Data Security

ICO Highlights Prevalence of GDPR Myths

The Information Commissioner’s Office (ICO) has reported taking 500+ calls per week reporting GDPR data breaches, but one-third of the calls appear to be based on myths and misunderstandings or over-reporting about GDPR matters.

Update After Freedom of Information Request

The update by the ICO about how things appear to be going just three months after the introduction of GDPR came shortly after a Freedom of Information (FOI) request by law firm EMW produced figures showing that the number of complaints between 25th May and 3rd July 2018 rose to 6,281, versus 2,417 during the same period in 2017.

Over-Reporting

A key problem highlighted by the ICO is that many companies feel that in order to achieve compliance and avoid being penalised, they have to be transparent to the degree that they “over-report” by reporting everything. Also, many of the reports are incomplete.

One common misconception highlighted by the ICO that is leading to unnecessary calls is that instead of reporting suspected data breaches to the ICO within 72 hours ‘from the point of discovery’, many companies appear to believe that the mandatory reporting period is 72 ‘working’ hours.

Fine Fears Unfounded

Another key point that the ICO was keen to make was that even though there have been some high profile cases that have involved big companies receiving big fines since the introduction of GDPR, many thousands of incidents are closed each year without financial penalty but with advice, guidance and reassurance offered instead. The ICO also stresses that the real norm of its work is audits, advisory visits and guidance sessions.

In fact, ICO Deputy Commissioner James Dipple-Johnstone has been quoted as saying that businesses that take their data protection responsibilities seriously “have nothing to fear from an ICO inspection or investigation”.

Cyber Crime Reports

The ICO has said that almost half of the calls that it received weekly involve some cyber element, and around one-third of calls relate to phishing attacks.

Phishing attacks are still such a popular method of cyber-crime because many companies have been focusing on malware detection and may not have trained and educated their staff about the risks, how to spot phishing attacks, and what to do about them.

What Does This Mean For Your Business?

Of course, organisations need to take their data protection responsibilities seriously to protect customers and the company itself, but part of dealing with that responsibility correctly is being clear on what GDPR actually requires a company to do, how and when. One way to achieve this is a data protection officer (DPO), i.e. someone tasked with the responsibility and security leadership role to oversee data protection strategy and implementation, and to ensure proper compliance with GDPR requirements. Note that Article 37 of GDPR makes appointment of a DPO mandatory only for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily, and many choose to. Part of the responsibilities of a DPO is to educate the company and train employees about GDPR and how it applies to them and their work. A DPO is required to have expert knowledge of data protection law and practice, and having such a person on hand to consult about GDPR matters would be a good way to prevent unnecessary calls and complaints being made to the ICO, and to stop unnecessary concerns, misunderstandings and mistaken beliefs taking hold within the company, where they could lead to other problems.

Only 32% of Emails Clean Enough To ‘Make It’

A bi-annual study by FireEye has found that less than a third of over half a billion emails analysed were considered clean enough not to be blocked from entering our inboxes.

Phishing Problem Evident

The study found that 9 out of 10 emails blocked by email security / anti-virus did not actually contain malware; instead, 81% of the blocked emails were phishing attacks, double the proportion seen in the previous six months.

Webroot’s Quarterly Threat Trends Report data, for example, shows that 1.39 million new phishing sites are created each month, and that this figure was as high as 2.3 million in May last year. It is likely that phishing attacks have increased so much because organisations have been focusing too much of their security efforts on detecting malware. Also, human error is likely to be a weak link in any company, and phishing has proven to be very successful, sometimes paying off in a second wave after the first attack. For example, in the wake of the TSB bank system meltdown, phishing attacks on TSB customers increased by 843% in May compared with April.

A recent KnowBe4 study involved sending phishing test emails to 6 million people, and found that recipients were most likely to click on phishing emails that promised money or threatened the loss of money. This highlights a classic human weakness that cyber-criminals rely on: the most effective phishing templates are the ones that cause a knee-jerk reaction, i.e. the alarming or urgent nature of the subject makes the recipient act without thinking.

Increase In Malicious Intent Emails

The FireEye study also highlighted the fact that there has been an increase over the last 6 months in the emails sent to us that have malicious intent. For example, the latest study showed that one in every 101 emails had malicious intent, whereas this figure was one in every 131 in the previous 6 months.

Biggest Vulnerability

As FireEye noted after seeing the findings of their research, email is the most popular vector for cyber attacks, and it is this that makes email the biggest vulnerability for every organisation.

What Does This Mean For Your Business?

It is very worrying that less than one third of emails sent to businesses can be trusted as ‘clean’ enough, and free enough of obvious criminal intent, to be allowed through to the company inbox. It is, of course, important to have effective anti-virus / anti-malware scanning in place for email, but phishing emails, and impersonation attacks such as CEO fraud, typically carry no malware at all, so signature-based scanning does not stop them. Organisations, therefore, need to focus on making sure that staff are sufficiently trained and educated about the threats and the warning signs, and that there are clear procedures and lines of responsibility to be followed whenever an email asks for a transfer of money, even when it appears to come from the CEO.

Cyber-criminals are getting bolder and more sophisticated, and companies need to ensure that there are no weak ‘human error’ links on the front line.
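To make the point about impersonation concrete, here is an added example (written for this page, not code from FireEye, KnowBe4 or any product the page mentions) that applies the kind of checks an email gateway or mail-filter rule can run on a message before it reaches an inbox: an executive’s display name on a non-corporate address, a lookalike sender domain, a Reply-To that diverts replies elsewhere, and a money request combined with urgency cues. The corporate domain, the executive directory and both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumed corporate domain and executive directory (hypothetical values).
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

MONEY_WORDS = ("wire", "transfer", "payment", "invoice", "bank details")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "right away")

# Constructed sample messages, not real mail.
GENUINE = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 numbers

Please send the Q3 summary when it is ready.
"""

CEO_FRAUD = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: ceo.urgent@webmail.example
To: finance@example-corp.com
Subject: URGENT wire transfer needed today

I am in a meeting and cannot talk. Please wire 48,500 GBP to the account below before 3pm.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message: str) -> list:
    """Return the impersonation indicators found in a message; an empty list means none."""
    msg = email.message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    reasons = []

    # 1. Display name of a known executive, but a different mailbox behind it.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and sender.lower() != expected:
        reasons.append(f"display name '{display_name}' but sender is {sender}")

    # 2. Sender domain is a near-miss of the corporate domain.
    if sender_domain != CORP_DOMAIN and levenshtein(sender_domain, CORP_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {sender_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from sender")

    # 4. Money request combined with urgency: the pattern the KnowBe4 results describe.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(w in text for w in MONEY_WORDS) and any(w in text for w in URGENCY_WORDS):
        reasons.append("money request combined with urgency cues")

    return reasons


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("ceo fraud", CEO_FRAUD)):
        print(label, analyse(raw))
```

These heuristics complement, rather than replace, SPF, DKIM and DMARC: a lookalike domain registered by the attacker will pass all three, which is exactly why the display-name and Reply-To checks still matter, and why a payment request should always be confirmed out of band.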

Microsoft Launches ‘AccountGuard’ Email Service For Election Candidates

A new kind of pilot secure email service called ‘AccountGuard’ has been launched by Microsoft, specifically for use by election candidates, and as one answer to the kind of interference that took place during the last US presidential election campaign.

Ready For The Midterm Elections

The new, free email service (which people must use Office 365 to register for) is an off-shoot of Microsoft’s ‘Defending Democracy’ Program. This program was launched in April with the aim of protecting campaigns from hacking through increased cyber resilience measures, enhanced account monitoring and incident response capabilities.

The AccountGuard pilot has been launched in time for the US Midterm elections which are the general elections held in November every four years, around the midpoint of a president’s four-year term of office.

Who Can Use AccountGuard?

Microsoft says that its AccountGuard service can be used by all current candidates for federal, state and local office in the United States and their campaigns; the campaign organisations of all sitting members of Congress; national and state party committees; any technology vendors who primarily serve campaigns and committees; and some non-profit and non-governmental organisations. Microsoft AccountGuard is offered free of charge and is full service, coming with free email and phone support.

Three Core Offerings

AccountGuard has three core offerings. These are:

  1. Unified threat detection and notification across accounts. This means providing notification about cyber threats in a unified way across both the email systems run by organisations and the personal accounts of those organisations’ leaders and staff who opt in. To begin with, this part of the service is available only for Microsoft services including Office 365, Outlook.com and Hotmail, and Microsoft says it will draw on the expertise of the Microsoft Threat Intelligence Center (MSTIC).
  2. Security guidance and ongoing education. Registering for Microsoft AccountGuard gives organisations best practice guidance and materials. These are in the form of off-the-shelf materials and in-depth live sessions.
  3. Early adopter opportunities. This means access to private previews of the kind of security features that are usually offered by Microsoft to large corporate and government account customers.

Similar To Google

Some commentators have highlighted similarities between the AccountGuard idea and Google’s Advanced Protection Program (APP), launched in October 2017, although APP is open to anyone, requires sign-in with hardware security keys, and restricts third-party app access to account data.

What Does This Mean For Your Business?

When you think about it, what Microsoft appears to be admitting is that its everyday email programs are simply not secure enough to counter many of the threats that now look likely to come from other states when elections are underway. Microsoft’s other, non-political business customers who are also at risk from common cyber attacks e.g. phishing, may feel a little left out that they are apparently not being offered the same level of security.

Also, protecting democracy sounds like quite a grand aim for a service provider offering an email service. Microsoft does, however, accept that it can’t solve the threat to US democracy on its own and believes this will require technology companies, government, civil society, the academic community and researchers working together. Microsoft also acknowledges that AccountGuard is limited to protecting those using its enterprise and consumer services, and that attacks can reach campaigns in a variety of other ways. Microsoft also appears to be hinting that it may consider expanding AccountGuard to industry as well as government, depending on how the pilot goes.

BA Security Fallout

Analysis of the script used in the recent hack of the British Airways website and app, which affected 380,000 transactions, has revealed that it took only 22 lines of JavaScript to cause the massive data breach.

Skimming

The hack, which began on 21st August and continued into September, is now believed to be down to a digital skimming script injected into BA’s website and app, designed to steal financial data from the online payment form. The small skimming script, which was discovered by cyber-security firm RiskIQ, grabbed the data entered into BA’s online payment form and sent it to the attackers’ server when the customer hit the ‘submit’ button.

Targeted

The researcher concluded that this was a highly targeted attack: the script was tailored to BA’s payment page, and because the payment page in the mobile app was built from the same components as the real website, the same script also captured data from app users.

The RiskIQ researcher has described the 22 line digital skimming file implanted by the hackers as “simple but effective”.

Magecart Suspected

The finger of suspicion is now being pointed at a group of hacking operatives known as Magecart. The suspicion is based upon a close match with their modus operandi in a recent attack on the Ticketmaster websites, where Magecart also used a similar digital skimmer hidden in a third-party element of the payment process.

More To Come

The attacks on Ticketmaster and BA are believed to be part of a larger campaign by the Magecart hacking group to target big brands, and it is thought, therefore, that more big names will soon be hitting the headlines for data breaches.

Vulnerable

According to some security commentators, the weakest link in a payment process is an obvious place for hackers to strike, and older systems or third-party code in the payment chain are exactly that weakest link.

The apparent ease of the attack, which led to the theft of names, email addresses and full credit card details, has led to obvious anger from those affected and criticism of BA by security commentators and professionals.

Big Fine Possible Under GDPR

There is now the real possibility that BA could face a massive £500 million fine (4% of global turnover based on 2017) under GDPR, and this breach is believed to be one of the first really big tests of the new law.

What Does This Mean For Your Business?

Even though the hackers in this case had gone to great lengths to tailor their code closely to the BA site, and had even obtained a valid TLS (SSL) certificate for the domain that received the stolen data, suggesting a serious level of planning and targeting, it remains a relatively simple method of attack that has exposed vulnerabilities in the payment systems of a big company. The dependable image of BA, the fact that it is such a big brand, and the scale and scope of the theft have caused shock and anger among customers, and there will undoubtedly be substantial costs to BA’s finances and reputation.

As some security commentators have pointed out, there are ways to prevent third-party code from reading data on sensitive web pages, and BA should really have been wise to this. In BA’s defence, encrypting the data in transit would not have helped: the skimmer ran in the customer’s browser and read the form fields before the data was ever sent to the company’s servers.

One positive thing to be taken from this case is that it has alerted more companies to the possibility of this kind of attack, thereby giving them time to build in defences against it.
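As an added example of the defences the commentators allude to (written for this page; it is not BA’s code, RiskIQ’s tooling, or the skimmer itself), the script below audits a checkout page for scripts loaded from origins that are not on an allowlist, computes the Subresource Integrity value that would make a browser refuse a tampered vendor file, and builds a Content-Security-Policy header that limits both where scripts may load from and where a script could send captured form data. The page markup, the domains and the allowlist are all constructed for the example.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample checkout page with hypothetical domains: one first-party
# script, one legitimate vendor library, and one script on a lookalike domain
# (the kind of injection described in the article).
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-airline.com/js/payment.js"></script>
<script src="https://cdn.trusted-vendor.com/modernizr-2.6.2.min.js"></script>
<script src="https://example-airline-payments.com/gateway/app/data.js"></script>
</head><body><form id="paymentForm" action="/pay"></form></body></html>
"""

# Assumed allowlist of origins permitted to serve script on the payment page.
ALLOWED_ORIGINS = {"https://www.example-airline.com", "https://cdn.trusted-vendor.com"}

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def script_sources(html: str) -> list:
    """Every external script URL referenced by the page."""
    return SCRIPT_SRC_RE.findall(html)


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def unexpected_scripts(html: str, allowed=ALLOWED_ORIGINS) -> list:
    """Scripts whose origin is not on the allowlist. A skimmer appended to a
    vendor file will NOT appear here (same origin), which is why SRI is needed too."""
    return [src for src in script_sources(html) if origin_of(src) not in allowed]


def sri_integrity(script_body: bytes) -> str:
    """Subresource Integrity value for a known-good copy of a script. The browser
    refuses to execute the file if its bytes no longer match this digest."""
    digest = hashlib.sha384(script_body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def hardened_script_tag(src: str, script_body: bytes) -> str:
    """The <script> tag a site should emit for a pinned third-party library."""
    return (f'<script src="{src}" integrity="{sri_integrity(script_body)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(allowed=ALLOWED_ORIGINS, report_uri: str = "/csp-report") -> str:
    """script-src limits where scripts may load from; connect-src and form-action
    limit where a script could send captured card data, i.e. the exfiltration step."""
    origins = " ".join(sorted(allowed))
    return (f"Content-Security-Policy: default-src 'self'; script-src {origins}; "
            f"connect-src 'self'; form-action 'self'; report-uri {report_uri}")


if __name__ == "__main__":
    print("unexpected:", unexpected_scripts(SAMPLE_HTML))
    print(hardened_script_tag("https://cdn.trusted-vendor.com/modernizr-2.6.2.min.js",
                              b"/* vendor library bytes as reviewed */"))
    print(csp_header())
```

The allowlist check catches a script served from a new domain; the integrity attribute catches the harder case the article describes, where the malicious lines are added to a library the page already trusts. The CSP connect-src and form-action directives mean that even a script that does run cannot quietly post the form contents to an attacker-controlled host, and the report-uri gives the security team a signal when something tries.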

Criminals ‘Invest’ More Than Businesses

Research shows that one reason why organisations face constant, serious security threats is that cyber criminals, fuelled by a new cybercrime-based economy, are spending much more on cyber attacks than organisations are spending on cyber security.

Cyber Criminals Spending and Reinvesting $Trillions!

Back in 2017, Gartner predicted that organisations would collectively be spending around $96 billion on their cyber-security. Although this is a big number, it is dwarfed by the figures relating to the proceeds of crime.

For example, last year Cyber Security Ventures predicted that cyber-crime will cost the world $6 trillion annually by 2021, and Bromium’s independent study from April this year showed that the booming cyber-crime economy has generated $1.5 trillion in illicit profits. This figure is equivalent to the GDP of Russia, meaning that if cyber-crime were a country, it would have the 13th highest GDP in the world!

Although some of these profits have been simply acquired, laundered, and spent, much has been ‘reinvested’ by cyber criminals. This means that there is potentially a great deal more being spent by cyber-criminals on cyber-attacks than is being spent by organisations on cyber security.

Revenues Exceed Those of Companies

In fact, the revenues of individual cyber-crime operations have been found to often exceed those of legitimate SME-sized companies, and at the top end they can reach the levels of large multi-national organisations, at over $1 billion.

Greater Spending Forecast

Some commentators have offered hope in the form of much greater security spending by organisations in the not-too-distant future. For example, research company Gartner has noted that, with the average cost of a data breach at $3.86 million (Ponemon Institute figures), and with the recent string of highly publicised data breaches, privacy concerns are becoming the catalyst for increased security spending by organisations. Skills shortages and GDPR are also driving demand for security services.

Gartner predicts that privacy concerns will drive at least 10% of the market demand for security services through 2019, as security and risk management come to be recognised as a critical part of any digital business initiative. Gartner also predicts that at least 30% of organisations will be spending on GDPR-related consulting and implementation services through 2019.

What Does This Mean For Your Business?

The huge sums being made by cyber-criminals and re-invested in their activities are evidence of a big change in the environment that poses a major threat to the data security of businesses. Security commentators have noted that in a world where data has become a valuable commodity, a professional cybercrime-based economy has grown into a self-sustaining system and platform of criminality that mirrors the platform capitalism model used by big companies. The economic relationships and agents in this criminal system can generate and maintain huge revenue streams that can be used to fund more cyber-crime and other crime such as human trafficking, drugs and terrorism.

The wealth of states is also being used to fund cyber-crime as hacking gangs carry out more state-sponsored attacks (e.g. Russia, China and North Korea) thereby threatening many parts of the UK economy. Clearly, this is a challenging time for UK businesses in terms of planning and spending on security.

Apple Apps Taken Down For Spying

A number of well known security apps for the Apple Mac have been taken down from the Mac App Store after it was discovered that they were being used to spy on the browsing habits of their users.

Which Apps?

It has been reported that Dr Unarchiver, Dr Cleaner, Adware Medic, Adware Doctor and App Uninstall have all been removed from the Apple-curated Mac App Store on the grounds of spying on users.

Rumbled

A researcher in Germany, identified only by their Twitter handle @privacyis1st, is credited with alerting the Mac App Store to the fact that the Adware Doctor app, attributed to a developer called Yongming Zhang (the name of a well-known Chinese serial killer), and the Trend Micro apps were linked to the same suspect IP address in China.

It has also been reported that suspicions and concerns about the apps go back some years. For example, online reports about Adware Doctor from 2016 indicate that the app was using AppleScript to perform actions in violation of Apple’s App Store Guidelines. It has also been alleged that the glowing reviews of Adware Doctor and other applications by the same developer may have been faked.

How?

It has been reported that the suspect apps first tricked the user into granting access to the macOS home directory, presenting the request as necessary for virus scanning or clearing caches. Once that permission was granted, the apps abused it to read the browsing history of Chrome, Firefox and Safari (which all keep their history databases in files under the home directory) and sent the data back to the suspected malicious operators.

What Does This Mean For Your Business?

This is not the first time that there have been reports of dodgy apps lurking in legitimate stores. For example, back in January, 36 fake and malicious Android apps masquerading as security tools, which could harvest your data and track your location, were discovered in the trusted Google Play Store. All had reassuring names such as Security Defender and Security Keeper, and many performed some legitimate tasks on the surface, such as cleaning junk, saving battery, scanning and CPU cooling, but all were found to be hiding malware, adware and tracking software.

Apple generally has a good brand reputation with regards to security so it will undoubtedly be very unhappy to have its name and the store that it curates associated in any way with any malicious apps.

This story is another reminder that, when it comes to apps, even though the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Apple (in this case) didn’t immediately spot the hidden aspects of the apps. Also, we often don’t have the time to make checks on the apps that we download, and good reviews and the ‘halo effect’ of the good name of the store that they’re in are often enough of a recommendation for us to act.

The fact that many of us now store most of our personal lives on our smart phones makes reports such as these all the more alarming, and can undermine our confidence in (and cause costly damage to) the brands that are associated with such incidents.

To minimise the risk of falling victim to suspect apps, users should check the publisher of an app, check which permissions the app requests when it is installed, delete apps from their devices that they no longer use, and contact their service provider or visit a High Street store if they think they have downloaded a malicious / suspect app.

The bad publicity from this story may also make Apple keen to review its systems and procedures for checking the apps that are offered in the store that it curates.

Google To Kill Dodgy Tech Support Ads

A rise in the number of adverts appearing in Google placed by scammers offering fake tech support has led Google to announce the rollout of a new advert verification programme.

Can’t Tell The Good From The Bad

Google’s Director of Global Product Policy, David Graff, made the announcement on the Google blog. Mr Graff said that, after seeing a rise in misleading ad experiences stemming from third-party technical support providers, Google had taken the decision to begin restricting ads in that category globally. Mr Graff also said that, because the fraudulent activity takes place off the Google platform, it is difficult to separate the bad actors from the legitimate providers, and this has necessitated the roll-out in the coming months of a verification program to ensure that only legitimate providers of third-party tech support can use the Google platform to reach consumers.

The Scam Adverts

According to Google, last year it took down more than 3.2 billion ads that violated its advertising policies. Google has banned ads for payday loans and bail bonds services, and has introduced verification programmes to fight fraudulent ads for other services such as local locksmith services and addiction treatment centres. It now appears that the scammers have moved into the tech support category to find their victims.

How The Scam Works

The FBI’s Internet Crime Complaint Center (IC3) says it received approximately 11,000 complaints related to tech support fraud in 2017. This kind of fraud can use several methods for the initial contact with the victim, e.g. telephone, search engine adverts, pop-up messages or locked screens (accompanied by a recorded, verbal message to contact a phone number for assistance), or a warning in a phishing e-mail.

Using search engine adverts, the method Google has highlighted, the scam works like this:

  • Criminals pay for fraudulent tech support links and ads to appear high in search results. Victims click on them, and the ads provide a phone number.
  • When the victim calls the fake tech support company, the criminal, posing as a support representative, tries to convince the victim to grant remote access to their device. If the device is a tablet or smartphone, the criminal usually tries to get the victim to connect it to a desktop computer.
  • Once a remote connection has been made, the criminal claims to find expired licences, viruses, malware or other (bogus) issues and tells the victim that there will be a charge to fix them.
  • The criminal then requests payment by personal / electronic cheque, bank / wire transfer, debit / credit card, prepaid card or virtual currency.

The scam has other variations which can also involve re-targeting previous victims by posing as government officials / police, offering assistance in recovering losses from a previous tech support fraud incident.

What Does This Mean For Your Business?

For those companies legitimately offering tech support services online using advertising, as well as for the many previous and potential victims, this announcement by Google will be welcomed. It is also in Google’s interest to police its own advertising platform because it provides a significant source of revenue.

We can all take precautions to stop ourselves / our businesses from falling victim to this type of scam. These precautions include:

  • Remembering that a legitimate tech support company is unlikely to initiate unsolicited contact with you / your company.
  • Installing ad-blocking software to eliminate / reduce pop-ups and malvertising (online advertising used to spread malware), and making sure that all anti-virus, security and malware protection is up to date.
  • Being very cautious of any support numbers obtained via open searching, i.e. via sponsored links / Google ads.
  • Not giving unverified people remote access to any devices or accounts.

Is Google Getting Details of YOUR Purchases From MasterCard?

Reports of a data-sharing deal with card network MasterCard suggest that some details of your credit card purchases could be shared with Google and used to improve its online advertising service.

What Deal?

According to reports from Bloomberg, after four years of negotiations, Alphabet Inc.’s Google and MasterCard Inc. have brokered a “business partnership”. The deal, not surprisingly, is reported to have cost Google millions of dollars.

It has been reported that this alliance between the two companies may have given Google access to data that would allow it to get a much clearer view of retail spending by enabling the tracking of whether the Google ads run online actually led to a sale at a physical store in the U.S.

How Could This Work?

Some commentators have envisaged that the way the deal could work for Google is that, if an (anonymous) Google account clicks an advert, and goes on to purchase the product offline within 30 days, Google could include that potentially useful information in a summary to the advertiser in question. In other words, Google gets to offer its advertisers another layer of information about the effectiveness of their advertising.

What Do Google and MasterCard Say?

According to Bloomberg, Google has said this is a beta product that was only launched last year, and has double-blind encryption technology built-in to it anyway, thereby stopping Google or MasterCard from viewing their respective users’ personally identifiable information. A spokeswoman for Google is also reported to have said that there is no revenue sharing agreement with its partners.

MasterCard is reported to have said that it offers its own media measurement services to retailers, but that it relies upon the merchant supplying their own advertising campaign details and spending data for the duration of any campaign. MasterCard is reported to have said that it only supplies merchants and their designated service providers with trends that are based on aggregated and anonymised data e.g. average ticket size and sales volumes.

Both Google and MasterCard have said that any data used as part of this alliance is anonymised.

What Does This Mean For Your Business?

In an omni-channel retail environment, it makes sense that retailers / advertisers would like to extend how they measure their advertising and its ultimate effectiveness. For Google, it is important to use its power, data assets and financial might to add value, another point of differentiation, and an extra competitive advantage to its online advertising services.

To consumers, however, the thought of any of the credit / private purchasing details shared with another private company without their initial express consent may be somewhat alarming. Even with assurances of anonymised data being used, many people’s trust may not extend that far, and may have been damaged by continuous news stories about data breaches at big companies, and the revelations about the Facebook / Cambridge Analytica data sharing scandal. Google was also recently discovered to be recording the locations of its users via their mobile devices, even when they have requested not to be tracked by turning their “Location History” off.

Google has said that its users can opt out at any time through their Web and App Activity controls, but that control governs only what Google keeps about you; it does not change what your card issuer and network hold about your transactions.

All-in-all, on the face of it, you could be forgiven for thinking that this looks like a good deal for Google and MasterCard, a good deal for Google’s merchant advertisers, a potentially bad deal for consumers, and hopefully not a good deal for cyber-criminals.

Superdrug Customers Informed of Hack

Superdrug is reported to have advised online customers to change their passwords after it was targeted by hackers who claim to have stolen the details of approximately 20,000 Superdrug customers.

Hundreds Compromised – Could Be More

To date, Superdrug has confirmed that 386 customer accounts are known to have been compromised, but that it is still working to try to establish the exact number. It is possible, therefore, that the number could be many more.

Contacted By Hackers

Superdrug is reported to have been contacted by a person representing a hacking group and claiming to have hacked their systems, and this person provided stolen customer information as proof. Superdrug was able to confirm the authenticity of the information from their own record of customer email and log-in details. The hacker is reported to have claimed that the details belonging to 20,000 customers were stolen, and has asked for a ransom from Superdrug.

May Have Got From Elsewhere

Even though the natural assumption is that the mystery hackers broke into Superdrug’s own systems to get the customer data, Superdrug says this is not the case: the attackers obtained email addresses and passwords leaked from other websites and replayed those credentials against the Superdrug login page (a credential-stuffing attack), succeeding wherever a customer had reused the same password.
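Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts in a short window, mostly failing, with an occasional success wherever a password was reused. As an added example (written for this page, not Superdrug’s code or logs), the script below finds that pattern in a constructed login log and lists the accounts whose successful logins from a flagged source should be treated as compromised and force-reset. The log format, thresholds and IP addresses are all assumptions for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format and addresses): one source tries
# ten different accounts in a few seconds, one brute-forces a single account,
# and one is an ordinary login.
SAMPLE_LOG = """\
2018-08-20T10:00:01Z ip=198.51.100.7 user=alice@example.net result=FAIL
2018-08-20T10:00:02Z ip=198.51.100.7 user=bob@example.net result=FAIL
2018-08-20T10:00:02Z ip=198.51.100.7 user=carol@example.net result=OK
2018-08-20T10:00:03Z ip=198.51.100.7 user=dave@example.net result=FAIL
2018-08-20T10:00:03Z ip=198.51.100.7 user=erin@example.net result=FAIL
2018-08-20T10:00:04Z ip=198.51.100.7 user=frank@example.net result=OK
2018-08-20T10:00:05Z ip=198.51.100.7 user=grace@example.net result=FAIL
2018-08-20T10:00:05Z ip=198.51.100.7 user=heidi@example.net result=FAIL
2018-08-20T10:00:06Z ip=198.51.100.7 user=ivan@example.net result=FAIL
2018-08-20T10:00:06Z ip=198.51.100.7 user=judy@example.net result=FAIL
2018-08-20T10:05:00Z ip=203.0.113.9 user=alice@example.net result=FAIL
2018-08-20T10:05:20Z ip=203.0.113.9 user=alice@example.net result=FAIL
2018-08-20T10:05:45Z ip=203.0.113.9 user=alice@example.net result=OK
2018-08-20T10:07:00Z ip=192.0.2.44 user=bob@example.net result=OK
"""


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 8) -> dict:
    """Flag any source IP that tries at least min_distinct_users different
    accounts within a sliding time window. Returns {ip: finding}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        in_window = deque()          # events inside the current sliding window
        users_in_window = Counter()  # distinct accounts seen in that window
        peak = 0
        for event in events:
            in_window.append(event)
            users_in_window[event["user"]] += 1
            # Drop events that have fallen out of the window.
            while event["ts"] - in_window[0]["ts"] > window:
                old = in_window.popleft()
                users_in_window[old["user"]] -= 1
                if users_in_window[old["user"]] == 0:
                    del users_in_window[old["user"]]
            peak = max(peak, len(users_in_window))
        if peak >= min_distinct_users:
            findings[ip] = {
                "peak_distinct_users": peak,
                "attempts": len(events),
                "failures": sum(e["result"] == "FAIL" for e in events),
                # Successful logins from a stuffing source are the reused passwords.
                "accounts_to_reset": sorted(e["user"] for e in events if e["result"] == "OK"),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

Note that the single-account brute force from 203.0.113.9 is deliberately not flagged by this rule; it needs a per-account lockout or rate limit instead. The distinguishing feature of stuffing is breadth across accounts, not depth on one, which is why the detector counts distinct users rather than raw failures.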

What Kind of Details?

Superdrug has said that, of the compromised accounts that it knows about, names, addresses, some dates of birth, and some telephone numbers may have been stolen, but that no customer payment card details have been accessed.

Actions

Superdrug has said that it has contacted the Police and Action Fraud (the UK’s national reporting centre for fraud and cyber-crime) and is offering them all the information they need for an investigation.

Informed Customers

Those customers whose accounts had been compromised were sent an email by Superdrug explaining the situation, asking them to change their passwords, and advising them to change them regularly in future.

Anger Over Tweet

A tweet sent by Superdrug to confirm that the emails received by affected customers were genuine provoked anger, mostly because it failed to include an apology.

What Does This Mean For Your Business?

Although exact numbers of those affected and exact details of how customer data was obtained and accounts accessed have not yet been confirmed, the fact is that at least several hundred customers of a trusted high street brand have ended up being victims of crime, and Superdrug has (at the very least) a PR battle on its hands.

Sadly, Superdrug is one of many well-known companies with data breaches that have made the headlines, affected many customers, and damaged their own company reputations. For example, a Dixons Carphone breach from last year saw the theft of 10 million customer records.

Not just because of possible fines under GDPR, businesses and organisations should be putting customer data protection very high on their list of business priorities: strong data security policies, procedures, practices and defences protect the customer, the company and its reputation, preserve the vital and valuable bond of trust between merchant and customer, and send a message that customer security concerns are taken seriously.

Google Location Tracking, Even When Switched Off?

An Associated Press report has accused Google of recording the locations of its users via their mobile devices, even when they have requested not to be tracked by turning their “Location History” off.

Discovered

The apparent tracking without permission was discovered during research, when a Princeton privacy researcher noticed in his account that Google had tracked his many different locations along a route after he had been travelling for several days, despite his Location History being turned off.

Also, research has revealed that, even when Location History is paused / switched off, some Google apps store time-stamped location data without specifically asking your permission. For example, Google stores data about where you are when you simply open the Maps app, automatic daily weather updates on Android can discover roughly where you are, and some searches apparently unrelated to your location can also pinpoint your exact latitude and longitude, and save it to your Google account.

Could Affect Billions

It is thought that this could affect around two billion Android and Apple devices which use Google for maps or search.

What Is “Location History” and Why Have It Anyway?

According to Google, Location History is one of several ways to improve the experience of users, and works with features such as Google Maps. For example, if you agree to let Google Maps record your location over time, it will display that history for you in a “timeline” that maps out your daily movements.

Google says that Location History helps you to find the places you’ve been and the routes you’ve travelled. Google states that, when you choose to enable Location History, it records your location data and places in your Google Account, even when you’re not using Google Maps.

What’s The Problem?

The problem is that Google also states that “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

Also, researchers have discovered that two settings (rather than one) need to be disabled in order to prevent tracking. Users need to turn off both “Location History” and “Web & App Activity” in order to opt out. Some commentators feel that this has not been made clear by Google.

The Issues

The issues with this are that:

– In the UK, for example, this may constitute a lack of transparency, openness and fairness under GDPR about what users are being told is happening to their data and what is actually happening.

– Users appear to have chosen to opt out of something / not give their consent to something that relates to their privacy and the security of their personal data, and yet have not been opted out completely by the company (possible issues of GDPR compliance).

– Some commentators have described it as ‘sneaky’ and it could certainly be an issue that affects the trust of users.

– Location data of this kind has been used by police (in the US) to track suspects, and could also potentially be used by other players e.g. cyber criminals if they had access to the user’s account. This could put users at risk.

– Location data can also be used to target people with location-based advertising. This may be something that users would like to avoid.

What Can You Do To Avoid Being Tracked In This Way?

The Associated Press has produced a guide which details what actions you can take to avoid being tracked by Google, even if your Location History on your mobile device is paused / turned off. The guide can be found here: https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494/How-to-find-and-delete-where-Google-knows-you’ve-been

What Does This Mean For Your Business?

This story should be a reminder, particularly since the introduction of GDPR, that people value their privacy and security, and that businesses now have a strong legal responsibility to take this seriously. Transparency, fairness, and openness are vital when telling your customers what you’re doing / what you plan to do with their data. The issue of consent, i.e. your customers choosing to withdraw consent and your business complying fully with those requests, should now be treated very seriously, and there must be consistency between what your company says it is going to do and what actually happens.

Sadly, it appears that all too often, large organisations / companies don’t appear to be handling our data in a way that we would like or have requested. For example, Facebook’s sharing of the personal data of 87 million users with Cambridge Analytica caused widespread outrage, and recently the ‘Deceived By Design’ report by the Norwegian government-funded Consumer Council has accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

It may be that we have to wait a little longer and see a few more big tech companies being properly held to account before things start to really change for the better for users.