Last month was rich in privacy and security related headlines.
Twitter, like Facebook many times before, did a major disservice to its users by taking the phone numbers they had provided for two-factor authentication and serving them to advertisers, which didn’t go down well with users or the wider tech scene.
Next, we had two confessions, from NordVPN and Avast, with both companies revealing they had been breached. The first breach happened back in March 2018, while Avast suffered a continuous breach that took place between May and October of this year.
And finally, Sen. Ron Wyden (D-Ore.), known for the law that enabled sites to host user-created content without being accountable for it, proposed a new bill called the "Mind Your Own Business Act of 2019," aimed at protecting private data held by tech companies.
Let’s start with the Twitter embarrassment.
Twitter mishandled phone numbers and email addresses used for two-factor authentication
Two-factor authentication is a useful security measure.
Today, literally everyone can be hacked, and chances are the details of at least one of your many online accounts have leaked in some security breach. With 2FA you can use your phone number, email, or more advanced measures such as physical security keys as a secondary layer during log-in for any online account.
And while phone numbers and email addresses can also be compromised, physical security keys are perfect 2FA tools at the moment.
Well, Twitter, unlike most other sites, requires users to provide their phone number even if they use other 2FA measures. Even if you switch to a security key or a third-party authenticator app, removing your phone number from Twitter will also make you ineligible for 2FA on Twitter, which is illogical, but that’s how Twitter 2FA works.
This unnecessary requirement can also be seen as an attack on user privacy.
If you have a personal security key there’s no need to provide a phone number to a site because security keys work flawlessly as 2FA tools. And now Twitter managed to make matters worse by using some of those phone numbers, as well as email addresses used for Twitter accounts, for advertisement purposes.
The company matched users to marketing lists provided by advertisers and it did so unintentionally, at least according to Twitter.
The company released a statement that reads “We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” with company officials explaining that “We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.”
The issue has been fixed, and phone numbers and email addresses are no longer “accidentally” used for advertising purposes.
This is a major mishandling of user data, and it isn’t the first time Twitter has mistreated its users’ private data.
Back in May 2018, the company revealed it had been storing user passwords in plaintext, with zero protection.
NordVPN and Avast suffered breaches
NordVPN, one of the biggest and most popular VPN service providers, has suffered a breach.
The breach happened in May 2018, when one of the data centers the company rents its servers from was “accessed with no authorization,” according to NordVPN’s PR, Laura Tyrell. Luckily, the server didn’t contain any private data such as usernames or passwords.
And since NordVPN doesn’t keep any user-related data such as browsing history or activity logs, the attacker (or attackers) couldn’t access or steal private data. Still, the breach is a security issue and a troubling sign that the company didn’t apply sufficiently strict security measures.
What’s especially worrisome is the fact that the breach was carried out by abusing an insecure remote management system whose existence NordVPN was unaware of. NordVPN should do better background checks of its data center providers in the future.
The second breach is tied to Avast, one of the most popular antivirus solutions in the world.
It took place between May and October 2019 and targeted CCleaner, a Windows utility tool developed by Avast.
The company pulled the CCleaner download page, invalidated all certificates used to activate old versions of the tool, pushed a clean CCleaner update on October 15, and then reset all user credentials.
CCleaner is now back, clean, and safe to use. “We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA,” explained Jaya Baloo, Avast’s Chief Information Security Officer.
It seems that CCleaner wasn’t infected with malware and that no private data was compromised.
“Mind Your Own Business Act of 2019” bill proposal seeks to hold tech CEOs personally responsible for mishandling users’ private data
Ron Wyden, a Democratic Senator from Oregon, allowed the rise of web platforms as we know them.
Back in 1996, he contributed Section 230 to the Communications Decency Act.
The act allowed websites to host user-generated content (such as user comments, tweets, or Facebook posts) without the companies owning those websites being held responsible for said content. They cannot be regarded as publishers, only as platforms. Section 230 also allowed websites to freely moderate user-generated content and to take down material they see as inappropriate.
Now, Sen. Ron Wyden wants to make tech CEOs personally responsible for the mishandling of private data by those platforms.
Instead of their companies receiving monetary fines that are often pocket change relative to overall revenue, tech CEOs could face jail time. As Wyden himself explained, “Mark Zuckerberg won't take Americans' privacy seriously unless he feels personal consequences.
A slap on the wrist from the FTC won't do the job, so under my bill, he'd face jail time for lying to the government.” He then goes further, saying that "corporate executives need to be held personally responsible when they lie about protecting our personal information."
The bill would help address many of the privacy-related issues we face today.
It would enforce standards for user data privacy and security and allow users to access their private data and learn how companies are using it, similar to what the EU’s GDPR enforces.
Next, the law would introduce stern penalties for companies and their CEOs if they violate the law, and it would give the FTC (Federal Trade Commission) authority to enforce the law and to criminally prosecute companies and individuals that broke it.
Finally, the proposed bill would let companies offer paid versions of their free services (like Gmail or Facebook) in which user data is kept fully private and inaccessible, while keeping those services free for low-income individuals in the US in order to show that privacy isn’t a luxury good.
When it comes to penalties, a first offense would cost a company up to 4 percent of annual revenue.
What’s interesting is that CEOs and other corporate officers would be held personally responsible and would be subject to monetary fines equivalent to 5 percent “of the largest amount of annual compensation received during the previous 3-year period,” or $1 million (whichever is larger) and up to 10 years in prison.
If a CEO or a corporate officer is found to have intentionally lied about breaches and the mishandling of private user data, they could pay up to 25 percent “of the largest amount of annual compensation received during the previous 3-year period,” or $5 million, and could face up to 20 years of prison time.
While the proposed law looks and sounds like a stern deterrent that could stop companies from exploiting their users and their private data, the question is whether the “Mind Your Own Business Act of 2019” has any realistic chance of being approved.
It goes against corporate interests and corporations are ready to shell out billions in lobbying efforts to stop the law from being approved.
On the other hand, the US desperately needs a federal-level privacy law and this one looks like by far the best candidate.
Maybe if things go in the other direction after the presidential election in 2020 (at the moment the GOP is firmly on the corporate side and holds the majority in the Senate), the US might finally hold CEOs of US-based companies responsible for privacy-related issues and exploitation that affect users from around the world.