Cross-Browser Tracking: It’s time to update your Privacy Policy!

by Paul Rubell, Esq.

It is remarkable that many companies do not know the vastness of private information they obtain from their social media and website. It is essential for every business to understand its legal responsibility to protect its customers’ personal information.

OLD NEWS: Web browsers can follow your voyage through the Internet. Firefox, Internet Explorer, Chrome and Safari can watch you jump from one website to the next as you journey across the hyperlinks. A company can incur legal liability when its social media, mobile apps and website obtain personal information while tracking you, and you run the risk of losing your legal right to maintain your privacy.

NEW NEWS: Web browsers have learned how to track your hyperlinks across browser platforms. Some of us keep browser windows open in multiple browsers at the same time to expedite surfing. For instance, I often run Firefox, Chrome and Safari at the same time. I like to study different subjects in alternate browsers but sometimes a hyperlink in one browser’s window will send me to the other browser’s window. This is important because suddenly two browsers can monitor your web movement as well as your jumps from, say, Firefox to Chrome and back. For example, Firefox will leave a digital “fingerprint” on a computing device when it visits a website. Through cross-browser tracking, another browser like Chrome can detect and use Firefox’s fingerprint when it runs on the same mobile device or computer. In this way, a company can continue to target advertisements to its users even if they change browsers.

Web tracking presents significant privacy law issues. A company can face business risks and legal responsibilities when it obtains personally identifiable information (PII) from people who visit its social media or website. This was true with older website tracking and it is just as true and even more important today with the advent of multiple-browser tracking. More and more private information will become susceptible to online harvesting and analysis.

United States and international laws protect individuals’ most private information including healthcare records, financial secrets and students’ education records. Your name, address, Social Security number and date of birth are unquestionably private and need to be protected. In contrast, some personal information may not seem private or important to you — but in the hands of a bad actor, your vacation schedule, your nephew’s name or the names of your online “friends” can become very valuable. Advertisers and consumer product companies want to obtain information about you. They see your world very differently than you do. They see your world as a dark secret waiting to be uncovered and sold for lawful reasons as well as for illegal purposes.

How can a business avoid liability for obtaining web tracking data from its social media or website? Full disclosure is the best way to avoid liability. It is essential to inform your customers and media users that your business collects private information from them. Once they have been notified, your customers will not be able to claim ignorance of your Internet practices and data retention policies. For this reason, your business needs a good Privacy Policy that specifically notifies users about what data your company collects and what it does with the data.

Do Not Track is an opt-out setting in most browsers that allows a user to electronically inform companies that she does not want to be tracked across the web on websites and social media. By turning on this setting, a user’s mobile device or computer will send a digital signal to websites and social media to inform them that she does not want to be tracked. According to Google, some websites respect Do Not Track requests and others do not. Compliance with Do Not Track is voluntary, not mandatory. As a result, even when a user sends a digital no-track request, many websites will ignore the request and continue to collect all sorts of browsing data. A user is not able to force a website to stop tracking her or to know whether her digital footprints are being followed.

Today’s new cross-browser tracking technique is just another indication that data harvesting is here to stay. The challenge for any business is to avert online legal liability. One of the best ways for a company to protect itself from liability is by updating its Privacy Policy.  With an enhanced policy in place, every mobile user and social media consumer will understand the extent of a company’s collection of personal data. By disclosing this information to the public in a customized Privacy Policy, companies can mitigate their risk of litigation and adverse publicity.


The Internet of Things is not especially secure

by Paul Rubell, Esq.

Cameras and other surveillance devices are supposed to protect your home. It’s kind of bittersweet, then, that these devices are not especially secure themselves. Hackers can turn home protective devices such as cameras against their owners. IoT cameras can unlock the door to your home instead of safeguarding it.

Samsung’s SmartCam home security cameras have gained widespread popularity due to their smartphone control, ease of use, and versatility to connect and communicate with many IoT-enabled devices in one’s home. Unlike many competing cameras, Samsung’s computer memory stores home-based sensor data and video files locally on the device, and not in the cloud. (Recently Samsung launched a SmartCloud program to offer optional Internet storage.)


Despite corporate promises of security, Samsung’s cameras have been hacked by a group known as Exploitee.rs. The cameras contain computer code that is vulnerable to remote access. As a result, it is possible to control the camera from a faraway location and worse, to download and view video files that were intended to remain private on the device’s local hard drive.

The privacy law implications of these kinds of vulnerabilities are profound. What responsibility would Samsung have, if a home that is supposedly protected by a SmartCam is actually burglarized because of the information that the camera sent to the burglar? What if the burglary deteriorated into assault or murder or rape or kidnapping? Would Samsung be adjudged responsible by a judge? Will liability insurance protect Samsung from a lawsuit by an injured customer?

The problem facing Samsung is that it knows all about the hack. If you can program code, you can hack the camera easily. A video how-to guide shows you how to write the specific computer code needed to exploit the camera’s vulnerability and more importantly, how to debug the hack. All that is needed to take over the camera is the administrator’s password. The hack allows one to change the admin password without knowing the original password. By bypassing the password reset process, the camera can be accessed and used by a false administrator located thousands of miles away — or across the street from your home.

Exploitee.rs has created an entire webpage devoted to the Samsung SmartCam and its vulnerabilities. A word to the wise: before you entrust your home’s security to a camera, be sure that the camera itself is secure.

The legal implications of security vulnerability are only beginning to emerge. The Internet of Things is a game-changer in terms of challenging people’s privacy. The law needs to catch up with technology or bad actors will be free to harm our society.

 

 

 

 

Is the Internet of Things secure? United States says no, sues D-Link

by Paul Rubell, Esq.

Baby monitors, wi-fi routers and security cameras have one thing in common. These devices connect our homes to the Internet. We lock the doors to our houses. We close curtains in our living rooms and bedrooms to avert the gaze of peeping-Toms and criminals. Manufacturers of connected devices including D-Link advertise their built-in security features to demonstrate how their products protect consumers’ privacy. In January 2017 the Federal Trade Commission instituted a lawsuit against D-Link for false advertising. The FTC charged that D-Link’s “security” is weak and leaves consumers’ front doors wide open to hackers and thieves.


Widespread concerns about the insecurity of the Internet of Things spiraled in 2016 when Mark Zuckerberg disclosed that he covers the camera and microphone on his home laptop. If Mark is concerned about Big Brother and criminals snooping into his living room, we should probably all share his concern.


 

 

D-Link’s website headlined its IoT products as “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” The FTC has alleged that D-Link did not deploy even the most basic kinds of privacy features in its camera and router software. As examples, the devices contain hard-wired default usernames and passwords: username GUEST, password GUEST. According to the FTC:

“Hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.”

D-Link’s mobile app is called mydlink Lite. The app requires a user to enter a username and password the first time she deploys the app on a mobile device. After that first occasion, the app stores the user’s login credentials on her mobile device, so that the device keeps her logged on to the app. What’s more, the login information is stored in plain text so that it can be easily and clearly read by anyone snooping on the device.

In a similar case brought in 2016, the FTC sued Asus for its failure to employ reasonable security practices for its routers and cloud-enabled services and devices. The lawsuit charges that Asus:

“subjected consumers to substantial injury. Unauthorized access to sensitive personal information stored on attached USB storage devices, such as financial information, medical information, and private photos and videos, could lead to identity theft, extortion, fraud, or other harm….Consumers had little, if any, reason to know that their sensitive personal information and local networks were at risk.”

Asus’ devices contain a firmware upgrade tool to allow consumers to check whether their routers are using the most current firmware. When consumers click on the “Check” button, the tool indicates that the “router is checking the ASUS server for the firmware update.” However, the FTC found that the tool inaccurately notifies consumers that the router’s firmware is the latest version when in fact newer firmware with critical security updates is available. Asus settled the FTC’s enforcement action and agreed to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

Technology invites itself into our homes to make life easier and more enjoyable. Tech companies advertise that they add layers of security to protect consumers’ most private information such as finances and the most private places such as their babies’ nurseries and their own bedrooms. Do they? The US government does not think so.


 

 

 

 

News flash: Facebook hosts fake news. The Presidential election is hacked.

by Paul Rubell, Esq.

The “real” media has been broadcasting the woes of so-called “fake” news. What is fake news? Can any news story really be accurate yet unbiased? Is it possible for a reporter to write or read stories like Walter Cronkite once did, without giving them a spin or bias?

Fake news is not new. It has been around for hundreds of years since the dark days of the Gutenberg printing press. Yellow journalism in the mid-1800s used fake interviews, false experts and bogus stories to spark sympathy and rage as the media moguls desired.

In the 1950s, the villainous Senator Joseph McCarthy manipulated the media to report his own skewed version of newsworthy facts.

In 1835, the New York Sun claimed there was life on the Moon.

Benjamin Franklin wrote fake propaganda stories about British and Native American violence towards American settlers to stir up popular sentiment.

The National Enquirer has routinely reported sensational news for decades that is flat-out untrue.

So what is different about today’s fake news and the false reporting that we have witnessed for centuries? Social media has made fake news more widespread. Many of Facebook’s 1.6 billion users look to social media as their primary source of information and news. The reach of fake news is long and so is its effect, just as it was in the 2016 Presidential election.

We have a President-elect who tweets and a voting public that takes the easy route to learning about the world around them. Facebook is not The New York Times. News is not supposed to be social, and the media is not supposed to socialize with newsworthy subjects. Social media is not news. It is neither educational nor reliable.

Here in America, Land of the Free, the 1st Amendment prohibits any restrictions on the content of a news article or any other written or verbal statement. For instance, a fictional novel is by definition fake; it is not real. What else could the genre Fantasy and Science Fiction mean otherwise? Fake, false, made-up. The 1st Amendment’s broad umbrella also protects the free exercise of religious beliefs. Is the Bible or Koran fake, just because not everyone buys into the story? Some consider holy books to be literal; others learn from their parables, whether factually correct or instead symbolic lessons.

Is Russia the real problem with fake news? Or are we our own worst enemy? As a society, we are relying more and more upon social media to obtain news to help us make important decisions in an informed way. Maybe it is time to question why we spend so much time studying those Facebook feeds, texts, Snapchat streams and Twitter feeds.

 

 

Pebble Watch closes its doors for the last time

What a disappointment for the pioneer in wearable technology.  My Pebble Time Steel is on my wrist every day. I like it when my watch vibrates when my phone is ringing and when I receive a text message. In crowded places when you can’t hear your cellular device ring and can’t feel it vibrate — there’s nothing more useful than the vibration notification on your arm. Pebble’s tool pre-dates Apple WatchOS.

Pebble reminds me of the dot-com 1990s. A KickStarter success story, Pebble shipped more than 2 million watches around the world. Flying on top of the world as a wearable tech leader, Pebble turned down a $740 million offer from old-school watchmaker Citizen in 2015. Later, Intel offered to buy Pebble for $70 million. (The 90% decline in valuation was a harbinger of the north winds yet to come.) Ultimately, in a fire sale for about $35 million, FitBit purchased some of Pebble’s assets and its remaining business. How deja vu. I rode the tide of so many idea-to-billions-to-nothing cool tech companies during the Bubble that burst in 2000. Now, 16 years later, the song remains the same.

One of the reasons developers, makers and enthusiasts liked Pebble was that it ran open source software. Pebble’s platform was easy to build apps on, and in my experience, the apps ran quickly and smoothly. Unfortunately one of the downsides to open source code is that by definition it cannot be owned by anyone. The source code is in the public domain; good for developers and consumers but bad for investors. For Pebble, this means that there is no proprietary code that can be sold. Its cool technology is out there for the taking. Pebble does not own any code or apps that it can sell in liquidation.

Why did Pebble fail? Probably for the same reason that some great companies like Kodak failed. Was Kodak a camera (hardware) company? Was it a film (software) company? Or was it an image company (the Kodak moment, Simon and Garfunkel’s Kodachrome song)? Lesson learned:  You cannot rest your company’s laurels on its past success. New products that are nothing more than newer, smarter versions of prior products are not going to stop large companies with greater resources from passing you by on the highway to success. Another lesson learned: You can’t lose sight of your company’s self-identity. Who you are today is not who you will be tomorrow.


Pebble’s warranty is void. I hope my watch will never need repair. It’s been great for a long time.

 

 

Apple opens iOS 10 code: Why?

One of the guiding principles at Apple Inc. is to keep its software proprietary, closed and secret. Apple’s code is the antithesis to open source software. Steve Jobs zealously and jealously guarded Apple’s operating systems especially to prevent hackers, jailbreakers and the US and foreign governments from understanding exactly how Apple products function and operate. Tim Cook has followed in Steve’s path, securing Apple’s code and locking the door to outsiders.

Now comes the iPhone 7 and with it, a new mobile telephone operating system: iOS 10. To great surprise, the heart (called the kernel) of the computer program (called code) has been released without encryption. The kernel is a crucial part of the operating system. It manages security and restricts the ways that apps can access the hardware of the device.

The computing community initially thought that Apple had made a mistake by releasing its newest mobile iOS without imbedded security. Apple announced this week that it had not made a mistake.

According to the company’s spokesperson:

“The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security.”

Was the open kernel approach really taken for the purpose of optimization? Some industry observers don’t think so. With decryption, Apple wants to eliminate the United States government’s numerous requests and court orders directing it to create “back doors” that would allow the FBI to peer deeply into an iPhone and locate personally identifiable information about the iPhone’s owner. Court orders were issued in the aftermath of the San Bernardino massacre during 2015. Apple does not want to re-live that experience. It does not want to run the risk once again of a judge directing it to assist the government with accessing customers’ protected and personal information.

What better way to deter the government from compelling Apple to dig deep into iPhones and furnish protected information, than for computer gurus around the world to inspect the kernel code and write fixes and patches? Apple hopes that its code and encryption will be stronger with the input of outsiders.

The stronger the encryption, the more protected is the data that rests on the phone. In addition, if code is open and freely available, the FBI will not have to go to court seeking intrusive writs and orders directed against Apple, with all the notoriety and publicity that goes along with it.

For the sake of being complete and clear, Apple has not made iOS an open source computer language. It would be illegal and infringing to copy the code and use it for one’s own products.

Apple owns the code. Now, you can look at it.


 

 

Yahoo patents are for sale

Yahoo owns thousands of patents that are at the crossroads of the Internet. For decades Yahoo has dominated web marketing, search engine, social media, mobile and cloud technology. Yahoo was born at the inception of the 1990s dot-com boom. Jerry Yang and David Filo founded Yahoo in 1994 while they were electrical engineering students at Stanford University.

As a software development company, Yahoo is constantly designing new products and disruptive technologies. It is a prolific patent owner, having filed 112 patents between January and June 2016 alone!

In April 2016, Yahoo sold a vast patent portfolio to its subsidiary company Excalibur IP. The 3,000 patents are the backbone of Internet technology. You can buy them yourself for about $3 billion or so.

A patent troll would have a great time with Yahoo’s patents. Think of all the companies which could be sued for allegedly having infringed these foundational patents.

Hopefully an operating company with sufficient working capital will purchase the patents. We may witness the deployment of Yahoo’s software to build new and disruptive technologies.

The Internet of Things lies beyond. Yahoo, into whatever it eventually morphs, has done our planet a real service. Its patent portfolio will survive the likely demise of the moribund company. Yahoo lost sight of the goal line and lost its way.

Move over, Kodak. It’s time for another great company to lose its patents as its death knell approaches.

 

 

 

 

 

(c) Copyright 2016. Paul Rubell. All rights are reserved.