Privacy News: December 5

Killer robots, a new deadline for Real ID, effective privacy organizing, security cameras with a data leak, Mastodon, and more!

DHS resets the clock on its threat to stop flyers without ID

Edward Hasbrouck on Papers Please (papersplease.org)

The Department of Homeland Security (DHS) has pushed back the requirement to use a “Real ID” license for boarding domestic flights to May 7, 2025.

“The change announced today — only the most recent in a seemingly endless series of postponed empty REAL-ID threats — again postpones, but does not withdraw, the DHS threat to start preventing people without ID from traveling by airline within the US.”

When I was discussing this with a Congressional staffer before Thanksgiving, I mentioned that I’ve been involved in activism against Real ID for over 20 years – back in 2005, Stop Real ID Now was one of the first privacy activism campaigns to use social networks, and there was such a flurry of last-minute comments that it overwhelmed the Federal Register’s fax machines. In Real ID requirement for air travel delayed, again on the Washington Post, Luz Lazo reports that as of a few months ago, only 49% of state-issued IDs are Real-ID compliant. Mine most emphatically is not!

ALSO: DHS Announces Extension of REAL ID Full Enforcement Deadline | Homeland Security, Department of Homeland Security (dhs.gov)

It’s Not Science, Just Surveillance (and it’s Under Your Desk)

Max von Hippel, Tech Workers Coalition (techworkerscoalition.org)

In October, Northeastern University installed motion sensors under all the desks in the Interdisciplinary Science & Engineering Complex (ISEC) – without letting students know in advance, let alone getting IRB approval or students’ consent. Von Hippel writes:

“The alleged reason for the sensors was to conduct a study on desk usage. Reader, we have assigned desks, and we use a key-card to get into the room, so, they already know how and when we use our desks. Most likely the sensors were installed as part of a coordinated effort to push us out of our existing work-space, or to make us share our desks with other students via a hotelling system, an en-vogue new cost-saving measure that’s terrible for research.”

Unsurprisingly, students pushed back. Von Hippel’s Twitter thread has a good timeline. Students removed all the sensors and turned them into a public art piece. Eventually, the university backed down.

ALSO: ‘NO’: Grad Students Analyze, Hack, and Remove Under-Desk Surveillance Devices Designed to Track Them, Edward Ongweso Jr on VICE Motherboard (vice.com)

Maria Diaz on ZDNET (zdnet.com)

Eufy’s home page tells customers they can “keep privacy in their own hands” … but no.  Security researcher Paul Moore has discovered that Eufy uploads video thumbnails and photos of the faces of people detected in the video to the cloud – even when the option to use cloud storage was disabled.  Not only that, it turns out that anybody could potentially access a Eufy camera without authentication or encryption by using VLC remotely.  Yikes.

ALSO: Anker’s Eufy security cameras hit with new privacy brouhaha, Ben Patterson on TechHive (techhive.com)

Mastodon

How secure a Twitter replacement is Mastodon? Let us count the ways

Dan Goodin, Ars Technica (arstechnica.com)

A good look at the security issues related to Mastodon, with perspectives from a range of experts – including me!  Goodin discusses the impact of Mastodon not having a security team, the lack of any security auditing, the recent misconfiguration vulnerability in multiple instances that allowed for the downloading and deleting of all files stored on the server and replacing every user’s profile picture, and other issues as well.

“On personal security, there aren’t a lot of protections against harassment,” said Jon Pincus of the Nexus of Privacy. “Many instances aren’t well-moderated (including mastodon.social, which [Mastodon creator] Eugen [Rochko] runs). Even well-moderated instances can be overwhelmed by determined attacks.”

Obviously, I’m still using Mastodon despite the security issues.  I see it pretty much the same way as Kevin Beaumont, a security professional and admin for the cyberplace.social instance Goodin also quotes:

“My take is the same as Twitter. Don’t write anything on social media you wouldn’t write in public. Much like Twitter handles direct messages without encryption, Mastodon messages aren’t encrypted either.”

Mastodon privacy: you can’t really opt out of search engine indexing

Jon Pincus, The Nexus of Privacy (privacy.thenexus.today)

There are a lot of reasons people might not want their posts on a social network to be indexed by search engines.   Too bad Mastodon’s “opt out” doesn’t actually opt you out.

And …

Chinese security firm advertises ethnicity recognition technology while facing UK ban

Alex Hern on The Guardian (theguardian.com)

Campaigners concerned that ‘same racist technology used to repress Uyghurs is being marketed in Britain’

Effective Altruism Is Pushing a Dangerous Brand of ‘AI Safety’

Timnit Gebru on WIRED (wired.com)

This philosophy—supported by tech figures like Sam Bankman-Fried—fuels the AI research agenda, creating a harmful system in the name of saving humanity

Meredith Whittaker Shares What’s Next for Signal

Billy Perrigo on Time (time.com)

Whittaker spoke to TIME about the state of the tech landscape, where Signal is going next and the crypto meltdown.

Garante privacy issues a 2 million fine to Clubhouse, the voice-chat social network

on Garante Privacy (gpdp.it)

Why automating trucking is harder than you think

David Zipper on The Verge (theverge.com)

Autonomous trucks are probably further out than we think.

Buddi Limited – Immigration Enforcement’s favourite tracking buddy

on Privacy International (privacyinternational.org)

Since early 2021, PI have been investigating and challenging the latest stride in the UK’s cruel migration policies: the roll-out of GPS ankle tags to monitor migrants released on immigration bail, a dehumanising,

CCTV in classrooms does not violate right to privacy: Delhi govt to HC

IANS on Business Standard (business-standard.com)

The Delhi government recently told the High Court that one major reason behind its 2017 decision is to save and secure students from sexual abuse and bullying

Let Data Breach Victims Sue Marriott

Adam Schwartz and Cindy Cohn on Electronic Frontier Foundation (eff.org)

A company harvested your personal data, but failed to take basic steps to secure it. So thieves stole it. Now you’ve lost control of your data, and you’re at greater risk of identity theft. But when you sue the negligent company, they say you haven’t really been injured, so you don’t belong in…

France’s CNIL Fines Discord €800,000 for GDPR Violations

Scott Ikeda on CPO Magazine (cpomagazine.com)

Though the fine is not one of the largest issued by CNIL (or for general GDPR violations across the bloc), the case is noteworthy in that Discord is mostly being taken to task for not providing default or built-in security options rather than the fallout of a specific data breach.

Contending with data privacy concerns in 5 charts

Sara Lebow on Insider Intelligence (insiderintelligence.com)

Apple’s AppTrackingTransparency, Google’s cookie deprecation, and the impending threat of regulation are challenging data collection. Trust in social platforms is declining. As consumers shy from sharing information, marketers need to meet customers where they’re comfortable.

Companies use design to take our time, money and personal data

Øyvind Kaldestad on Forbrukerrådet (forbrukerradet.no)

Many companies use deceptive design to hold on to customers, increase sales, or acquire personal data. In many cases, this is illegal, the Norwegian Consumer Council says.

Can the U.S. and Europe Agree on Rules for AI?

Caitlin Hamilton on Techonomy (techonomy.com)

As EU and U.S. leaders meet in Washington at a joint Trade and Technology Council, there is great need for a proposed “transatlantic accord on artificial intelligence.” But the two sides have differing agendas, and agreement is uncertain.

Data-driven Health Marketing Surveillance in the U.S.

on Center for Digital Democracy (democraticmedia.org)

Making Government Data Publicly Available: Guidance for Agencies on Releasing Data Responsibly

Hugh Grant-Chapman, Hannah Quay-de la Vallee on Center for Democracy and Technology (cdt.org)

Government agencies rely on a wide range of data to effectively deliver services to the populations with which they engage. Civic-minded advocates frequently argue that the public benefits of this data can be better harnessed by making it available for public access. Recent years, however, have also…

International Coalition of Rights Groups Call on Internet Infrastructure Providers to Avoid Content Policing

Paige Collings on Electronic Frontier Foundation (eff.org)

San Francisco—Internet infrastructure services—the heart of a secure and resilient internet where free speech and expression flows—should continue to focus their energy on making the web an essential resource for users and, with rare exceptions, avoid content policing. Such intervention often…

How to Make a Mastodon Account and Join the Fediverse

Rory Mir on Electronic Frontier Foundation (eff.org)

The recent chaos at Twitter is a reminder that when you rely on a social media platform, you’re putting your voice, your privacy, and your safety in the hands of the people who run that system. Many people are looking to Mastodon as a backup or replacement for Twitter, and this guide will walk you t…

The EU AI Act: A discussion with MEP and co-rapporteur Dragoș Tudorache

on International Association of Privacy Professionals (iapp.org)

IAPP Editorial Director Jedidiah Bracy speaks with EU AI Act Co-rapporteur and Romanian MEP Dragoș Tudorache about the state of play of the proposed legislation

Consumers in three recent biometric data privacy cases seek class action status

Jim Nash on BiometricUpdate.com (biometricupdate.com)

Three proposed U.S. class actions involving alleged biometric privacy violations are churning between Chicago and New Orleans.

Privacy Rights in a Remote Work World: Can My Employer Monitor My Activity?

Bonnie Henry on The National Law Review (natlawreview.com)

The rise in remote work has brought with it a rise in employee monitoring.  Between 2019 and 2021, the percentage of employees working primarily from home tripled.  As “produ

The biggest security risks of using fitness trackers and apps to monitor your health

Cheryl Winokur Munk on CNBC (cnbc.com)

Fitness trackers and apps from Google’s Fitbit to Apple Watch and Strava help stay on top of health and wellness, but secure personal data before sporting them.

How to stop Facebook Messenger spam from reaching you

Dave Johnson on Insider (businessinsider.com)

You can reject most or all spam messages in Facebook Messenger automatically by adjusting your privacy settings.

Brave starts showing “privacy-preserving” ads in search results

Sergiu Gatlan on BleepingComputer (bleepingcomputer.com)

Brave Software announced that, as part of a global beta program, it is now displaying “privacy-preserving ads” in-between results shown by its web search engine to select users.

Medibank faces formal privacy investigation

Staff Writer on iTnews (itnews.com.au)

And prospect of penalties.

India Requires Internet Services to Collect and Store Vast Amount of Customer Data, Building a Path to Mass Surveillance

Karen Gullo on Electronic Frontier Foundation (eff.org)

Privacy and online free expression are once again under threat in India, thanks to vaguely worded cybersecurity directions—promulgated by India’s Computer Emergency Response Team (CERT-In) earlier this year—that impose draconian mass surveillance obligations on internet services, threatening…

HHS Proposes to Align Federal Substance Use Disorder Law with HIPAA

Jennifer J. Hennessy on The National Law Review (natlawreview.com)

Proposed changes to the federal substance use disorder law will increase provider efficiency and alignment with the Health Insurance Portability and Accountability Act (HIPAA).

ICE data dump reveals PII of 6,000+ asylum seekers

Jessica Lyons Hardcastle on The Register (theregister.com)

Your tax dollars at work