May 20, 2018 | Posted by | Breaches, Online, Surveillance, Youth & Schools

Zack Whittaker reports:

At least one server used by an app for parents to monitor their teenagers’ phone activity has leaked tens of thousands of accounts of both parents and children.

The mobile app, TeenSafe, bills itself as a “secure” monitoring app for iOS and Android, which lets parents view their child’s text messages and location, monitor who they’re calling and when, access their web browsing history, and find out which apps they have installed.

Read more on ZDNet.

May 20, 2018 | Posted by | Business, Featured News, Laws, Non-U.S.

Jon Baines writes:

I suspect everyone is now fed up to the back teeth of emails from long-forgotten and sometimes never-known businesses and organisations claiming they need us to renew our consent to receive electronic marketing from them. In many cases we never wanted the marketing in the first place and therefore almost certainly never consented to receive it, according to how “consent” has been construed in the operative law (the Data Protection Act 1998 (DPA), and, specifically, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)). Everyone is probably equally fed up with similar emails from businesses and organisations we do have a relationship with, and from whom we do want to hear. I’m not going to rehash the law on this – I’ve written and commented multiple times elsewhere (search “Jon Baines +banging head against a brick wall”), as have other, more sage people (try Tim Turner, Adam Rose or Matt Burgess).

But I did notice that the Information Commissioner’s Office (ICO) recently issued a broadly helpful corrective to some of the misinformation out there. I say “broadly helpful” because it is necessarily, and probably correctly, cautious about giving advice which could be potentially interpreted as “do nothing”. Nonetheless, it makes clear that in some cases, do nothing is precisely the right thing to do: although the definition of “consent” from the General Data Protection Regulation (GDPR) will drop into PECR, replacing the definition which currently applies (the one at section 11 (3) of the DPA), this does not represent a significant reconfiguring. In general, if you had proper consent before GDPR, you’ll have proper consent under GDPR, and if you didn’t, well, you probably don’t have consent to send an email asking for consent.

Read more on Information Rights and Wrongs.

May 18, 2018 | Posted by | Breaches, Business, Featured News, U.S.

Brian Krebs reports:

LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.

Read more on KrebsOnSecurity.com.

May 18, 2018 | Posted by | Business, Non-U.S.

Matthew Braga reports:

A joint venture between Canada’s three largest telecom companies has been selling the real-time location of its subscribers to third parties — as long as they have your consent, the company says.

EnStream, a joint venture between Rogers, Telus and Bell, isn’t new. It was originally formed in 2005 to develop ways for subscribers to make purchases with a mobile phone. Now, it’s in the business of providing “identity verification and authentication services,” helping third-party companies such as banks and insurance companies confirm you are who you say you are — and where you are.

It makes money, in part, by charging companies a fee to provide a user’s location.

Read more on CBC.