privacy scandals – Techdirt

Researchers Again Show How Major VPNs Quietly Undermine User Security

from the first-do-no-harm dept

Given the seemingly endless privacy scandals that now engulf the tech, telecom, and adtech sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to try and protect themselves in the wake of scandals, breaches, and hacks.

Unfortunately, many consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bulletproof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

A Consumer Reports study late last year took a look at 16 top VPN providers, and found that the majority of them misrepresented their products or their data retention practices, and many of the companies actually put consumer privacy at greater risk. Only a quarter of the VPNs looked at clearly indicated how long they retain user browsing and other data.

Other VPNs simply don’t provide particularly stellar security, despite marketing claiming that’s the entire reason they exist. For example, Surfshark, TurboVPN, Sumrando VPN, and several other VPN providers were recently accused of installing a trusted root certificate authority (CA) cert on user devices, often without user knowledge or approval.

This risky root certificate exposes the users of these VPNs to an increased risk of man-in-the-middle and other attacks:

The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device.

Plus, an attacker who gets hold of the private key that belongs to a trusted root certificate authority can generate certificates for his own purposes and sign them with the private key.
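The practical defensive check that follows from the warning above is to audit your own trust store for roots you never chose to trust. The script below is an added example, not code from the article or from any VPN vendor: it generates two throwaway self-signed CAs (a "known" one and one standing in for a VPN-installed root), then flags every certificate in a PEM bundle whose SHA-256 fingerprint is missing from an allowlist you maintain. It assumes openssl, awk and grep are installed; the file names, CNs and allowlist format are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag root certificates in a PEM bundle that are not on an allowlist.
# Assumes openssl/awk/grep; the certificates and allowlist below are constructed locally.
set -e

# Print one line per certificate in bundle $1 whose SHA-256 fingerprint is not in $2.
audit_trust_bundle() {
    bundle="$1"; allowlist="$2"
    tmp=$(mktemp -d)
    # Split the bundle so openssl can inspect one certificate at a time.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (d "/cert" n ".pem")}' "$bundle"
    for c in "$tmp"/cert*.pem; do
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | sed 's/^.*=//')
        if ! grep -qxF "$fp" "$allowlist"; then
            echo "UNEXPECTED ROOT: $(openssl x509 -in "$c" -noout -subject) fp=$fp"
        fi
    done
    rm -rf "$tmp"
}

# Constructed demo: one root you recognise and one that a VPN installer might have added.
WORK=$(mktemp -d)
for cn in "Known Corporate Root CA" "Example VPN Root CA"; do
    f=$(echo "$cn" | tr ' ' '_')
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$WORK/$f.key" -out "$WORK/$f.pem" 2>/dev/null
done
cat "$WORK"/*.pem > "$WORK/bundle.pem"
# The allowlist holds only the fingerprint of the root you actually decided to trust.
openssl x509 -in "$WORK/Known_Corporate_Root_CA.pem" -noout -fingerprint -sha256 \
    | sed 's/^.*=//' > "$WORK/allow.txt"

# Expected: exactly one line, naming "Example VPN Root CA".
audit_trust_bundle "$WORK/bundle.pem" "$WORK/allow.txt"
```

On a real machine, point the function at your system bundle (for example the one `openssl version -d` locates) and at a fingerprint list captured before the VPN client was installed.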

For consumers, determining which VPN provides useful security and which VPN is a privacy and security dumpster fire isn’t easy, especially given that so many VPN reviews are little more than affiliate-kickback blogspam. So while quality VPNs are still definitely useful, experts increasingly point out that unless you know what you’re buying and really need the protection, they’re often just not worth it.

Filed Under: consumers, privacy, privacy scandals, root cert, vpn

John Oliver Tries To Scare DC Into Doing Something About The Privacy Dumpster Fire That Is Adtech

from the incompetent-by-design dept

Tue, Apr 12th 2022 12:11pm - Karl Bode

We’ve noted for years that the adtech sector is a convoluted, unregulated hellscape, where consumer data is bought and sold with nothing remotely close to competent oversight. The end result is just about what you’d expect: a percussive parade of massive scandals in which location, financial, and other sensitive data is bought, sold, leaked, abused, hacked, and spread far and wide with little real recourse.

Despite this, the U.S. still hasn’t passed even a baseline privacy law for the Internet era. And while some folks will insist it’s because it’s too hard, the real reason is because there’s simply too much money being made; and wealth accumulation, if you hadn’t noticed in the United States, trumps all things.

Last week John Oliver did a fantastic bit explaining the (quite intentionally) complicated, ethics-optional mess that is adtech, with a specific focus on data brokers:

Oliver points out just some of the many scandals in the space (like that time Epsilon Data Management knowingly sold the data of 30 million elderly people to criminals who then scammed them repeatedly, or the time widely available cellular consumer location data was abused by stalkers).

But Oliver then does something entertaining: he reveals that his show directly approached data brokers and purchased the online behavior and location data of many people who are likely lawmakers working in or around the Capitol building. Oliver only makes a few vague nods to some of the questionable browsing activity he discovered, while hoping lawmakers are now motivated to do something about it:

“You might want to channel that worry into making sure that I can’t do anything,” he advised. “Sleep well!”

Again, I’d wager he may not have actually found much of anything about any specific lawmaker, but it’s an amusing feint all the same. And we desperately need something to motivate the entirety of DC, because what we’re doing now (inconsistent wrist slaps years after violations, fines that are a tiny fraction of the money made from the abuse — and, oh yeah, here’s some free credit reporting) isn’t working.

Again, if we actually cared about this stuff, it wouldn’t be that difficult to fix.

A fairly basic Internet privacy law, combined with actually funding and staffing regulators at the FTC, would go a long way toward addressing the issue. But we don’t do that. Again, not because it would be all that difficult or expensive (even though adtech is overly complicated by design to try and dodge oversight), but because the cash trough of consumer data monetization is just too lucrative.

Attempting to rein in just the telecom sector or just the airline sector is one thing (and you may have noticed we can’t even do that). But when you target the online consumer data space you’re going up against a massive coalition of industries with bottomless lobbying budgets, including “big tech,” telecom, software, health care, marketing, and more. All of which like things just the way they are: broken and hugely profitable.

What I still think will happen is eventually there will be a data scandal too massive and problematic to ignore, featuring a lot of very powerful and influential people. Likely a scandal that puts human lives at risk in some way. Only then will DC wake up to the perils of letting the adtech market run amok, and even then my faith in DC competently crafting helpful solutions in response remains shaky at best.

Filed Under: adtech, behavioral data, blackmail, congress, consumers, data brokers, ftc, hacking, hbo, john oliver, location data, privacy, privacy scandals