Pete Recommends – Weekly highlights on cybersecurity issues – October 8, 2022

Subject: Does Biometric Verification Violate Workers Rights?

To help employers better understand this trade-off between privacy and security, we spoke to businesses currently using the technology (as well as some that have recently ditched it), to understand the ethical, practical, and legal implications of using biometrics in the workplace.

Compared to other types of personal data, biometric information is permanent and unchangeable. This places it at higher risk of being used for identity theft, identity-based attacks, and tracking and surveillance. This contradiction is summed up by Collado again, who adds “The irony of using biometrics is it both increases the security of your work access and risks the security of your personal information”.

Subject: Russians dodging mobilization behind flourishing scam market
Source: BleepingComputer

Ever since Russian president Vladimir Putin ordered partial mobilization after facing setbacks on the Ukrainian front, men in Russia and the state’s conscript officers have been playing a ‘cat and mouse’ game involving technology and cybercrime services. More specifically, many Russian men eligible for enlistment have resorted to illegal channels that provide them with fabricated exemptions, while those fleeing the country to neighboring regions turn to identity-masking tools.

This situation has created a highly lucrative environment for sellers of illicit services to flourish. Similarly, scammers and fraudsters also see an excellent opportunity to exploit panicking people in a great hurry.

Subject: Your Router Is Collecting Data. Here’s What to Know, and How to Protect Your Privacy
Source: CNET via beSpacific

CNET – Ry Crist: “Your home’s Wi-Fi router is the central hub of your home network, which means that all of the traffic from all of the Wi-Fi devices under your roof passes through it on its way to the cloud. That’s a lot of data — enough so to make privacy a reasonable point of concern when you’re picking one out. The problem is that it’s next to impossible for the average consumer to glean very much about the privacy practices of the companies that make and sell routers. Data-collection practices are complicated to begin with, and most privacy policies do a poor job of shedding light on them. Working up the will to read through the lengthy legal-speak that fills them is no small task for a single manufacturer, let alone several of them. Even if you make it that far, you’re likely to end up with more questions than answers. Fortunately, I have a strong stomach for fine print, and after spending the last few years testing and reviewing routers here on CNET, most manufacturers tend to respond to my emails when I have questions. So, I set out to dig into the details of what these routers are doing with your data — here’s what I found…”

Subject: Google Only Tweaks Location History Description After Lawsuit
Source: Gizmodo

Two years ago, the Arizona Attorney General sued Google for allegedly tricking people into giving up their location data, even after they tried to turn off the company’s location data settings. Google agreed to pay $85 million to settle the lawsuit this week and fix an incorrect description of what its Location History setting actually does. The search giant tried to demystify its handling of your location data a bit. Experts and Gizmodo’s own attempts suggest the company’s success was middling at best and intentionally confusing at worst.

Google has a setting called Location History. It controls whether or not Google makes a nice little map you can look at with a list of where you’ve been. What it doesn’t control is whether Google collects your location data. It used to be pretty hard to figure that out; for years the company’s help page said “With Location History off, the places you go are no longer stored.” If you wanted to stop location data collection altogether, though, you had to adjust a second setting, called Web & App Activity.

That’s still true. Location History still doesn’t turn off location data collection, the only thing that’s changed is Google’s description of what the setting does. Google did not respond to a request for comment.

Now when you turn off Location History, you see a popup—which starts by telling you about all reasons you should leave the setting on—and then mentions in paragraph three of six that “This setting does not affect other location services on your device.”

The real problem for privacy fans is there are very few laws about how companies handle your data in the United States. The government has come closer than ever to passing a comprehensive privacy law this year, but it’s stalled in Congress, and it’s likely to get watered down if it ever passes.

For now, it’s business as usual. Companies can basically do whatever they want with your data. They can’t lie to you about it, but they can make it quite difficult to determine the truth.

Subject: Uber’s former security chief guilty in data breach coverup

Oct. 6 (UPI) — Uber Technologies Inc.’s former security chief has been convicted of criminal obstruction for failing to report a massive data breach to federal authorities six years ago.

A jury in San Francisco federal court found Joseph Sullivan guilty Wednesday following a three-week trial that focused on how cybersecurity teams respond to hacking incidents, as well as Sullivan’s decision not to disclose the ride-share giant’s security lapse in 2016.

Sullivan, who was convicted of both charges against him, faces five years in prison for obstructing a government investigation and up to three years in prison for concealing the breach that compromised the personal data of 50 million customers and 7 million drivers.

Sullivan’s lawyers argued that he actually protected the millions of customer and driver records after they were accessed by an anonymous hacker who demanded $100,000. The money was paid by Sullivan’s team as a “bug bounty” to prevent the hackers from disclosing they had stolen the data. Sullivan claimed other executives at Uber knew about the hack, but chose not to tell regulators for more than a year.
