Fight For Privacy

A community to post, discuss and fight for our privacy.

Post Title Rule

Tag what the post is:

Post examples

Language: English

Rules

  1. Keep the topic on privacy
  2. Be respectful and tolerant
  3. When posting a link, use tools like CleanURL to get rid of trackers
  4. When posting numbers or statements, you need to link the source
  5. Promotion of products/brands is forbidden
  6. Politics not regarding privacy is forbidden, keep it on laws/decisions that concern privacy
  7. If possible post Invidious links instead of YouTube

founded 1 year ago
26
 
 

When I call my bank, the greeting now says my voice will be recorded for verification purposes. There is no opt-out.

I remain silent and refuse to speak to the bot now. I sometimes need to push buttons to get a human. The question is-- are they also recording my chatter with the human in order to collect a #voiceprint?

What’s the countermeasure? Should we all use a voice disguising tool to sound like Abraham Lincoln or Elvis?

27
15
submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/[email protected]
 
 

cross-posted from: https://links.hackliberty.org/post/125466

My credit card issuer apparently never gets to know what I purchased at stores, cafes, & restaurants -- and rightfully so. The statement just shows the shop name, location, and amount.

Exceptionally, if I purchase airfare the bank statement reveals disclosures:

  • airline who sold the ticket
  • carrier
  • passenger name
  • ticket number
  • city pairs

So that’s a disturbing over-share. In some cases the airline is a European flag carrier, so IIUC the GDPR applies, correct? Doesn’t this violate the data minimization principle?

Airlines no longer accept cash, which is also quite disturbing (and illegal in jurisdictions where legal tender must be accepted when presented for PoS transactions).

Has anyone switched to using a travel agent just to be able to pay cash for airfare?

UPDATE

A relatively convincing theory has been suggested in this other cross-posted community:

https://links.hackliberty.org/comment/414338

Apparently it’s because credit cards offer travel insurance & airlines have incentive to have another insurer involved. Would be useful if this were documented somewhere in a less refutable form.

28
29
5
submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/[email protected]
 
 

Hi all

I decided to add some new post categories because there were some discussion posts where it does not make sense to tag a country. To further organize the community, the following tags can now be used:

  • [ARTICLE] or [CH], etc.: Sharing articles, blog posts, etc. As before, use country tags, or if not country-specific, declare as article.
  • [DISCUSSION]: Everything that, as the name suggests, should or will be discussed.
  • [SEARCHING]: Looking for activists or supporters for privacy events/initiatives/referendums etc. If country specific combine with country tag.
  • [GUIDE]: Explaining processes, laws or other how to's.
  • [UPDATE]: News for our community, at the moment only for me as I'm the only moderator.

If there are other categories you would like to see, leave a comment.

30
 
 

The collection of DNA and other biometric identity data can lead to a scary reach of surveillance.

What are the laws in other (your) countries regarding this? In 2008 the EU court of human rights already mentioned concerns regarding laws:

A summary of the current global situation and issues for debate highlights: (1) a growing global consensus on the need for legislative provisions for the destruction of biological samples and deletion of innocent people’s DNA profiles, following the European Court of Human Rights’ judgement on this issue in 2008; (2) emerging best practice on scientific standards and standards for the use of DNA in court which are necessary to prevent miscarriages of justice; (3) ongoing debate regarding the appropriate safeguards for DNA collection from suspects; restrictions on access, use and data sharing across borders; and data protection standards. Conclusion: There is an ongoing need for greater public and policy d

Source: Forensic DNA databases–Ethical and legal standards: A global review

31
 
 

cross-posted from: https://fedia.io/m/privacy/t/312963

There’s a huge chain of ATMs in Netherlands called Geldmaat which is a partnership of Ing, Rabobank, ABN AMRO, possibly others.

So I have several questions w.r.t privacy:

  • when you draw money out, do all those banks have access to the transaction?

  • if you use a Rabobank card, does Ing see the transaction?

  • if you use a foreign card that is not associated to any of the partnered banks, which bank handles the transaction?

This trend is picking up in other countries as well and it seems no articles that announce these changes are talking about the #privacy consequences.

32
 
 

I went to a cafe in Amsterdam which turned out to not only be cashless, but their payment processor was “Zettle”. Zettle is owned by #PayPal (who shares customer data with over 600 corporations).

So my question is, apart from the expected privacy consequence of your bank & the recipient’s bank recording your transaction, what does Paypal walk away with? Paypal is a data-abusing US-based company. But OTOH the shop is in a #GDPR region. Does the GDPR give any protection in this case?

IIUC, customers consent by default to their data being processed by the merchant & whoever the merchant hires (Paypal), and from there whoever paypal shares with & on down the endless chain. The only notable GDPR protection I can think of is that the data must remain in the EU. So the transaction data cannot be sent to Paypal’s servers in the USA -- correct?

BTW, I asked the owner why he trusts Zettle & also why he does not accept cash. He conceded right away that he didn’t like it either. He said he’s cashless for security and that when he looked at a number of electronic payment systems, Zettle was the cheapest. For me, “cheapest” is a red flag. It’s probably cheap because the data is probably being monetized.

Concrete question: if an American feeds a US-issued credit card into a #Zettle terminal to buy a creme-filled artery-hardening pastry in Amsterdam, is there anything to stop Paypal from doing the processing on the US-side of the transaction before selling that info to a US health insurance company?

33
 
 

The U.K. Parliament has passed the Online Safety Bill (OSB), which says it will make the U.K. “the safest place” in the world to be online. In reality, the OSB will lead to a much more censored, locked-down internet for British users. The bill could empower the government to undermine not just the privacy and security of U.K. residents, but internet users worldwide.

It was clear that the parliament would pass this terrible bill. The only thing to do now is to hope that the EU does not follow the UK, but I'm rather pessimistic.

Time to prepare fallback technologies in case the services used now are declared unlawful and get forbidden or are forced to put backdoors in place.

34
35
 
 

Today I got a notification from WhatsApp about the new Privacy Policy for the European Region.

In that notification it mentions:

When we rely on legitimate interests, you have a right to object to our use of your information. You can do this here. You can also find out more information on how to exercise your rights.

For the fun of it, I filled out the form to object. Now I received a mail asking for:

  • Against which type of data processing are you objecting?
  • How does this data processing affect you?
  • Add more information which should be considered in this request

People with experience with data privacy, what basis and argumentation can I add here to support my request?

P.S.: I have no confidence that this will prevent WhatsApp from spying on me and I know I need to get rid of it. I am objecting because I feel people should do so, and if nothing else, then just to keep the WhatsApp lawyer busy.

36
 
 

A privacy policy can lay out a lot of important information that you cannot find anywhere else. Here’s a breakdown of the most useful details contained in most policies, and how to find them.

What information are they collecting?

Look for a section with a title like “Personal information we collect” or “How We Collect and Use Your Personal Data.” This will list types of data the company gathers both “automatically” and from you directly. You may see disclosures that the company collects your location, IP address, biometrics, or information from your web browser, such as cookies or trackers. Be on the lookout for hints that the company uses a tracking technique called fingerprinting, which can identify you even when you go out of your way to decline cookies or block trackers. It does so based on information about your device such as the operating system, manufacturer, or even screen resolution, so keep an eye out for whether that data is being collected.

It is sometimes impossible to know whether the collection described in sections like this is actually happening, said Sebastian Zimmeck, an assistant professor of computer science at Wesleyan University, who studies privacy. “The reason why many privacy policies are not meaningful is because companies ‘may’ collect your information. Or they may not,” Zimmeck wrote in an email.

Location, location, location

In the information collection section, you may see terms related to your whereabouts such as “geolocation,” “geofencing,” or “geotargeting.” This signals that the company is collecting one of the most sensitive categories of data. Researchers have repeatedly shown that the unique nature of our movements can reveal private information about our lives that we may not want others to have, including places of worship, medical providers, or even political protests.

Keep an especially close eye out for the term “precise geolocation,” which the California Consumer Privacy Act defines as “a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.”

Why are they collecting this information, and how do they use it?

Anonymization/aggregation might not be as good as it sounds. Sometimes a company might say that any data it shares has all identifying information removed. Its privacy policy might use terms like “de-identified” data in addition to “anonymous” or “aggregated” data. This sounds as if it makes information sharing more private, but there has been a great deal of research showing that it is possible and in some cases quite easy to re-identify personal data even after it has been masked or combined. It doesn’t matter if a company anonymizes your data if its “business partners” are just going to undo that work when they get it.

Code words for “ad targeting”

When a company says it uses your data to “personalize” or “enhance” your experience or “improve our services,” that can often mean it is analyzing your data for ad targeting. “Measuring the effectiveness” of advertisements or other activities can mean tracking what you click on or buy. Also look out for mentions of “interest-based advertising,” which means the company is analyzing your activity on the service and allowing third parties to infer your interests for the purpose of targeted advertising, in some cases even away from the site you’re on. If the policy talks about tracking you on other online services, this also means the company is tracking your browsing activity across the internet, not just on its service. It might do this directly or purchase the information from a third party.

...

40
 
 

Ordinance on the Protection of Minors in the Fields of Film and Video Games (JSFVV)

The law for the protection of minors, which was passed last year, caused a lot of controversy afterwards. Unfortunately, however, the referendum did not materialize. An interpellation by National Councilor Jörg Mäder also failed to provide more clarity. Now, the preliminary draft for an ordinance on the Protection of Minors Act has been published.

Edit: translation of summary from German to English by deepl.com

41
42
43
 
 

In late January 2023, almost 45 GB of source code from the Russian search giant Yandex was leaked on BreachForums by a former Yandex employee. While the leak itself did not contain user data, it reportedly contained the source code for all major Yandex services, including Metrika, which collects user analytics through a widely used SDK, and Crypta, Yandex’s behavioral analytics technology.

I got involved when a fellow privacy researcher reached out to verify what he’d found in a different part of the codebase. After spending the week digging around and verifying his findings, on Friday night I sat down with a glass of wine and decided to dig into something I was curious about. While there has been lots of speculation about what Yandex could do with the massive amounts of data it collects, this is the first time outsiders have been able to peek behind the curtain to confirm it, and what I’ve found is both fascinating and deeply unsettling.

44
 
 

Open source project Moq (pronounced "Mock") has drawn sharp criticism for quietly including a controversial dependency in its latest release.

Distributed on the NuGet software registry, Moq sees over 100,000 downloads on any given day, and has been downloaded over 476 million times over the course of its lifetime.

Moq's 4.20.0 release from this week quietly included another project, SponsorLink, which caused an uproar among open source software consumers, who likened the move to a breach of trust.

Seemingly an open-source project, SponsorLink is actually shipped on NuGet as closed source and contains obfuscated DLLs that collect hashes of user email addresses and send these to SponsorLink's CDN, raising privacy concerns.
