's One Medical acquisition.
Public Citizen, a progressive advocacy group founded by Ralph Nader (but with which Mr. Nader is no longer associated), sent the Centers for Medicare and Medicaid Services, the Federal Trade Commission (FTC), the US Justice Department, and Congressional leaders a letter asking that they investigate a proposed merger of Amazon and healthcare provider One Medical. Managed Healthcare Executive outlines six of Public Citizen's objections. Five of them are foreseeable concerns about monopoly, workers' rights, consumer protection, and the equity and effectiveness of healthcare delivery that might be raised about almost any merger. But the sixth concern is for personal privacy, and the effect the merger could have on it.
One Medical operates some two hundred primary care facilities in the United States, NPR notes, and then points out that some of the uneasiness felt about the acquisition is connected with the concentration of two different classes of personal information--purchasing history and behavior, and then medical records--in one company's hands. Drawing attention to the data Amazon already collects on consumers, Public Citizen's letter reads in part:
"Amazon gathers a vast amount of data from consumers through its online marketplace, Alexa voice assistant, Kindle e-readers, Fire tablets, Audible audiobooks, Prime video and music platforms, Ring security cameras and fitness trackers. It uses this data to direct individualized advertising, including based on health status that the company is able to infer. Even prior to the One Medical merger, there was reason to worry about privacy incursions becoming worse due to Amazon acquiring health data. For example, the company touts a new initiative to 'enable senior living and health care providers to integrate Alexa into their properties.' Amazon promises that it will protect consumer privacy in the process – but this is merely a promise, from a gargantuan company with a weak track record on personal privacy."
Public Citizen thinks that HIPAA (the Health Insurance Portability and Accountability Act) will prove gossamer against whatever inroads the company might be tempted to make into medical information.
"First, Amazon will be well positioned to secure privacy waivers from One Medical patients, perhaps simply by offering a Prime discount. Such waivers may be intentional – but consumers may have little awareness of what they are sacrificing for modest price discounts. Second, regulators should scrutinize the possibility that Amazon may be able to secure inadvertent waivers of patients’ HIPAA protections and mandate protections against such deceptive activities. The Federal Trade Commission is reportedly investigating Amazon for use of “dark patterns” – manipulative online tactics that trick or trap consumers into subscription services. Amazon has been accused of extensive use of dark patterns, in response to which the European Union has forced Amazon to change subscription cancellation practices. Third, it is even conceivable that Amazon might position its Prime business as a “business associate” under HIPAA entitled to access One Medical data. It would be a mistake to underestimate the corporation’s ability to navigate around the law creatively."
Whatever the outcome of the proposed acquisition turns out to be, and whether or not appeals like Public Citizen's have any effect on lawmakers and regulators, it's interesting to see data privacy raised as one of the principal concerns advocacy groups see in evaluating this particular consolidation.