At a glance.
- GAO calls for dedicated privacy leadership in executive branch.
- Dropbox data breach stems from phishing scam.
- NLRB’s top lawyer focuses on curbing employee surveillance.
- TikTok policy update confirms Chinese employee access to user data.
GAO calls for dedicated privacy leadership in executive branch.
A recent report from the US Government Accountability Office (GAO) says departments and agencies of the executive branch need leadership dedicated to privacy issues, CSO Online reports. Among the approximately sixty individual recommendations outlined in the document, the GAO is calling for Congress to consider legislation that would require these executive branch organizations to name a senior-level official responsible for privacy. Many of the twenty-four entities reviewed already have privacy staff, but frequently they do not have IT backgrounds, and privacy is often just one of the individual's many duties, making it difficult for them to give it the attention it warrants. In a podcast released after the report, GAO Director of Information Technology and Cybersecurity Jennifer Franks stated, “The time is right to make sure privacy receives a sufficient amount of attention at the highest levels of all of our agencies' leadership; and that all of our agencies are fully considering privacy at every step so that when new technologies are deployed and that we are collecting personal information, that we’re considering all of the appropriate safeguards.”
Dropbox data breach stems from phishing scam.
File hosting service Dropbox has disclosed it suffered a data breach in which an intruder gained access to data contained in its internal GitHub code repositories after a developer at the company fell victim to a phishing scam. Posing as a representative from CircleCI, a popular CI/CD platform used internally at Dropbox, the scammer lured the employee to a fraudulent CircleCI login page where the user entered their GitHub credentials, GitGuardian Blog explains. Equipped with those credentials, the bad actor infiltrated the developer’s GitHub account and, in turn, approximately one hundred thirty internal code repositories. While Dropbox says these repositories contained internal tools and were not connected to its core applications, the company did confirm that some sensitive data, including API keys and other credentials, along with a “few thousand names and email addresses belonging to Dropbox employees,” were exposed. The full scope of the breach has not been disclosed, but Dropbox said in a statement, “We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here…We also reviewed our logs, and found no evidence of successful abuse.” Still, experts say the fact that the hacker knew Dropbox used CircleCI demonstrates a high level of sophistication, and that users should be on the alert for any suspicious activity in their accounts.
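The exposure of API keys and other credentials stored in source repositories is the part of this incident a defender can check for directly. The following is an added example, not code from Dropbox, GitGuardian, or the original report: a minimal secret scanner that walks a set of files, flags a few well-known credential formats by prefix (the `ghp_` and `AKIA` rules are simplified assumptions, not complete vendor specifications), and falls back to a generic rule that catches secret-looking variable assignments whose values have high Shannon entropy while ignoring obvious placeholders. The sample file contents are constructed and the tokens in them are synthetic.

```python
"""Minimal repository secret scanner (added example, not project code).

Assumptions: the prefix rules below are simplified illustrations of
well-known token formats; the sample files are constructed; a production
scanner would carry a far larger rule set and run in CI and pre-commit.
"""
import math
import re
from collections import Counter

# Simplified signatures for well-known credential formats (assumption:
# real formats are stricter; these are illustrative only).
PREFIX_RULES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Generic rule: an assignment to a secret-looking variable whose quoted
# value is at least 16 characters; entropy decides whether it is random.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|api_?key)\w*)\s*[=:]\s*"
    r"['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a prefix and suffix so reports never re-leak the secret."""
    return value[:4] + "..." + value[-3:]


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list:
    """Return one finding per line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, pattern in PREFIX_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": name,
                                 "preview": redact(m.group(0))})
                matched = True
        if matched:
            continue  # prefix rule already covers this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append({"path": path, "line": lineno,
                             "rule": "high_entropy_assignment",
                             "var": m.group(1), "preview": redact(m.group(2))})
    return findings


def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> file contents (e.g. a checked-out tree)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample tree; every token here is synthetic and valueless.
SAMPLE_FILES = {
    "tools/deploy.py": (
        "import os\n"
        'GITHUB_TOKEN = "ghp_q7Xb2nR9sT4vW1yZ8aC3dF6gH0jK5mP2lN4e"\n'
    ),
    "config/settings.yaml": (
        "db_password: 'Zx9!kQ2m#Vb7@Lp4$Rw8^Tn3'\n"
        "log_level: debug\n"
    ),
    # Placeholder value: low entropy, so the generic rule ignores it.
    "README.md": 'Set API_KEY = "REPLACE_ME_REPLACE_ME" before running.\n',
    "infra/keys.txt": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['preview']}")
```

Run against a real checkout, the scan would feed the redacted findings to a CI gate or pre-commit hook; the entropy threshold of 4.0 bits per character is a starting point that separates random 20-plus-character tokens from words and placeholders, and should be tuned against the repository's own false-positive rate.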
NLRB’s top lawyer focuses on curbing employee surveillance.
On Monday, General Counsel Jennifer Abruzzo of the US National Labor Relations Board (NLRB) issued a memo calling for the organization to crack down on electronic surveillance and automated management practices that infringe on workers’ labor rights. Spurred by worries that employers could use such technology to interfere with union organizing or other federally protected activities, Abruzzo wrote, “An issue of particular concern to me is the potential for omnipresent surveillance and other algorithmic-management tools to interfere with the exercise of Section 7 rights by significantly impairing or negating employees' ability to engage in protected activity and keep that activity confidential from their employer, if they so choose.” As Vice notes, the NLRB has already stated that workplaces aren’t allowed to target workers engaged in actions protected by the National Labor Relations Act with surveillance tech. However, issues persist even at high-profile companies like Amazon, where warehouse workers say surveillance tech has suppressed their desire to unionize and drivers say in-vehicle tracking devices push them to work at dangerous rates. (Amazon says the tech is necessary to maximize employee safety.) Abruzzo is pushing for a framework that would require employers to disclose details about such technology to the NLRB, allowing the board to ensure employee rights are not being abused.
TikTok policy update confirms Chinese employee access to user data.
Amid political and regulatory concerns about Chinese access to user information on TikTok, as well as an ongoing investigation led by Ireland’s Data Protection Commission (DPC), the popular video streaming app has confirmed that European user data can be accessed by employees outside the continent, including in China, the Guardian reports. In an update to its privacy policy that will go live in the UK, the European Economic Area, and Switzerland in December, TikTok states that staff in China as well as Brazil, Canada, the US, and Singapore are allowed to access user data to ensure their experience of the platform is “consistent, enjoyable and safe.” TikTok, which is owned by Chinese company ByteDance, added that its security controls consist of system access restrictions, encryption, and network security, and noted that it doesn't collect precise location information from European users, The Hacker News reports. The DPC told TechCrunch that its TikTok data transfers investigation will progress to the next stage in the coming months and that a draft decision is expected to be sent to other EU DPAs for review in the first quarter of 2023. Whether TikTok’s privacy policy update is related to the probe is unclear, but experts say the move could be an effort by the company to preempt regulatory enforcement over its data transfers by demonstrating it has already made an effort to increase its transparency with European users.