Industry News

Commentary on happenings across the professional privacy industry concerning JavaScript and 3rd party vendors.
www.ccc.de
CCC captures U.S. military biometrics database
  • security
  • breach
Tue, 27 Dec 2022
The U.S. military used biometric devices en masse to capture people in Afghanistan. Some devices were left behind during the hasty withdrawal of NATO troops. CCC researchers found large amounts of biometric and other personal data when analyzing such devices. In the wrong hands, this data is life-threatening for people in Afghanistan and Iraq.
www.cpomagazine.com
Wave of Wiretapping Litigation Offers Lessons for Companies Using Session Replay Software
  • law
Tue, 08 Nov 2022
In recent years, plaintiff attorneys throughout the country have filed lawsuits alleging that modern website technologies that track user visits violate state privacy laws. Many of these lawsuits have focused on the use of session replay software on websites. Session replay software permits companies to track user interactions while browsing a website, including mouse clicks, keystrokes, and content viewed by the user. In 2020 and 2021, many companies using this type of software suddenly found themselves immersed in class action litigation analogizing this software to an illegal wiretap.
techcrunch.com
France’s data watchdog warns over illegal use of Google Analytics
  • warning
  • ruling
Wed, 08 Jun 2022
France’s data protection watchdog, the CNIL, has issued updated guidance on use of Google Analytics following a decision earlier this year that found a local website’s use of the tool to be in breach of European Union law. It has also confirmed that it has since issued formal notices to other organizations to bring their use of Google Analytics into compliance.
inplp.com
Use of Google Analytics violates the GDPR - Recent decision of the Austrian data protection authority
  • ruling
Wed, 19 Jan 2022
The Austrian Data Protection Authority (DPA) decided in a recent groundbreaking decision (22nd of December 2021, D155.027 2021-0.586.257) that the use of Google Analytics is currently violating the GDPR. The DPA held that the transfer of personal data to the US in light of the Schrems II decision is particularly problematic. This is the first decision on the 101 model complaints filed by noyb. Soon similar decisions are to be expected in other EU member states.
www.consumerprivacyworld.com
Another Court Dismisses Session Replay Software Litigation Based on Disclosures in Privacy Policy
  • law
  • ruling
Wed, 01 Sep 2021
Yet another court has rejected such a theory of liability—making it even more likely that this trend has already peaked. In this instance, the U.S. District Court for the Northern District of California ruled (for the second time) that a user who accepted the website’s Privacy Policy had consented to have his information collected. Javier v. Assurance IQ, No. 20-cv-02860, 2021 U.S. Dist. LEXIS 158236 (N.D. Cal. Aug. 6, 2021).
freedom-to-tinker.com
Can the exfiltration of personal data by web trackers be stopped?
  • trackers
Tue, 14 Jul 2020
The web’s security model allows a website to either fully trust a third party (by including the third-party script in a first party context) or not at all (by isolating the third party resource in an iframe). Unfortunately, this model does not capture the range of trust relationships that we see on the web. Since many third parties cannot provide their services (such as analytics) if they are isolated, the first parties have no choice but to give them full privileges even though they do not trust them fully.
spreadprivacy.com
DuckDuckGo Tracker Radar Exposes Hidden Tracking
  • trackers
Thu, 05 Mar 2020
DuckDuckGo Tracker Radar is a best-in-class data set about trackers that is automatically generated and maintained through continuous crawling and analysis. This data set is now publicly available to use for research and for generating tracker block lists. And, the code behind it is now open source.
techcrunch.com
Apple tells app developers to disclose or remove screen recording code
  • trackers
  • app_store
Thu, 07 Feb 2019
Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”
www.ftc.gov
No boundaries: Exfiltration of personal data by session-replay scripts
  • trackers
  • session_replay
Mon, 03 Dec 2018
An overview slide deck from PrivacyCon.
techcrunch.com
Mixpanel analytics accidentally slurped up passwords
  • leak
Mon, 05 Feb 2018
The password-harvesting bug stemmed from a change to the open source React JavaScript library that clashed with how Mixpanel's Autotrack feature works.
www.wired.com
The Dark Side of 'Replay Sessions' That Record Your Every Move Online
  • trackers
  • session_replay
Thu, 16 Nov 2017
When internet users visit Walgreens.com, a software company may record every keystroke, mouse movement, and scroll, potentially exposing medical conditions such as alcohol dependence, or the names of drugs a user has been prescribed, according to Princeton researchers.
freedom-to-tinker.com
No boundaries: Exfiltration of personal data by session-replay scripts
  • trackers
  • session_replay
Wed, 15 Nov 2017
You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.