At a glance.
- Update on the MSU MOVEit data breach.
- Zoom backtracks on recent data privacy changes in its terms of service.
- More on the massive Northern Ireland police data leak.
- A campaign against VPNs.
- Yandex and its data handling practices.
Update on the MSU MOVEit data breach.
As we noted previously, US college Michigan State University (MSU) disclosed it was impacted by the breaches of National Student Clearinghouse (NSC) and Teachers Insurance and Annuity Association of America (TIAA) as a result of the mass-hack targeting the MOVEit file transfer application. The Michigan Department of Attorney General reports that NSC and TIAA will be providing MSU with a list of students or retirees who might have been affected by the breach. As well, NSC has created a webpage for students looking for information on the breach, and TIAA’s partner, Pension Benefit Information, LLC, created a similar site with information for retirees. Attorney General Nessel stated, “These kinds of attacks are becoming more common and wider-reaching, and the broad community of MSU students, staff, and retirees should take very seriously any indication that their data was stolen. Any Michigan resident who believes their information might have been compromised or that they are the victims of identity theft can contact the consumer protection team in my office.”
Zoom backtracks on recent data privacy changes in its terms of service.
The pandemic forced nearly every remote worker to become an expert in using Zoom, and now the videotelephony software program is facing scrutiny for its data privacy practices. In March Zoom quietly updated its Terms of Service (ToS), giving the platform the rights to users’ video, audio, and chat data for its artificial intelligence programs. The terms state, "Zoom may redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content." When the changes came to light, ZDNet reports, users began to express their concerns on public forums, one person likening Zoom’s actions to those of “dystopian overlords.”
In an effort to alleviate these worries, Zoom recently revised the ToS, which now read, "Notwithstanding the above, Zoom will not use audio, video, or chat Customer Content to train our artificial intelligence models without your consent." Zoom's Chief Product Officer Smita Hashim also published a blog post saying the company will not actually employ user content for the practices stated in the ToS, but legal experts say this last-minute shift is nothing more than an attempt to appease the masses. Sean Hogle, a business and intellectual property attorney, explains, “Zoom's lawyers are trying to pull a fast one with these revised Terms. The new sentence on user consent being required to train AIs applies only to 'Customer Content,' not 'Service Generated Data.' … This 'clarification' does nothing meaningful to assuage the serious data privacy concerns posed by Zoom's use of captured user video content."
(Added 4:45 PM ET, August 10th, 2023.) Allen Drennan, Co-Founder & Principal at Cordoniq, sees the incident as a foreshadowing of similar conflicts to come. "As major companies are rushing to add AI relevance to their product portfolio and thereby boost their overall value in the marketplace, businesses whose primary source of information is customer derived are going to be caught in a struggle between doing what is right in protecting their own customers’ privacy and the demand from shareholders to aggressively attack emerging AI opportunities. We are going to see more of these issues over the next year that pit user content and content creators against big tech."
More on the massive Northern Ireland police data leak.
As we saw yesterday, the Police Service of Northern Ireland (PSNI) has disclosed that the private info of all 10,000 of the force's serving officers and staff was accidentally leaked to the public when an employee made an error in responding to a freedom of information (FoI) request. BBC News explains that on August 3 a member of the public simply asked for the number of officers at each rank and the number of staff at each grade. Instead of simply responding with the requested numbers, a PSNI employee supplied a detailed Excel spreadsheet complete with the officers' names, ranks, and locations, which was then published on a public FoI website. When the error was discovered two-and-a-half hours later, PSNI had the info taken down, but it’s unclear who might have seen the data during that window. Lawyer and data protection expert Ibrahim Hasan explains, "It's important to bear in mind all public sector organisations receive such requests for information… usually these are routinely dealt with quite easily without disclosing any personal data.”
As CNN notes, the leak is especially damaging because Northern Ireland police are regularly the targets of violence due to conflict over British rule in the region, and just last February a serving Northern Irish police officer was shot multiple times by members of the paramilitary group the Irish Republican Army. Chris Todd, PSNI’s senior information risk owner, stated in a news conference on Tuesday, “We operate in an environment at the moment where there is a severe threat to our colleagues from Northern Ireland-related terrorism, and this is the last thing that anybody in the organization wants to be hearing this evening.”
Dark Reading adds that the breach occurred just a day after a cyberattack on the Electoral Commission, which raises major questions about the effectiveness of cybersecurity protections in the UK. Channel 4 News spoke with Information Commissioner John Edwards about both incidents. When asked what actions will be taken in response to the PSNI leak, he stated, “It’s a little bit early to start talking about penalties when we haven’t actually established culpability, and it’s really important that we allow PSNI to examine the situation themselves and that we extend to them the natural justice we expect.”
A police source says impacted police officers working with the UK’s security service MI5 might have to change jobs or relocate in order to protect themselves from the fallout of the leak. Dozens of officers located at MI5’s Northern Irish headquarters at Palace Barracks, Holywood, assist MI5 on raids and surveillance operations and supply the service with local intel, and some of them might even be forced to leave their positions, as their roles were completely confidential up until now. The source told the Telegraph, “This could be dynamite in the wrong hands.” Comparing the recent leak to the massive 2002 breach at Castlereagh, one of Northern Ireland's most fortified police bases, the source stated, “It makes Castlereagh look like Mickey Mouse.”
As if this leak weren’t enough, the Belfast Telegraph reports that a PSNI-issued laptop and documents containing data on officers and staff were stolen last month. PSNI Senior Information Risk Owner (SIRO), Assistant Chief Constable Chris Todd explained, "Police are investigating the circumstances surrounding the theft of documents, including a spreadsheet containing the names of over 200 serving officers and staff.” The Information Commissioner's Office has confirmed it was informed of the theft and is investigating.
A campaign against VPNs.
In its morning situation report the UK's Ministry of Defence described the Russian government's renewed campaign against virtual private networks. "Over the last week, the Russian authorities have likely increased their ongoing efforts to disrupt Russian citizens’ access to Virtual Private Networks (VPNs). Reports suggest many of the most popular VPNs have become unusable in some regions of Russia. VPNs allow users to obfuscate their access to the internet, to maintain privacy and to bypass state-imposed censorship. VPNs are hugely popular in Russia, despite being illegal since 2017. They allow users to access objective international news sources, including about the war in Ukraine. VPNs likely represent the greatest single vulnerability within the Russian state’s attempts at pervasive domestic information control. As well as increased technical disruption, the Russian state has also launched a public information campaign, attempting to scare citizens into avoiding VPNs by claiming they put their personal data at risk."
Yandex and its data handling practices.
Finnish and Norwegian regulators, the Wall Street Journal reports, have warned that data transfers into Russia may violate privacy regulations. They've directed the ride-hailing service Yango to stop transferring customer data to Russia. It's part of a larger problem. Yango is owned by Yandex, often called "the Russian Google," and the data it collects are in principle accessible to the FSB. Yandex denies, the Record reports, that the FSB would have access to data collected in other countries, but that reassurance hasn't allayed concerns about data security. Like other search companies that realize revenue from advertising, Yandex collects a great deal of user data. A leak of the company's source code early this year, WIRED says, shows how extensive that collection is.