AT&T, Verizon and WhatsApp Flunk Privacy

An Electronic Frontier Foundation survey published last week gave AT&T, Verizon and WhatsApp the thumbs down when it comes to protecting user privacy. Google and Twitter also got a black eye.

The five were among 24 companies the EFF evaluated on criteria worked out over the past four years.

WhatsApp, now owned by Facebook, also took criticism in the EFF’s fifth annual report, Who Has Your Back?

On the plus side, nine companies — Adobe, Apple, Credo, Dropbox, Sonic, Wickr, Wikimedia, WordPress.com and Yahoo — received the top rating, five stars, in each category.

“While we’re happy that the tech industry has made great strides over the last few years, there’s still much to be done,” said EFF staff attorney Nate Cardozo.

The EFF’s Criteria

The EFF used five criteria to assess the practices and policies of the 24 participating companies:

  1. whether the company implements industry-accepted best practices, such as whether the company requires demands for customer data to be accompanied by a signed court warrant before handing over information, whether the company publishes a transparency report, and whether it publishes guides explaining how it responds to such demands;
  2. whether the company tells users about government requests for their data unless prohibited by law, or only in very narrow and defined emergency situations, or unless doing so would be futile or ineffective;
  3. whether the company publicly discloses its data retention policies;
  4. whether the company discloses how many times government bodies ask it to remove user content or accounts and how often it complies; and
  5. whether the company opposes backdoors.

Twenty-one of the 24 companies evaluated publicly opposed backdoors.

The Telco Walk of Shame

Verizon Wireless and AT&T scored especially poorly, continuing a years-long trend of telcos lagging behind the rest of the tech sector, the EFF noted.

“It’s great that AT&T and Verizon are releasing transparency reports in the wake of Snowden,” said EFF’s Cardozo, referring to NSA whistle-blower Edward Snowden’s massive leaks.

Still, “there’s absolutely no excuse for their silence on the issue of encryption and government-mandated backdoors,” he told the E-Commerce Times.

The companies’ behavior reflects a long-established pattern. Back in 2012, Verizon was blasted for bragging it was monitoring subscribers’ app usage and browsing habits.

In 2014, there was an uproar when news surfaced that Verizon Wireless and AT&T were using supercookies. Public outrage led both carriers to stop.

Further, AT&T readily handed over user data to the Bush administration on request.

“Both companies operate in heavily regulated areas and recognize that the government has unusual power over them,” explained Rob Enderle, principal at the Enderle Group.

“They are therefore used to complying with requests like this in order to avoid escalations that could massively damage their business models,” he told the E-Commerce Times.

WhatsApp, Doc?

The criticism of WhatsApp’s privacy practices also might have been expected.

The United States Federal Trade Commission last year warned Facebook and WhatsApp about their obligation to protect consumers’ privacy in advance of Facebook’s buying the smaller firm.

Facebook in 2011 settled FTC charges that it deceived consumers by not keeping its privacy promises.

Naked Security in January reported that WhatsApp’s then-new service, WhatsApp Web, had privacy holes that could expose photos sent from a user’s mobile device and then deleted.

The firm in February revealed that a WhatsApp feature let people track users’ status and any changes they made to their content and settings, even if they changed their privacy settings.

Reports in March indicated that WhatsApp’s 800 million users’ phones could be hijacked through the application.

Facebook should take the heat, Enderle said, because it’s the parent company, but “nothing should stop WhatsApp from taking action on its own.”

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

1 Comment

  • I think that none of those companies is really concerned with your privacy. They all start up as secured or private, and the next thing you know we see them getting busted. SnapChat and WhatsApp can’t be trusted; there is no such thing as a private text message, it’s all stored! Everyone who is still concerned with the privacy of their email communications should try ShazzleMail. It’s free private email, and they also have business and medical emails (HIPAA).


PII of Many Fortune 1000 Execs Exposed at Data Broker Sites

Research released Monday by a cybersecurity services provider reveals how widespread the risks are to executives and the organizations they ramrod from data brokers collecting sensitive data about them.

The provider, BlackCloak, published in a blog the results of an analysis of 750 of its customers, most of them executives and board members at Fortune 1000 or other large institutions. Among the company’s findings:

  • 99% of our executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100;
  • 70% of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook;
  • 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors;
  • On average, online data brokers maintained more than three personal email addresses for every executive record.

“While maintaining data on three personal email addresses may not seem that significant to the novice eye, access to any personal email address raises the risks of unauthorized access, fraud and impersonation emails, among other digital threats,” wrote BlackCloak Director of Marketing Evan Goldberg.

Home as Soft Underbelly

The research also found that 40% of online data brokers had the IP address of an executive’s home network. “Not only could you use address information held by the broker to physically go to an executive’s home, but you could use the IP address to digitally break into their home from anywhere in the world,” observed BlackCloak Founder and CEO Chris Pierson.

“We see corporate executives targeted all the time in their personal lives,” he told TechNewsWorld. “If you’re targeting the CEO of GE, are you going to hack him at his GE email address, where he’s protected by corporate cybersecurity, or are you going to target him at his Gmail account or his wife’s account or his kids’ accounts, and get a foothold in his home?”

“Because everyone has been working from home for the past two years, it’s created the home as the soft underbelly of the corporation,” he said.

“Data broker information has been leveraged to commit identity theft and unemployment fraud over the past two years,” he added.

Some of the risks cited by BlackCloak are overblown, maintained Daniel Castro, vice president of the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C.

“Data brokers are often selling data that is already public, such as information on voting records or campaign contributions,” he told TechNewsWorld.

“Similarly,” he continued, “information that is publicly accessible on social networks or on websites is not particularly sensitive.”

However, he acknowledged that cybercriminals can use that information to perpetrate phishing attacks and impersonate an executive.

Danger to Top Brass

“The reality is that data brokers present fertile grounds for hackers, abusers and stalkers,” observed Liz Miller, vice president and a principal analyst at Constellation Research, a technology research and advisory firm in Cupertino, Calif.

“Where else could you pay $29 for a complete dossier on an ex-girlfriend including current address and phone number, current associates residing in the same location and basic detail about that person?” she told TechNewsWorld. “When you actually think about what this intensely sensitive data can mean in the hands of someone with no moral or ethical compass, it should terrify people.”

Data brokers have only one reason for being, noted Greg Sterling, co-founder of Near Media, a news, commentary and analysis website. “Their raison d’être is to collect as much data on as many households and people as possible,” he told TechNewsWorld.

“By definition then, they expose and transfer information that individuals might not want exposed or sold, or that might be sold non-consensually or without knowledge of the individuals involved.”

Armen Najarian, chief identity officer at Outseer, a provider of payment fraud protection solutions in Bedford, Mass., maintained that data brokers present significant risks to executives. “In the digital era, data is power,” he told TechNewsWorld. “It’s dangerous for any company to have such detailed profiles of highly influential business professionals.”

“Often these profiles will include highly personal information, like income and assets, which are used by cybercriminals to target and steal a victim’s identity,” he continued.

“By studying the online behavior of these executives, fraudsters have an intimate look at what’s going on in these individuals’ lives, making it easier for them to deploy highly targeted attacks,” he added.

Not So Anonymous Anonymity

Some data brokers and applications justify their voracious appetite for data by claiming they only share anonymized information, a claim disputed by the Electronic Frontier Foundation in a July 2021 article on its website written by Gennie Gebhart and Bennett Cyphers.

“Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don’t include a legal name,” they wrote. “In particular, there’s no such thing as ‘anonymous’ location data. Data points like one’s home or workplace are identifiers themselves, and a malicious observer can connect movements to these and other destinations.”

“Another piece of the puzzle is the ad ID, another so-called ‘anonymous’ label that identifies a device,” they added. “Apps share ad IDs with third parties, and an entire industry of ‘identity resolution’ companies can readily link ad IDs to real people at scale.”

While governments in some other regions of the world have taken a harder line toward data brokers, that hasn’t been the case in the U.S. “It’s an area where the laws in the United States are not as robust as they could be,” Pierson said. “Over time, there have been a number of different legal proposals, but there have been no meaningful restrictions in what data brokers can do in the United States.”

“The best way to regulate data brokers would be to create a federal data privacy law that establishes basic consumer data rights, especially for sensitive personal data,” Castro advised. “Federal law is the best way to ensure that Americans have control of their information and avoids creating a complicated state-by-state patchwork of laws.”

“The U.S. government should absolutely consider enacting legislation to regulate data brokers,” added Najarian. “This is an issue that extends beyond Fortune 1000 executives. It affects every single person who uses the internet.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.


US-Led Seizure of RaidForums May Defy Lasting Effect on Security

The U.S. Department of Justice on Tuesday announced it seized the website and user database for RaidForums, a popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015.

The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud, and aggravated identity theft.

Coelho was arrested in the United Kingdom on Jan. 31, at the request of U.S. officials. He remains in custody pending the resolution of his extradition proceedings.

Court records unsealed Tuesday indicate that the United States recently obtained judicial authorization to seize three domains that long hosted the RaidForums website. These domains were “raidforums.com,” “Rf.ws,” and “Raid.lol.”

Officials unsealed a six-count indictment against Coelho in the Eastern District of Virginia in connection with his role as the chief administrator of RaidForums. According to the indictment, between Jan. 1, 2015, and on or about Jan. 31, 2022, Coelho allegedly controlled and served as the chief administrator of RaidForums, which he operated with the help of other website administrators.

Illegal Online Marketplace

Coelho and his co-conspirators are alleged to have designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband. They included a subforum titled “Leaks Market” that described itself as “[a] place to buy/sell/trade databases and leaks.”

According to the affidavit filed in support of these seizures, from in or around 2016 through February 2022, RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing sensitive personal and financial information of victims in the U.S. and elsewhere. The data included stolen bank routing and account numbers, credit card information, login credentials, and social security numbers.

“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.

“This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator,” he added.

Massive International Take Down

Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.

At the time of its founding in 2015, RaidForums also operated as an online venue for organizing and supporting forms of electronic harassment, including by “raiding” — posting or sending an overwhelming volume of contact to a victim’s online communications medium — or “swatting” — the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.

The seizure of these domains by the government will prevent RaidForums members from using the platform to traffic in data stolen from corporations, universities, and governmental entities in the United States and elsewhere, including databases containing the sensitive, private data of millions of individuals around the world, according to the DOJ.

“Our interagency efforts to dismantle this sophisticated online platform — which facilitated a wide range of criminal activity — should come as a relief to the millions victimized by it, and as a warning to those cybercriminals who participated in these types of nefarious activities,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia.

“Online anonymity was not able to protect the defendant in this case from prosecution, and it will not protect other online criminals either,” she asserted.

The law enforcement actions against RaidForums and Coelho resulted from an ongoing criminal investigation by the FBI’s Washington Field Office and the U.S. Secret Service.

Seizure of the RaidForums website and the charges against the marketplace’s administrator show the strength of the FBI’s international partnerships, noted Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office.

RaidForums Seized notice

U.S. officials credited support from Joint Cybercrime Action Taskforce (Europol), National Crime Agency (U.K.), Swedish Police Authority (Sweden), Romanian National Police (Romania), Judicial Police (Portugal), Internal Revenue Service Criminal Investigation, Federal Criminal Police Office (Germany) and other law enforcement partners.

“Cybercrime transcends borders, which is why the FBI is committed to working with our partners to bring cybercriminals to justice — no matter where in the world they live or behind what device they try to hide,” said D’Antuono.

Operational Expertise Disclosed

To profit from the illicit activity on the platform, RaidForums charged escalating prices for membership tiers that offered greater access and features. The pricing structure included a top-tier “God” membership status.

RaidForums also sold “credits” that provided members access to privileged areas of the website and enabled members to “unlock” and download stolen financial information, means of identification, and data from compromised databases, among other items. Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.

According to the indictment, Coelho also personally sold stolen data on the platform and directly facilitated illicit transactions by operating a fee-based “Official Middleman” service. For that service, Coelho allegedly acted as a trusted intermediary between RaidForums members seeking to buy and sell contraband on the platform, including hacked data.

Notably, to create confidence among transacting parties, the Official Middleman service enabled purchasers and sellers to verify the means of payment and contraband files being sold prior to executing the transaction.

Long-Term Impact Questioned

The massive takedown of RaidForums might have little real impact against the large volume of hackers operating worldwide, according to Casey Ellis, founder and CTO at crowdsourced cybersecurity firm Bugcrowd.

“I question the long-term impact of this action on the cybercriminal industry. Cybercrime and its supporting criminal services are, by and large, incredibly successful, and profitable for those who operate them. Business models like this tend to find a way to continue to exist,” he told TechNewsWorld.

It definitely provides a deterrent aspect to people considering launching similar forums and marketplaces, he added. However, he suspects they will simply evolve the techniques used to maintain operational security and avoid detection.

“The other counter-intuitive consequence of this action is that it essentially burns a valuable tool used by those in CTI, who infiltrate forums like this one, build fake personas, and use them to gather tactical breach and risk intelligence,” he said.

Still, the arrest and seizure are important inasmuch as they disrupt a marketplace and create additional difficulty and cost for cybercriminals who are looking to monetize their services and stolen data.

“It is also a clear signal to other forum operators that they are in the DOJ’s crosshairs,” he said.

Disruption May Be Key Deterrent

The takedown of RaidForums will cause a natural power vacuum within the cybercriminal community. Many of Raid’s members are likely to flock to alternative platforms, suggested Chris Morgan, senior cyber threat intelligence analyst at risk protection firm Digital Shadows.

“The takedown of RaidForums is unlikely to result in a major disruption to overall cybercriminal activity. Cybercriminals are well versed in platforms being taken down by LEAs, and so they remain agile and fluid as to where their next forum of choice is likely to pop up,” he told TechNewsWorld.

The seizure of an individual forum will not have much long-term impact, agreed John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.

“However, if the justice department can keep up the pace of operations against many of these forums, it will provide a very strong disruption to the overall cybercrime ecosystem,” he predicted. “Just like a crime wave is not solved with individual prosecutions, cybercrime is no different.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.
