breaches

Doordash's breach is different

One important detail from this week's admission from Doordash that they'd suffered (and remained silent about) a breach of 4.9 million records: Doordash, by its nature, includes the home addresses of people who otherwise avoid disclosing where they live.

Propublica finds millions of Americans' medical images and data sitting on unprotected, publicly accessible servers

An investigation by Propublica and Bayerischer Rundfunk found 187 servers hosting more than 5,000,000 patients' confidential medical records and scans (including a mix of Social Security numbers, home addresses and phone numbers, scans and images, and medical files) that were accessible by the public, "available to anyone with basic computer expertise."

US sues Edward Snowden, 'Permanent Record' violates NDAs 'signed with CIA & NSA' says Justice Department

Well, pretty much everyone saw this lawsuit coming.

Why haven't cyberinsurers exerted more pressure on companies to be better at security?

For decades, people (including me) have predicted that cyberinsurers might be a way to get companies to take security seriously. After all, insurers have to live in the real world (which is why terrorism insurance is cheap, because terrorism is not a meaningful risk in America), and in the real world, poor security practices destroy people's lives, all the time, in wholesale quantities that beggar the imagination.

Vancouver health system ignored warnings that its wireless paging system transmits sensitive patient data in the clear

The Canadian activist group Open Privacy Research Society has discovered that Vancouver, BC hospitals routinely wirelessly broadcast patient telemetry and admissions data, without encryption, to doctor paging systems. It is trivial to intercept these transmissions.

Apple and Google ordered by U.S. to provide names, phone, other data on 10,000+ users of this gun scope app

Apple and Google have been ordered by the U.S. government to hand over names, phone numbers and other identifying data of at least 10,000 users of a single gun scope app, Forbes reports Friday in an investigative feature.

Interoperability and Privacy: Squaring the Circle

Last summer, we published a comprehensive look at the ways that Facebook could and should open up its data so that users could control their experience on the service, and to make it easier for competing services to thrive.

The biggest threat to privacy? Your own family

You're fretting about hackers, political shenanigans and data breaches. Then your creepy uncle shares photos of your newborn baby, complete with its location, to his thousands of fake Facebook "friends". The call is coming from inside the house.

“Older folks, certainly, there’s a learning curve because this is new,” said Amy Nofziger, who, as director of fraud victim support for AARP, helps older people parse the new rules of the internet. “People who are grandparents or great-grandparents today are the first people to have color TVs in their homes, and now they have this thing called the internet.”

“My mom has a public profile and posts several times a day on her page and has tons of interactions, often with people she doesn’t necessarily know,” said Danielle. “Because I want to be more private about photos of my son, I have had to ask her to please not post his picture — or, if she’s going to, that she please change the privacy settings for that specific post. For the most part she has done what I’ve asked, but I could tell she was really annoyed about it. One time she posted a photo that straight-up had our home address on it, and she couldn’t understand why I was so upset!”

The posting of it is the small part of the problem. The resentful-boomer "how dare you tell me not to" is the bigger part.

Claiming your $125 from Equifax is a "moral duty"

If you fill in this form, Equifax will send you $125 as part of its settlement with the Consumer Financial Protection Bureau, the FTC, and 48 out of 50 states.

Facebook finally cuts 3rd-party 'friend data' access for Microsoft and Sony, under $5B FTC deal

Oops! Facebook says allowing Sony and Microsoft access was “our mistake.”

Equifax settles with FTC, CFPB, states, and consumer class actions for $700m

Equifax doxed virtually every adult in America as well as millions of people in other countries like the UK and Canada. The breach was caused by an acquisition spree in which the company bought smaller competitors faster than it could absorb them, followed by negligence in both monitoring and responses to early warnings. Execs who learned of the breach used it as an opportunity to engage in insider trading, while failing to take action to alert the public. Equifax nonconsensually gathers dossiers on everyone it can, seeking the most sensitive and potentially damaging information to record. The company was founded as part of a corporate spy-ring employed to root out and identify political dissidents and sexual minorities.

Vast majority of porn sites use Google Analytics and Facebook embeds that track you, even in incognito mode

If you only look at porn with your browser in incognito mode, your browser will not record your porn-viewing history; but the porn sites themselves overwhelmingly embed tracking scripts from Google and Facebook in every page: 93% of 22,484 porn sites analyzed in a New Media & Society paper had some kind of third-party tracker, with Google in the lead, but also including trackers from some of the worst privacy offenders in Silicon Valley, like Oracle.

London police official warns journalists not to publish leaks on pain of imprisonment

After a leak revealed that the British Ambassador to the USA had called Trump "inept, insecure and incompetent" (leading to the ambassador's resignation and a round of Twitter insults between Trump and senior Tory officials), London's Metropolitan Police Assistant Commissioner Neil Basu publicly warned journalists not to publish government leaks, threatening to imprison them if they do: "The publication of leaked communications, knowing the damage they have caused or are likely to cause may also be a criminal matter. I would advise all owners, editors and publishers of social and mainstream media not to publish leaked government documents that may already be in their possession, or which may be offered to them, and to turn them over to the police or give them back to their rightful owner, Her Majesty's Government."

Mongodb's plan to limit breaches: "Field Level Encryption"

Many large-scale data-breaches involve attackers gaining access to administrators' database logins; from there, they can clone the whole database and plunder it at will; but leading nosql database vendor Mongodb proposes to add another layer of security it's calling "Field Level Encryption" which encrypts the data in database fields with its own key -- possibly a different key for every user or every field. That means that attackers will have to compromise a lot of cryptographic keys as well as breaking into a server.

Empirical analysis of behavioral advertising finds that surveillance makes ads only 4% more profitable for media companies

In Online Tracking and Publishers’ Revenues: An Empirical Analysis, a trio of researchers from U Minnesota, UC Irvine and CMU report out their findings from a wide-ranging (millions of data-points) study of the additional revenues generated by behaviorally targeted ads (of the sort sold by Facebook and Google) versus traditional, content-based advertising (that is, advertising a piano to you because I spied on you when you searched for pianos yesterday, versus showing you an ad about pianos next to an article about pianos).

Chase credit cards quietly reintroduce the binding arbitration clauses they were forced to eliminate a decade ago

Binding arbitration is a way for corporations to force you to surrender your legal rights as a condition of doing business, relegating you to seeking redress for breaches and harms by going before a paid arbitrator who is in the employ of the company that harmed you, and who almost always sides with their employer.

Google mistakenly started handing out a reporter's cellphone number to people searching for Facebook tech support

If Facebook is broken for you in some way large or small, you can't call them to complain -- the company doesn't have a customer service number, it has a "support portal" for people suffering with the service, which combines the worst of autoresponders with the worst of underpaid, three-ring-binder constrained support staff to make a system that runs like a cost-conscious version of Kafka's "The Trial."
