Warning on how data from women’s apps is being used, a penalty for using facial recognition in a school, and careless document filing leads to a data breach.
Welcome to Cyber Security Today. It’s Wednesday September 11th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Free mobile apps seem like a good deal. But if an app is free to use, how does the company behind it get revenue to pay employees? Often by selling data the app collects about you to another company, which then uses it for targeted ads. I’m telling you about this after news of a study by Privacy International, which found the health data of women who use two apps for tracking their periods was being sent to Facebook. In fact some apps started notifying Facebook that a new user had opened the app before she had a chance to agree to any data sharing policy. If you use apps like these, data you enter, like the last time you had sex or whether it was unprotected sex, may go to Facebook or other partners of the app. The question is, why?
Women may or may not have understood this is going on if they read the apps’ privacy policies. Some policies are vague and don’t specify who gets the data. According to the report, this is big business: Knowing an app user is pregnant, for example, is worth a lot to an advertiser.
One app studied is called Maya. Shown the report before publication, the company quickly updated the software to remove some, but not all, of what it sends to Facebook. It insists no personally identifiable data or identifiable medical data is sent to Facebook’s ad service. It also says those using the paid version of Maya can opt out of seeing ads.
If you’re a woman and you use an app like this you may be interested in what it collects and where it goes. You can find the report on the web site at PrivacyInternational.org.
Facial recognition technology, which scans your face for a match, can be legitimate in certain circumstances. For example, limiting access to an organization’s sensitive financial applications or to places like a data centre. But what about wider use of facial recognition for all employees, like in hallways of companies or schools? A fine recently levied against a school in Sweden by the privacy regulator there should make organizations think carefully. Essentially the ruling says even if students agree to the broad use of facial recognition in school, it isn’t freely informed consent — because they’re students. Teachers have power over them. That same logic will likely apply to company employees. They can’t freely consent to the broad use of facial recognition because management has power over them. Privacy laws in Canada and the U.S. may be different from those in Europe, but as the use of facial recognition technology spreads, organizations have to think carefully about where and when it should be used.
Another one of those oopsy moments. A security researcher named Daley Bee discovered a vulnerability in the web page numbering at Verizon Wireless. If a hacker could access the password-protected site — and Bee did because someone’s password wasn’t strong enough — they could have accessed copies of subscriber contracts with their names, addresses and cellphone numbers. The problem was the web page address of each document had a unique number for each contract. Change the number and you see a different subscriber’s information. According to SecurityWeek that bug has now been fixed. It’s something I’ve warned about before: Even if access is password-protected, documents available on the Internet have to be stored in a way that someone can only see what they are allowed to.
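The flaw described in the Verizon Wireless story is what application security people call an insecure direct object reference: the site checked that you were logged in, but not that the contract number in the address belonged to you. The example below is added here to show the difference between those two checks; it is not Verizon’s code or anything from SecurityWeek’s report. The contract records, subscriber names and numbers are constructed for illustration, and the function names are my own.

```python
"""Insecure direct object reference (IDOR) on sequential document ids.

Added example, not code from Verizon Wireless or the podcast. Records,
names, ids and function names below are constructed for illustration.
"""
import secrets

# Constructed sample data: each contract belongs to exactly one subscriber.
CONTRACTS = {
    1001: {"owner": "alice", "name": "Alice Example", "phone": "555-0101"},
    1002: {"owner": "bob",   "name": "Bob Example",   "phone": "555-0102"},
    1003: {"owner": "carol", "name": "Carol Example", "phone": "555-0103"},
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for a document they do not own."""


def get_contract_vulnerable(session_user, contract_id):
    """Before: the only gate is 'is the user logged in?'.

    Any authenticated user who changes the number in the URL gets someone
    else's contract, which is the flaw described in the story.
    """
    if session_user is None:
        raise PermissionError("login required")
    return CONTRACTS.get(contract_id)


def get_contract_fixed(session_user, contract_id):
    """After: authorization is checked per object, not just per session.

    The lookup and the ownership check happen together, and a document that
    exists but belongs to someone else is reported exactly like a missing
    one, so the response cannot be used to enumerate valid ids.
    """
    if session_user is None:
        raise PermissionError("login required")
    contract = CONTRACTS.get(contract_id)
    if contract is None or contract["owner"] != session_user:
        raise Forbidden("no such contract for this user")
    return contract


# Defence in depth: expose unguessable handles instead of sequential ids.
# This does not replace the ownership check above; it only removes the
# "change the number and see the next subscriber" convenience.
_HANDLES = {}


def issue_handle(contract_id):
    """Mint a random, opaque handle that maps to a contract id."""
    handle = secrets.token_urlsafe(16)
    _HANDLES[handle] = contract_id
    return handle


def get_contract_by_handle(session_user, handle):
    """Resolve a handle, then apply the same per-object authorization."""
    contract_id = _HANDLES.get(handle)
    if contract_id is None:
        raise Forbidden("no such contract for this user")
    return get_contract_fixed(session_user, contract_id)


def probe(fetch, session_user, contract_id):
    """Return 'ok' or 'forbidden' for a lookup, to compare both versions."""
    try:
        fetch(session_user, contract_id)
        return "ok"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Alice, logged in, asks for Bob's contract number.
    print("vulnerable:", probe(get_contract_vulnerable, "alice", 1002))  # ok
    print("fixed:     ", probe(get_contract_fixed, "alice", 1002))       # forbidden
```

The important line is the one that compares `contract["owner"]` with the session user: the check has to be made against the object being fetched, on every request, not once at login. The opaque handle is a nice addition, but on its own it is only obscurity; a leaked handle would still need the ownership check to stop it from being reused by someone else.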
By the way, Bee got into the Verizon Wireless system by using what’s called a brute force attack. It’s an automated attack that tries combinations of hundreds of thousands of stolen usernames and passwords until one is right. Companies should have defences that stop automated attempts like this. That includes setting up multi-factor authentication so passwords alone don’t get you into a web site. You, listener, have a responsibility, too. Make sure you don’t use the same password on more than one site. That way if your credentials for one are stolen they can’t be used to help a hacker break in elsewhere. Use a password manager to keep track of all your passwords.
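The automated attack described above has a recognizable shape in an authentication log: one source, a large number of failures in a short time, and a different username on almost every attempt, because the attacker is trying one stolen password per account rather than many passwords against one account. The script below is an added example of the kind of detection a company can run over its own logs; it is not Verizon’s tooling or anything from the story. The log format, the IP addresses and the usernames are constructed, and the thresholds are assumptions to be tuned for a real site.

```python
"""Flag credential-stuffing style login bursts in an authentication log.

Added example, not code from Verizon Wireless or the podcast. The log
format ("timestamp ip user result"), the addresses, the usernames and the
thresholds are all constructed or assumed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample: one automated source cycling through a stolen
    list (and eventually hitting a valid pair), plus one real user who
    mistypes a password twice. Not real data."""
    t0 = datetime(2019, 9, 10, 8, 0, 0)
    lines = []
    for i in range(25):
        ts = t0 + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 user{i:02d} FAIL")
    lines.append(f"{(t0 + timedelta(seconds=78)).isoformat()} 203.0.113.7 user25 OK")
    for j, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = t0 + timedelta(minutes=1, seconds=20 * j)
        lines.append(f"{ts.isoformat()} 198.51.100.4 dave {result}")
    return lines


def parse(lines):
    """Turn 'timestamp ip user result' lines into sorted event tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort()
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_failures=20, min_users=10):
    """Return {ip: {"failures", "distinct_users", "success_after"}} for
    sources whose failed logins inside a sliding `window` reach
    `min_failures` across at least `min_users` different usernames.

    The distinct-user condition is what separates a stolen-credential list
    from a single user (or a password-guessing bot) hammering one account.
    `success_after` records the first username that succeeded from a
    flagged source, which is the account to lock and notify.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        recent = deque()  # failures currently inside the sliding window
        for ts, _, user, result in evs:
            if result == "FAIL":
                recent.append((ts, user))
                while recent and ts - recent[0][0] > window:
                    recent.popleft()
                users = {u for _, u in recent}
                if len(recent) >= min_failures and len(users) >= min_users:
                    flagged[ip] = {"failures": len(recent),
                                   "distinct_users": len(users),
                                   "success_after": None}
            elif (result == "OK" and ip in flagged
                  and flagged[ip]["success_after"] is None):
                flagged[ip]["success_after"] = user
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse(constructed_log())).items():
        print(ip, info)
```

Run on the constructed log, the script flags only `203.0.113.7`, with 25 failures across 25 usernames and a first success for `user25`; the real user at `198.51.100.4` stays below the threshold. In production the same logic would be fed from the web server or identity provider logs and the flagged source rate-limited or challenged, which is exactly the kind of defence against automated attempts the story calls for, alongside multi-factor authentication so a stolen password alone is not enough.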
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.