Privacy of mobile apps questioned, models at risk on adult sites, medical images poorly protected and no hiding from this court
Welcome to Cyber Security Today. It’s Friday January 17th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
The world is awash with mobile apps promising to help make your life better, but at what price? A report out this week by the Norwegian Consumer Council suggests too many apps give away too much of your personal data to companies you may not know about. It looked at 10 apps including the dating app Grindr, a makeup app called Perfect365 and a women’s period tracker called MyDays and found problems: Almost all sent personal and location data to advertising and analytics firms. In one case an app sent out user opinions on sexuality, drug use and politics.
There are two questions raised in this report: Do these practices violate the rules of the European Union’s new privacy regulations and do subscribers know what is being collected about them and where it goes? The report argues the online marketing and ad industry is out of control, that comprehensive tracking and profiling of consumers is exploitive and possibly illegal. One of the apps studied objected to the conclusions; others said they follow industry best practices. Every time you download an app you should ask if it is needed, whether the app lets you limit what data can go to third parties and what the developer does with your data. A link to the full report is in the text version of this podcast at ITWorldCanada.com.
Some people think it’s fine to earn money by posing naked or semi-undressed on adult websites. That may be okay if the site has iron-clad security. But if it doesn’t, participants could be embarrassed, or worse. This week researchers at the security firm vpnMentor found an unsecured database holding personal data, photos and videos on over 4,000 models from around the world belonging to a company that hosts several of these viewing sites. Some of these sites demand a model release document with personal details providing proof of age. So imagine what can happen if someone sinister gets hold of sensitive images along with names, birthdates, drivers’ licences, social security numbers, passport numbers and the like. I don’t know who’s more foolish: These so-called models could now be impersonated or blackmailed. It isn’t known if criminals were also able to find and access this database.
Speaking of companies that don’t protect personal data very well, they may include your doctor’s office, medical imaging labs and hospitals. That’s the conclusion of an updated global study by a German company called Greenbone Networks of Internet-connected servers holding x-rays and other image scans. The original study released last year found over 100 poorly secured systems with tens of thousands of images that could have been copied by anyone. Having been given a warning, some countries acted: The latest search found 172 of these vulnerable servers have been taken offline. The bad news is 129 more vulnerable servers have been found holding tens of millions of data records. Among the countries with the most unprotected servers: The United States, India, South Africa, Brazil and Ecuador.
What should hospitals, clinics and medical service providers do? Make a list of all computers, servers and devices linked to the Internet and make sure they are password protected. Devices that hold medical information should be encrypted.
The Internet allows users anonymity: You don’t have to use your real name in email, forum postings and texts. But that doesn’t mean you can get away with smearing someone. A Canadian judge ruled this week that 12 people will have to pay thousands of dollars in damages for making defamatory comments about two officials of a drug company on an investment forum. The thing is, the victims don’t know the real names of all the posters, who used aliases. However, using a court order they did get the email addresses from the company hosting the forum for all but one of them. Then the victims sent notices of a lawsuit to each. Only one responded. Usually statements of claim have to be served personally. However, the judge in this case ruled that email communication was enough. Now the victims may not be able to track down the real posters and may not be able to collect the damages. And this case only applies in the Canadian province of Ontario. But it serves as a warning: You may be held to account for what you write online.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.