Архив рубрики: Privacy

Auto Added by WPeMatico

Sunshine Contacts may have given out your home address, even if you’re not using the app

A third-party contacts app you’re not using may be handing out your home address to its users. In November, former Yahoo CEO and Google veteran Marissa Mayer and co-founder Enrique Muñoz Torres introduced their newly rebranded startup Sunshine, and its first product, Sunshine Contacts. The new iOS app offers to organize your address book by handling duplicates and merges using AI technology, as well as fill in some of the missing bits of information by gathering data from the web — like LinkedIn profiles, for example.
But some users were surprised to find they suddenly had home addresses for their contacts, too, including for those who were not already Sunshine users.
TechCrunch reached out to Sunshine to better understand the situation, given the potential privacy concerns.

We understand there are several ways that users may encounter someone’s home address in the Sunshine app. A user may already have the address on file in their phone’s address book, of course, or they may have opted in to allow Sunshine to scan their inbox in order to extract information from email signature lines. This is a feature common to other personal CRM solutions, too, like Evercontact.
In the event that someone had signed an email with their home address included in this field, that data could then be added to their contact card in the Sunshine app. In this case, the contact card is updated in the Sunshine Contacts app, which then syncs with your phone’s address book. But this data is not distributed to any other app users.

Image Credits: Sunshine

The app also augments contact cards with information acquired by other means. For example, it may use the information you do have to complete missing fields — like adding a last name, when you had other data that indicated what someone’s full name is, but hadn’t completed filling out the card. The app may also be able to pull in data from a LinkedIn profile, if available.
For home addresses, Sunshine is using the Whitepages API.
The company confirmed to TechCrunch it’s augmenting contact cards with home addresses under some circumstances, even if that contact is not a Sunshine Contacts user. Sunshine says it doesn’t believe this to be any different from a user going to Google to look for someone’s contact information on the web — it’s just automating the process.
Of course, some would argue when you’re talking about automating the collection of home addresses for hundreds or potentially thousands of users — depending on the size of your personal address book database — it’s a bit different than if you went googling to find your aunt’s address so you can mail a Christmas card or called your old college roommate to find out where to send their birthday gift.
However, Sunshine clarified to TechCrunch that it won’t add the home address except in cases when it determines you have a personal connection to the contact in question.
Here, though, Sunshine enters a gray area where the app and its technology will try to figure out who you know well enough to need a home address.
Before adding the address, Sunshine requires you to have the contact’s phone number on file in your address book, not just their email. That would eliminate some people you only have a loose connection with through work, for instance. And it only updates with the home address if the partner API is able to associate that address with a phone number you have.

Image Credits: Sunshine

In addition, Sunshine says that it’s generally able to understand the type of phone number you have on file — like if it’s a residential or business line, or if it’s a landline or mobile number. (It uses APIs to do this, similar to StrikeIron’s though not that particular one.) It also knows who the phone number belongs to. Using this information and further context, the app tries to determine if a phone number is a personal or a professional number and it will try to understand your relationship with the person who owns that number.
In practice, what this means is that if all the information you had on file for a contact was professional information — where they worked, a job title, a work email and a phone number, perhaps — then that person’s contact card would not be updated to include their home address, too.
And because many people use their personal cell for work, Sunshine won’t consider someone a “personal” relationship just because you have their mobile phone number. For example, if you had only a contact’s name and a cell number, you wouldn’t be able to use the app to get their home address.
The result of all this automated analysis is that Sunshine, in theory, only updates contact cards with home addresses where it’s determined there’s a personal relationship.
This, of course, doesn’t take into account some scenarios like bad exes, stalking or a general desire for privacy. Arguably, there are times when someone may have a lot of personal information for a contact in their address book, but the contact in question would rather not have their home address distributed to that person.
The only way to prevent this, presumably, would be to opt out at the source: Whitepages.com. (Once you have your profile URL from the Whitepages website, you can use this online form to have your information suppressed.)

Image Credits: Sunshine

The way the app functions raises questions about what is truly private information these days.
Sunshine points out that people’s home addresses are not as hidden from the world as they may think, which makes them fair game.
It’s true that our home addresses are often publicly available. Although it’s been years since most of us have had a telephone directory dropped on our doorstep with phone and address listings for people in our city, home addresses today are relatively trivial to find when you know where to look online.
In addition to public records — like voter registration databases — there are web-based people finders, too.
Sunshine’s partner, Whitepages.com, makes visitors pay for its data, but others like TruePeopleSearch.com don’t have the same paywall. With someone’s first and last name and city, its website provides access to someone’s home address, prior addresses, cell phone, age and the names of family members and other close associates. (TruePeopleSearch is not a Sunshine partner, we should clarify.)

Marissa Mayer’s startup launches its first official product, Sunshine Contacts

Even though this data is “public,” it’s uncomfortable to see it casually distributed in an app, as that makes it even easier to get to than before.
Plus, after years of being burned by data breaches and data privacy scandals, people tend to be more protective of their personal information than before. And, had they been asked, many would probably decline to have their home addresses shared with Sunshine’s user base. Generally speaking, people appreciate the courtesy of having someone come ask for a home address, when it’s needed — they may not want an app creeping the web to find it and hand it out.
Sunshine Contacts is in an invite-only beta in the U.S., so the company has time to reconsider how this feature is implemented based on user feedback before it becomes widely available.

Sunshine Contacts may have given out your home address, even if you’re not using the app

Apple’s IDFA gets targeted in strategic EU privacy complaints

A unique device identifier that Apple assigns to each iPhone for third parties to track users for ad targeting — aka the IDFA (Identifier for Advertisers) — is itself now the target of two new complaints filed by European privacy campaign not-for-profit, noyb.
The complaints, lodged with German and Spanish data protection authorities, contend that Apple’s setting of the IDFA breaches regional privacy laws on digital tracking because iOS users are not asked for their consent for the initial storage of the identifier.
Noyb is also objecting to others’ being able to access the IDFA without prior consent — with one of its complainants writing that they were never asked for consent for third-party access yet found several apps had shared their IDFA with Facebook (per their off-Facebook activity page).

We’ve reached out to the data protection agencies in question for comment. Update: Spain’s AEPD confirmed it has received noyb’s complaint and said it will investigate — making no further comment at this stage.
While Apple isn’t the typical target for digital privacy campaigners, given it makes most of its money selling hardware and software instead of profiling users for ad targeting, as adtech giants like Facebook and Google do, its marketing rhetoric around taking special care over user privacy can look awkward when set against the existence of an Identifier for Advertisers baked into its hardware.
In the European Union there’s a specific legal dimension to this awkwardness — as existing laws require explicit consent from users to (non-essential) tracking. Noyb’s complaints cite Article 5(3) of the EU’s ePrivacy Directive, which mandates that users must be asked for consent to the storage of ad-tracking technologies such as cookies. (And noyb argues the IDFA is just like a tracking cookie but for iPhones.)
Europe’s top court further strengthened the requirement last year when it made it clear that consent for non-essential tracking must be obtained prior to storing or accessing the trackers. The CJEU also ruled that such consent cannot be implied or assumed — such as by the use of pre-checked “consent” boxes.

Europe’s top court says active consent is needed for tracking cookies

In a press release about the complaints, noyb’s Stefano Rossetti, a privacy lawyer, writes: “EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.”
Apple has long controlled how third parties serving apps on its iOS platform can use the IDFA, wielding the stick of ejection from its App Store to drive their compliance with its rules.
Recently, though, it has gone further — telling advertisers this summer they will soon have to offer users an opt-out from ad tracking in a move billed as increasing privacy controls for iOS users — although Apple delayed implementation of the policy until early next year after facing anger from advertisers over the plan. But the idea is there will be a toggle in iOS 14 that users need to flip on before a third-party app gets to access the IDFA to track iPhone users’ in-app activity for ad targeting.
However, noyb’s complaint focuses on Apple’s setting of the IDFA in the first place — arguing that since the pseudonymised identifier constitutes private (personal) data under EU law they need to get permission before creating and storing it on their device.
“The IDFA is like a ‘digital license plate’. Every action of the user can be linked to the ‘license plate’ and used to build a rich profile about the user. Such profile can later be used to target personalised advertisements, in-app purchases, promotions etc. When compared to traditional internet tracking IDs, the IDFA is simply a ‘tracking ID in a mobile phone’ instead of a tracking ID in a browser cookie,” noyb writes in one complaint, noting that Apple’s privacy policy does not specify the legal basis it uses to “place and process” the IDFA.
Noyb also argues that Apple’s planned changes to how the IDFA gets accessed — trailed as incoming in early 2021 — don’t go far enough.
“These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself),” it writes. “Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.”
We reached out to Apple for comment on noyb’s complaints but at the time of writing an Apple spokesman said it did not have an on-the-record statement. The spokesman did tell us that Apple itself does not use unique customer identifiers for advertising. Update: The company has now sent us this statement:
The claims made against Apple in this complaint are factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint. Apple does not access or use the IDFA on a user’s device for any purpose. Our aim is always to protect the privacy of our users and our latest software release, iOS 14, is giving users even greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers. Our practices comply with European law and support and advance the aims of the GDPR and the ePrivacy Directive, which is to give people full control over their data.
In a separate but related recent development, last month publishers and advertisers in France filed an antitrust complaint against the iPhone maker over its plan to require opt-in consent for accessing the IDFA — with the coalition contending the move amounts to an abuse of market power.
Apple responded to the antitrust complaint in a statement that said: “With iOS 14, we’re giving users the choice whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers.”
“We believe privacy is a fundamental human right and support the European Union’s leadership in protecting privacy with strong laws such as the GDPR (General Data Protection Regulation),” Apple added then.
That antitrust complaint may explain why noyb has decided to file its own strategic complaints against Apple’s IDFA. Simply put, if no tracker ID can be created — because an iOS user refuses to give consent — there’s less surface area for advertisers to try to litigate against privacy by claiming tracking is a competitive right.
“We believe that Apple violated the law before, now and after these changes,” said Rossetti in another statement. “With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default.”
Another interesting component of the noyb complaints is they’re being filed under the ePrivacy Directive, rather than under Europe’s (newer) General Data Protection Regulation. This means noyb is able to target them to specific EU data protection agencies, rather than having complaints funnelled back to Ireland’s DPC — under the GDPR’s one-stop-shop mechanism for handling cross-border cases.
Its hope is this route will result in swifter regulatory action. “These cases are based on the ‘old’ cookie law and do not trigger the cooperation mechanism of the GDPR. In other words, we are trying to avoid endless procedures like the ones we are facing in Ireland,” added Rossetti.

Lack of big tech GDPR decisions looms large in EU watchdog’s annual report

Apple’s IDFA gets targeted in strategic EU privacy complaints

Apple will release macOS Big Sur on November 12

Apple’s upcoming desktop and laptop operating system, macOS Big Sur, will be released on November 12, the company announced today.
MacOS Big Sur — which stays with the company’s California-themed naming scheme — will arrive with a new and refreshed user interface, new features and performance improvements.
Many of the features in iOS 14 are porting over — including improved Message threading and in-line replies and a redesigned Maps app. The new Apple software also comes with a new Control Center, with quick access to brightness, volume, Wi-Fi and Bluetooth.
Safari also gets a much-needed lick of paint. It comes with new privacy and security features, including an in-built intelligence tracking prevention that stops trackers following you across the web, and password monitoring to save you from using previously breached passwords.
If you’re wondering what macOS Big Sir is like to work on, TechCrunch’s Brian Heater took the new software for a spin in August.
MacOS Big Sur will be supported on Macs and MacBooks dating back to 2013.
Read more:

Apple is building its own processors for future Macs
What we expect from Apple’s ‘One More Thing’ Mac event
macOS 11.0 Big Sur preview
More from Apple’s November Mac Event

macOS 11.0 Big Sur preview

Apple will release macOS Big Sur on November 12

Google launches the final beta of Android 11

With the launch of Android 11 getting closer, Google today launched the third and final beta of its mobile operating system ahead of its general availability. Google had previously delayed the beta program by about a month because of the coronavirus pandemic.
Image Credits: Google
Since Android 11 had already reached platform stability with Beta 2, most of the changes here are fixes and optimizations. As a Google spokesperson noted, “this beta is focused on helping developers put the finishing touches on their apps as they prepare for Android 11, including the official API 30 SDK and build tools for Android Studio.”
The one exception is some updates to the Exposure Notification System contact-tracing API, which users can now use without turning on device location settings. Exposure Notification is an exception here, as all other Android apps need to have location settings on (and user permission to access it) to perform the kind of Bluetooth scanning Google is using for this API.
Otherwise, there are no surprises here, given that this has already been a pretty lengthy preview cycle. Mostly, Google really wants developers to make sure their apps are ready for the new version, which includes quite a few changes.
If you are brave enough, you can get the latest beta over the air as part of the Android Beta program. It’s available for Pixel 2, 3, 3a, 4 and (soon) 4a users.

Google’s budget Pixel 4a addresses its premium predecessor’s biggest problem

Google launches the final beta of Android 11

UK gives up on centralized coronavirus contacts-tracing app — will ‘likely’ switch to model backed by Apple and Google

The UK has given up building a centralized coronavirus contacts-tracing app and will instead switch to a decentralized app architecture, the BBC has reported. This suggests its any future app will be capable of plugging into the joint ‘exposure notification’ API which has been developed in recent weeks by Apple and Google.
The UK’s decision to abandon a bespoke app architecture comes more than a month after ministers had been reported to be eyeing such a switch. They went on to award a contract to an IT supplier to develop a decentralized tracing app in parallel as a backup — while continuing to test the centralized app, which is called NHS COVID-19.
At the same time, a number of European countries have now successfully launched contracts-tracing apps with a decentralized app architecture that’s able to plug into the ‘Gapple’ API — including Denmark, Germany, Italy, Latvia and Switzerland. Several more such apps remain in testing. While EU Member States just agreed on a technical framework to enable cross-border interoperability of apps based on the same architecture.
Germany — which launched the decentralized ‘Corona Warning App’ this week — announced its software had been downloaded 6.5M times in the first 24 hours. The country had initially appeared to favor a centralized approach but switched to a decentralized model back in April in the face of pushback from privacy and security experts.
The UK’s NHS COVID-19 app, meanwhile, has not progressed past field tests, after facing a plethora of technical barriers and privacy challenges — as a direct consequence of the government’s decision to opt for a proprietary system which uploads proximity data to a central server, rather than processing exposure notifications locally on device.
Apple and Google’s API, which is being used by all Europe’s decentralized apps, does not support centralized app architectures — meaning the UK app faced technical hurdles related to accessing Bluetooth in the background. The centralized choice also raised big questions around cross-border interoperability, as we’ve explained before. Questions had also been raised over the risk of mission creep and a lack of transparency and legal certainty over what would be done with people’s data.
So the UK’s move to abandon the approach and adopt a decentralized model is hardly surprising — although the time it’s taken the government to arrive at the obvious conclusion does raise some major questions over its competence at handling technology projects.
Michael Veale, a lecturer in digital rights and regulation at UCL — who has been involved in the development of the DP3T decentralized contacts-tracing standard, which influenced Apple and Google’s choice of API — welcomed the UK’s decision to ditch a centralized app architecture but questioned why the government has wasted so much time.
“This is a welcome, if a heavily and unnecessarily delayed, move by NHSX,” Veale told TechCrunch. “The Google -Apple system in a way is home-grown: Originating with research at a large consortium of universities led by Switzerland and including UCL in the UK. NHSX has no end of options and no reasonable excuse to not get the app out quickly now. Germany and Switzerland both have high quality open source code that can be easily adapted. The NHS England app will now be compatible with Northern Ireland, the Republic of Ireland, and also the many destinations for holidaymakers in and out of the UK.”
Perhaps unsurprisingly, UK ministers are now heavily de-emphasizing the importance of having an app in the fight against the coronavirus at all.
The Department for Health and Social Care’s, Lord Bethell, told the Science and Technology Committee yesterday the app will not now be ready until the winter. “We’re seeking to get something going for the winter, but it isn’t a priority for us,” he said.
Yet the centralized version of the NHS COVID-19 app has been in testing in a limited geographical pilot on the Isle of Wight since early May — and up until the middle of last month health minister, Matt Hancock, had said it would be rolled out nationally in mid May.
Of course that timeframe came and went without launch. And now the prospect of the UK having an app at all is being booted right into the back end of the year.
Compare and contrast that with government messaging at its daily coronavirus briefings back in May — when Hancock made “download the app” one of the key slogans — and the word ‘omnishambles‘ springs to mind…
NHSX relayed our request for comment on the switch to a decentralized system and the new timeframe for an app launch to the Department of Health and Social Care (DHSC) — but the department had not responded to us at the time of publication.
Earlier this week the BBC reported that a former Apple executive, Simon Thompson, was taking charge of the delayed app project — while the two lead managers, the NHSX’s Matthew Gould and Geraint Lewis — were reported to be stepping back.
Back in April, Gould told the Science and Technology Committee the app would “technically” be ready to launch in 2-3 weeks’ time, though he also said any national launch would depend on the preparedness of a wider government program of coronavirus testing and manual contacts tracing. He also emphasized the need for a major PR campaign to educate the public on downloading and using the app.
Government briefings to the press today have included suggestions that app testers on the Isle of Wight told it they were not comfortable receiving COVID-19 notifications via text message — and that the human touch of a phone call is preferred.
However none of the European countries that have already deployed contacts-tracing apps has promoted the software as a one-stop panacea for tackling COVID-19. Rather tracing apps are intended to supplement manual contacts-tracing methods — the latter involving the use of trained humans making phone calls to people who have been diagnosed with COVID-19 to ask who they might have been in contact with over the infectious period.
Even with major resource put into manual contacts-tracing, apps — which use Bluetooth signals to estimate proximity between smartphone users in order to calculate virus expose risk — could still play an important role by, for example, being able to trace strangers who are sat near an infected person on public transport.
Update: The DHSC has now issued a statement addressing reports of the switch of app architecture for the NHS COVID-19 app — in which it confirms, in between reams of blame-shifting spin, that it’s testing a new app that is able to plug into the Apple and Google API — and which it says it may go on to launch nationally, but without providing any time frame.
It also claims it’s working with Apple and Google to try to enhance how their technology estimates the distance between smartphone users.
“Through the systematic testing, a number of technical challenges were identified — including the reliability of detecting contacts on specific operating systems — which cannot be resolved in isolation with the app in its current form,” DHSC writes of the centralized NHS COVID-19 app.
“While it does not yet present a viable solution, at this stage an app based on the Google / Apple API appears most likely to address some of the specific limitations identified through our field testing.  However, there is still more work to do on the Google / Apple solution which does not currently estimate distance in the way required.”
“Based on this, the focus of work will shift from the current app design and to work instead with Google and Apple to understand how using their solution can meet the specific needs of the public,” it adds. 
We reached out to Apple and Google for comment. Apple declined to comment.
According to one source, the UK has been pressing for the tech giants’ API to include device model and RSSI info alongside the ephemeral IDs which devices that come into proximity exchange with each other — presumably to try to improve distance calculations via a better understanding of the specific hardware involved.
However introducing additional, fixed pieces of device-linked data would have the effect of undermining the privacy protections baked into the decentralized system — which uses ephemeral, rotating IDs in order to prevent third party tracking of app users. Any fixed data-points being exchanged would risk unpicking the whole anti-tracking approach.
Norway, another European country which opted for a centralized approach for coronavirus contacts tracing — but got an app launched in mid April — made the decision to suspend its operation this week, after an intervention by the national privacy watchdog. In that case the app was collecting both GPS and Bluetooth —  posing a massive privacy risk. The watchdog warned the public health agency the tool was no longer a proportionate intervention — owing to what are now low levels of coronavirus risk in the country.

UK gives up on centralized coronavirus contacts-tracing app — will ‘likely’ switch to model backed by Apple and Google