<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Privacy Alerts]]></title><description><![CDATA[Stay ahead of online threats and take control of your personal data with Privacy Alerts! Our newsletter provides the latest expert advice, tips, and tricks to safeguard your privacy in the digital world. Subscribe now to stay informed and empowered!]]></description><link>https://newsletter.yourdigitalrights.org</link><image><url>https://substackcdn.com/image/fetch/$s_!oqVg!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F5863274e-4461-42e5-8763-01397b9b1a07_1200x1200.png</url><title>Privacy Alerts</title><link>https://newsletter.yourdigitalrights.org</link></image><generator>Substack</generator><lastBuildDate>Mon, 06 Apr 2026 04:54:04 GMT</lastBuildDate><atom:link href="https://newsletter.yourdigitalrights.org/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Conscious Digital]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[info@yourdigitalrights.org]]></webMaster><itunes:owner><itunes:email><![CDATA[info@yourdigitalrights.org]]></itunes:email><itunes:name><![CDATA[Yoav Aviram]]></itunes:name></itunes:owner><itunes:author><![CDATA[Yoav Aviram]]></itunes:author><googleplay:owner><![CDATA[info@yourdigitalrights.org]]></googleplay:owner><googleplay:email><![CDATA[info@yourdigitalrights.org]]></googleplay:email><googleplay:author><![CDATA[Yoav Aviram]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Privacy Alerts: Discord, Prosper, Qantas]]></title><description><![CDATA[October 
2025]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-alerts-discord-prosper-qantas</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-alerts-discord-prosper-qantas</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Mon, 20 Oct 2025 15:28:12 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/bb0c3ab4-f7af-44c5-a8aa-e6322b23009f_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hi there,</p><p>Here are the three consumer-privacy stories from the past month we think are worth your time, with clear next steps.</p><h2>Discord age-verification images leaked</h2><p><strong>What happened</strong><br>A third-party support/verification vendor working with Discord was compromised. Images people uploaded for age checks, such as driver&#8217;s licenses, passports, and face selfies, were copied. The core issue isn&#8217;t just the breach; it&#8217;s the practice of collecting and storing high-risk documents in the first place, often via vendors users never see.</p><p><strong>What was exposed</strong><br>Scans/photos of government IDs and matching selfies, plus typical metadata (full name, birth date, document number, issuing country, sometimes address). Even if Discord deletes uploads promptly, a vendor may retain copies in tickets, logs, or backups.</p><p><strong>Who&#8217;s affected</strong><br>Anyone who submitted ID for Discord age verification in the relevant period&#8212;including people who interacted with support and didn&#8217;t realize a separate vendor was involved.</p><p><strong>Why age-verification laws can harm consumers</strong></p><ul><li><p><strong>They force mass collection of sensitive IDs.</strong> When the law pushes platforms to &#8220;prove&#8221; age, many default to <strong>document uploads</strong>. 
That creates huge databases of passports and driver&#8217;s licenses&#8212;prime targets for theft.</p></li><li><p><strong>Vendors multiply the risk.</strong> Platforms typically outsource verification. Each extra party adds storage, backups, employee access, and potential misconfigurations. Users rarely know who these vendors are or how long they keep data.</p></li><li><p><strong>&#8220;Delete after check&#8221; isn&#8217;t guaranteed.</strong> In practice, copies live on in support tickets, QA screenshots, caches, and backups. Once leaked, you can&#8217;t rotate a date of birth or ID number.</p></li><li><p><strong>Function creep.</strong> Photos and IDs collected &#8220;just for age&#8221; can be reused later&#8212;for marketing, fraud scoring, or law-enforcement fishing&#8212;unless tightly banned and audited.</p></li><li><p><strong>Anonymity suffers.</strong> Mandatory ID checks chill speech and participation, especially in sensitive communities (health, LGBTQ+, political dissent).</p></li></ul><p><strong>Better approaches</strong> (what we advocate)</p><ul><li><p><strong>Privacy-preserving age assurance</strong> (on-device estimation, cryptographic &#8220;proof of age&#8221; tokens from trusted IDs without revealing identity or storing documents).</p></li><li><p><strong>Strict data-minimization and retention caps</strong> (no vendor retention beyond a brief verification window; independent audits).</p></li><li><p><strong>Real alternatives</strong> for users who can&#8217;t or shouldn&#8217;t upload IDs (supervised accounts, feature gating without identity, prepaid age-verified tokens).</p></li><li><p><strong>Clear vendor transparency</strong> (who handles your data, where it&#8217;s stored, how/when it&#8217;s deleted).</p></li></ul><p><strong>What you can do</strong></p><ol><li><p><strong>Close your Discord account and delete your data</strong> &#8594; <a
href="https://yourdigitalrights.org/d/discord.com">https://yourdigitalrights.org/d/discord.com</a></p></li><li><p>Turn on 2FA for the email accounts tied to Discord; change your Discord password if reused anywhere else.</p></li><li><p>Watch for targeted phishing that references your real details (&#8220;re-verify your age&#8221;). Open Discord directly&#8212;don&#8217;t use links in messages.</p></li><li><p>Going forward, avoid ID uploads where possible; if unavoidable, ask for written retention limits and deletion confirmation.</p></li></ol><div><hr></div><h2>Prosper breach exposed highly sensitive personal data</h2><p><strong>What happened</strong><br>Prosper (peer-to-peer lending) disclosed a large breach discovered in late September/early October. Data was accessed from systems holding consumer and borrower information.</p><p><strong>What was exposed</strong><br>Contact details (name, email, phone, address), government-ID details (e.g., SSN/ID numbers, DOB), and in some cases income/employment information used for underwriting. Payment credentials are not the main concern here&#8212;the exposure is the dense identity profile.</p><p><strong>Who&#8217;s affected</strong><br>Current and past applicants/borrowers, as well as some individuals who were invited or pre-qualified. 
Even if you didn&#8217;t complete a loan, application data may still be in scope.</p><p><strong>Why it matters</strong></p><ul><li><p>This is precisely the mix that enables <strong>new-account fraud</strong> (credit cards/loans opened in your name).</p></li><li><p>Expect targeted phishing that references your real employer/income or application status.</p></li><li><p>Because SSNs/ID numbers don&#8217;t change easily, the risk persists for years, not weeks.</p></li></ul><p><strong>What you can do</strong></p><ol><li><p><strong>Delete your data</strong> &#8594; <a href="https://yourdigitalrights.org/d/prosper.com">https://yourdigitalrights.org/d/prosper.com</a></p></li><li><p>Place a <strong>credit freeze</strong> (free in many jurisdictions). It prevents new credit from being opened without your explicit lift.</p></li><li><p>Set fraud alerts with major bureaus; check your credit report over the next 12&#8211;24 months for unfamiliar inquiries or accounts.</p></li><li><p>Treat &#8220;we need to verify your identity/application&#8221; calls/texts as hostile by default. Hang up and call the institution via the official number in their app or on their card.</p></li></ol><div><hr></div><h2>Qantas customer data posted after a third-party compromise</h2><p><strong>What happened</strong><br>A vendor servicing multiple brands was breached; data sets for Qantas customers were among those posted. This is a classic supply-chain incident: you trusted the airline; the weak link was a contractor.</p><p><strong>What was exposed</strong><br>Personal profile fields such as name, email, phone, date of birth, and frequent-flyer details (membership numbers, sometimes status or points context). 
Payment card data was not the focus, but profile data is more than enough for convincing scams.</p><p><strong>Who&#8217;s affected</strong><br>Qantas customers whose profiles were synced or processed by the impacted vendor during the relevant window&#8212;this can include inactive accounts if data wasn&#8217;t purged.</p><p><strong>Why it matters</strong></p><ul><li><p>Phishing is easier when attackers know your airline and loyalty details (&#8220;your flight has changed&#8221;, &#8220;points expiring: confirm now&#8221;).</p></li><li><p>If they can take your <strong>email</strong> account, they can reset everything else; travel accounts are attractive because of stored identities and rewards.</p></li></ul><p><strong>What you can do</strong></p><ol><li><p><strong>Delete your data</strong> &#8594; <a href="https://yourdigitalrights.org/d/qantas.com">https://yourdigitalrights.org/d/qantas.com</a></p></li><li><p>Don&#8217;t follow flight/account links from email/SMS. Open the airline app or type qantas.com yourself.</p></li><li><p>Enable 2FA on your <strong>email</strong> and your airline account; review security questions and recovery addresses/phones.</p></li><li><p>Check your frequent-flyer history for unfamiliar redemptions or name/phone changes.</p></li><li><p>If you shared passport details with any airline, consider renewing sooner if you encounter misuse (varies by country).</p></li></ol><div><hr></div><h2>Product news &#8212; YourDigitalRights.org</h2><p><strong>New regulation support (October)</strong></p><ul><li><p><strong>Maryland (MD)</strong> &#8212; Maryland Online Data Privacy Act</p></li><li><p><strong>Indiana (IN)</strong> &#8212; Indiana Consumer Data Protection Act</p></li><li><p><strong>Kentucky (KY)</strong> &#8212; Kentucky Consumer Data Protection Act</p></li><li><p><strong>Rhode Island (RI)</strong> &#8212; Rhode Island Data Transparency and Privacy Protection Act</p></li></ul><p><strong>New regulation support 
(May)</strong></p><ul><li><p><strong>China (CN)</strong> &#8212; Personal Information Protection Law</p></li><li><p><strong>South Africa (ZA)</strong> &#8212; Protection of Personal Information Act</p></li><li><p><strong>Tennessee (TN)</strong> &#8212; Tennessee Information Protection Act</p></li><li><p><strong>Minnesota (MN)</strong> &#8212; Minnesota Consumer Data Privacy Act</p></li><li><p><strong>Australia (AU)</strong> &#8212; Australian Privacy Principles</p></li><li><p><strong>Jordan (JO)</strong> &#8212; Personal Data Protection Law</p></li><li><p><strong>Thailand (TH)</strong> &#8212; Personal Data Protection Act</p></li></ul><p><strong>Localization</strong><br>YourDigitalRights.org now supports <strong>30 languages</strong> so more people can use their rights in the language they&#8217;re most comfortable with.</p><div><hr></div><h2>Quick actions</h2><ul><li><p><strong>Delete your data from Discord</strong> &#8594; <a href="https://yourdigitalrights.org/d/discord.com">https://yourdigitalrights.org/d/discord.com</a></p></li><li><p><strong>Delete your data from Prosper</strong> &#8594; <a href="https://yourdigitalrights.org/d/prosper.com">https://yourdigitalrights.org/d/prosper.com</a></p></li><li><p><strong>Delete your data from Qantas</strong> &#8594; <a href="https://yourdigitalrights.org/d/qantas.com">https://yourdigitalrights.org/d/qantas.com</a></p></li><li><p>Turn on <strong>2FA</strong> (email first), use a <strong>password manager</strong>, and don&#8217;t reuse passwords.</p></li><li><p>Clean up old accounts you no longer use; fewer accounts = smaller attack surface.</p></li></ul><p></p><p>Please consider donating to Conscious Digital. 
By donating, or becoming a supporting member you can help ensure our long-term financial stability and independence.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://opencollective.com/consciousdigital&quot;,&quot;text&quot;:&quot;Donate&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://opencollective.com/consciousdigital"><span>Donate</span></a></p><p></p><p></p>]]></content:encoded></item><item><title><![CDATA[Privacy at the Border: The Ultimate Technical Guide to Securing Your Data and Devices at Border Crossings]]></title><description><![CDATA[Privacy Alerts April 2025]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-at-the-border-the-ultimate</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-at-the-border-the-ultimate</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Tue, 08 Apr 2025 11:52:31 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e7dcf348-d344-483a-a4f7-d057eff2a48a_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Imagine arriving at an airport and being denied entry because of what&#8217;s on your phone. This isn&#8217;t a dystopian fantasy &#8211; it&#8217;s a reality for some travelers today. Under broad legal powers and minimal oversight, U.S. Customs and Border Protection (CBP) agents can search laptops, phones, and other devices at the border with few constraints. 
In one recent case, a French scientist traveling to a conference in Houston was <a href="https://newrepublic.com/post/192946/french-scientist-denied-us-entry-trump-criticism#:~:text=A%20French%20scientist%20on%20his,criticized%20President%20Trump%E2%80%99s%20science%20cuts">turned away</a> after CBP officers found private messages critical of President Trump on his phone, which agents absurdly claimed &#8220;<em>conveyed hatred of Trump &amp; could be qualified as terrorism</em>&#8221;. In another, a Brown University doctor named Rasha Alawieh was <a href="https://reason.com/?p=8324347#:~:text=Border%20phone%20searches%20are%20in,Hezbollah%20images%20on%20her%20phone">refused entry</a> when agents discovered &#8220;pro-Hezbollah&#8221; images in her phone&#8217;s photo album. These incidents show a disturbing trend: border officials increasingly comb through personal data and have even used it to justify deportations or visa denials. CBP&#8217;s device searches <a href="https://themunicheye.com/cautions-for-travelers-us-entry-mobile-device-advice-14789#:~:text=Recent%20cases%20have%20highlighted%20the,evolve%20in%20the%20current%20year">have spiked</a> in frequency under recent policies, yet the practice faces little outside oversight.</p><p>Unfortunately, in the current geopolitical climate, this situation is not unique to U.S. borders, as many other countries are following in the footsteps of the U.S. to enact stronger immigration laws and more prevalent inspections.</p><p>In the U.S., CBP agents operate under a special legal loophole known as the <a href="https://en.wikipedia.org/wiki/Border_search_exception">border search exception</a> to the Fourth Amendment, which means they don&#8217;t need a warrant or probable cause to search travelers&#8217; belongings at entry points. In fact, courts have <em>not yet settled</em> how this applies to our digital devices, so for now, CBP largely sets its own rules. Those rules give officers wide latitude: they can conduct a basic manual search of your phone at their discretion, and with any &#8220;reasonable suspicion&#8221; (or vaguely defined &#8220;national security&#8221; concern), they can perform an &#8220;advanced search&#8221; using forensic tools like <a href="https://en.wikipedia.org/wiki/Cellebrite">Cellebrite</a> to hack into your device and copy data.</p><p>Officers are <em>supposed</em> to only inspect data stored on the device, but in practice, an agency&#8217;s internal promises are scant comfort when you&#8217;re at the border. &#8220;The super-conservative perspective is to assume they [CBP] are completely unhinged and that even the most benign reasons for travel are going to subject non-citizens to these device searches,&#8221; said <a href="https://www.theguardian.com/technology/2025/mar/26/phone-search-privacy-us-border-immigration#:~:text=critical%20of%20Trump%20on%20his,phone">Sophia Cope</a>, a senior staff attorney at the Electronic Frontier Foundation (EFF). Even U.S. 
citizens &#8211; who by law cannot be refused entry &#8211; aren&#8217;t immune from hassle: agents can detain you for hours and confiscate your device if you decline to unlock it. For visa holders and foreign visitors, the stakes are higher: CBP can decide on the spot that you&#8217;re &#8220;not eligible&#8221; to enter if you refuse a search or if they dislike what they find. Legal permanent residents (green card holders) historically had rights close to citizens, but recent crackdowns show that even they can be targeted under broad &#8220;national security&#8221; pretexts (e.g., the <a href="https://reason.com/?p=8324347#:~:text=Legal%20permanent%20residents%20are%20in,Mahmoud%20Khalil%20and%20Yunseo%20Chung">attempted deportation</a> of Columbia University graduate Mahmoud Khalil in apparent retaliation for his campus activism). In short, anyone crossing into the U.S. and a number of other countries should be prepared for the possibility of intrusive digital searches &#8211; especially journalists, activists, or others carrying sensitive information.</p><h2>What Are Border Agents Looking For on Your Devices?</h2><p>CBP agents claim that searching phones and laptops is a &#8220;routine part&#8221; of verifying a visitor&#8217;s admissibility. In many cases, they&#8217;re hunting for evidence of anything that might violate immigration rules or national security:</p><ul><li><p><strong>Political or religious content:</strong> Private communications or social media that express certain political opinions have raised flags. The <a href="https://newrepublic.com/post/192946/french-scientist-denied-us-entry-trump-criticism#:~:text=A%20French%20scientist%20on%20his,criticized%20President%20Trump%E2%80%99s%20science%20cuts">French researcher&#8217;s</a> text messages criticizing U.S. policies were viewed as &#8220;anti-American&#8221; and even conflated with terrorism. 
In the past, travelers have been questioned about their political beliefs or associations at the border. Content supporting controversial groups (for example, the images on <a href="https://www.reuters.com/world/us/doctor-deported-lebanon-had-photos-sympathetic-hezbollah-phone-us-says-2025-03-17/">Rasha Alawieh&#8217;s phone</a> that were deemed supportive of Hezbollah) can be treated as links to extremism. Even completely lawful activism or speech may draw scrutiny if an agent deems it &#8220;inflammatory.&#8221; This creates a climate where legitimate dissent or religious expression could be misinterpreted as a security threat.</p></li><li><p><strong>Contact lists and communications:</strong> Agents often scroll through contacts, call logs, emails, messaging apps, and social media. They may look for names of people of interest, evidence of plans to overstay a visa or work without authorization, or any associations they consider suspicious. In <a href="https://themunicheye.com/cautions-for-travelers-us-entry-mobile-device-advice-14789#:~:text=device%2C%20rather%20than%20accessing%20information,how%20they%20present%20themselves%20online">one reported case</a>, officers demanded a traveler&#8217;s social media handles and scoured their online posts. Notably, U.S. visa applications now ask for social media IDs, so border agents can already view any content you&#8217;ve made public. While the policy says agents shouldn&#8217;t demand your private social media passwords, anything you&#8217;re already logged into on your device at the moment you hand it over to an agent could be accessed. Essentially, your digital footprint &#8211; from WhatsApp chats to Twitter feed &#8211; is under the microscope. Even the list of previously used WiFi hotspots can be used to determine where you have been.</p></li><li><p><strong>Photos, videos, and files:</strong> Your camera roll and files can also be browsed for incriminating material. 
Agents have searched photo galleries for violent or explicit content, symbols, or contacts. Dr. Alawieh&#8217;s case is a cautionary tale: the &#8220;incriminating&#8221; photos agents cited were not even in her main gallery but in the phone&#8217;s &#8220;Recently Deleted&#8221; folder (iPhones retain deleted photos for 30 days unless you manually purge them). This means that even files you think you deleted might still be found during a forensic search. Simply clearing the trash bin isn&#8217;t foolproof &#8211; often, deletion just hides data without truly erasing it from storage. Agents with specialized tools might recover emails, browser history, or documents you attempted to remove.</p></li><li><p><strong>Anything they can use against you: </strong>The unfortunate reality is that at the border, the presumption of innocence is flipped. Officers have wide discretion to interpret what they find. Harmless content can be taken out of context &#8211; jokes in a group chat, memes saved on your phone, or an old text about looking for work could all raise questions. If agents find something they don&#8217;t like, they can use it as a basis to refuse entry, cancel your visa, or, in rare cases, confiscate your device for further investigation. And if you refuse to cooperate or provide passwords, that alone might be viewed as suspicious. In other words, border agents are fishing for anything &#8211; from serious to trivial &#8211; that they can use to question your purpose or character.</p></li></ul><p>It&#8217;s hard to predict exactly what will trigger scrutiny, which is why we suggest taking a &#8220;better safe than sorry&#8221; approach. 
Sophia Cope <a href="https://www.theguardian.com/technology/2025/mar/26/phone-search-privacy-us-border-immigration#:~:text=Privacy%20experts%20say%20everyone%20should,before%20heading%20to%20the%20airport">advises</a> doing a personal risk assessment: consider your immigration status, travel history, and what data you carry that could be misinterpreted. Then, take steps to minimize what&#8217;s on your device during travel.</p><h2>Travel Clean: Consider Leaving Personal Devices at Home</h2><p>The simplest way to protect your digital privacy at the border is not to carry sensitive data across in the first place. Border authorities can only search what you have on your devices at the border. If you don&#8217;t bring it, they can&#8217;t search it. For this reason, we recommend using &#8220;clean&#8221; devices for travel and leaving your everyday phone or laptop at home.</p><p><strong>Burner Phones &amp; Temporary Laptops</strong>: One strategy is to use a basic &#8220;burner&#8221; phone (a cheap phone with a fresh SIM or no SIM) while traveling. Your regular phone can stay safely at home, and you carry a phone that has no sensitive data on it &#8211; just the bare essentials for communication. Similarly, you might travel with a loaner or new laptop that contains no personal files. A Chromebook is a good travel laptop since it&#8217;s inexpensive and designed to store data primarily in the cloud. With a clean device, if an agent confiscates or searches it, there&#8217;s little for them to find. It is advisable to hand over the device when it is turned off, as this ensures no recently used apps are running and that the running memory is clean. It is, therefore, important to remember to turn off your devices well before you reach the border crossing. <strong>Note</strong>: A completely clean device may be seen as suspicious and used as a pretext for further search. 
<em>&#8220;People are damned if they do and damned if they don&#8217;t. If you cross the border with no data on your device, that itself can be seen as suspicious,&#8221;</em> <a href="https://www.theguardian.com/technology/2025/mar/26/phone-search-privacy-us-border-immigration#:~:text=said%20that%20could%20actually%20raise,suspicions">warns</a> EFF&#8217;s Sophia Cope. Border agents might wonder if you wiped something incriminating. We, therefore, recommend using your clean devices before traveling to make sure they look authentic.</p><p><strong>Cloud Storage is Your Friend</strong>: Using cloud services can help ensure you&#8217;re not carrying data locally. Files, photos, and messages that you store in the cloud &#8211; <strong>and log out of</strong> &#8211; won&#8217;t be accessible if your device is searched offline. Current <a href="https://www.theguardian.com/technology/2025/mar/26/phone-search-privacy-us-border-immigration#:~:text=During%20law%20enforcement%20searches%20inside,airplane%20mode%20before%20searching%20it">CBP policy</a> instructs officers to only inspect data residing on the device, not to probe travelers&#8217; online accounts. So, consider uploading important documents to a secure cloud drive and deleting the local copies from your phone or computer before you travel. You can download them later once you&#8217;re safely past the border. <strong>Note:</strong> You must fully log out of cloud apps (Drive, Dropbox, iCloud, email, etc.) on your device; if you stay logged in, an officer can open those apps and view synced data. But if the data lives only online and your device is offline and logged out, it&#8217;s effectively out of reach. 
This way, you travel &#8220;light&#8221; digitally &#8211; your device becomes a shell that grants access to your cloud data <em>after</em> you&#8217;re through customs.</p><p><strong>Wipe Data Before the Next Destination</strong>: If you do use a device during your trip (even a &#8220;clean&#8221; one can accumulate messages or photos), you might consider deleting personal data before crossing into your next destination. For example, if you&#8217;re concerned about searches when you return home or enter another country, back up any data you need and delete it prior to travel. This ensures that any new sensitive info you picked up on your trip isn&#8217;t carried over borders. However, remember that showing up with a completely clean device, as is the case after a factory reset, may look suspicious.</p><p>In an ideal world, you would travel with zero private data and have nothing to worry about. In reality, completely disconnecting may not be practical for everyone. If you must bring your regular phone or laptop or need to keep some data with you, the next section covers steps you can take to mitigate the risks.</p><h2>What if You Decide to Bring Your Personal Devices Along?</h2><p>If you choose to travel with your personal device (or can&#8217;t use a burner), you should harden it and minimize its contents before you reach the border. Here are some precautions to help protect your privacy:</p><ul><li><p><strong>Power Off Before Crossing &amp; Use Strong Passwords</strong>: Shut down your devices completely before you approach customs. Turning off a phone or laptop resets its security state and discards the decryption keys held in memory, so the storage stays fully encrypted and it becomes much harder for anyone to bypass your lock screen. Upon reboot, a password will be required to decrypt the storage. This is critical: if your phone is just in sleep mode, advanced forensics tools might be able to exploit it. 
So power down, and when you turn it on for an officer, unlock it yourself if required to &#8211; don&#8217;t reveal your passcode. Also, ensure you have a strong device passphrase, not something easily guessable. Modern iPhones and many Androids are encrypted by default (as long as you set a PIN/password), but that encryption is only as strong as your code. We recommend a password at least 9-12 characters long (or a random 4-5 word phrase) for robust security. A long, unique passcode can thwart casual guessing by agents and significantly slow down forensic cracking attempts.</p></li><li><p><strong>Disable Fingerprints and Face Unlock:</strong> Biometric locks (fingerprints, Face ID, etc.) should be turned off before travel. Why? Because agents <em>can</em> physically compel or trick you into unlocking with your biometrics &#8211; for example, by holding your phone up to your face &#8211; even if they can&#8217;t legally force you to divulge a PIN. Unlike a memorized password, which you can refuse to provide, your biometric features aren&#8217;t protected in the same way. To avoid this, switch to password-only unlock at least for the duration of your trip. On iPhones, if you hold the side button and a volume button for a few seconds, it will disable Face ID until the next passcode entry. Similarly, you can turn off Touch ID/Face ID in settings before you travel. This ensures that only your password can unlock the device, which is under your control. It might feel less convenient day-to-day, but it&#8217;s a smart trade-off when crossing borders.</p></li><li><p><strong>Encrypt and Back Up Everything</strong>: Full-device encryption is a must if you travel with electronics. Encryption scrambles your data so that even if an agent confiscates your device and connects it to forensic software, they&#8217;ll struggle to access your files without your key. Most up-to-date smartphones have encryption on by default &#8211; just double-check in your security settings. 
For laptops, enable disk encryption (FileVault on Mac, BitLocker on Windows, or VeraCrypt for other systems). Back up your data before traveling, then remove what you don&#8217;t need from the device. The idea is to carry as little sensitive information as possible and have an encrypted backup at home or in the cloud to restore later. That way, even if something happens to your device or you choose to wipe it, you haven&#8217;t lost anything important.</p></li><li><p><strong>Use &#8220;Travel Mode&#8221; and a Security PIN for Sensitive Apps:</strong> Some apps recognize the unique security risks of travel. For example, the password manager 1Password offers a Travel Mode that temporarily removes designated vaults from your device entirely. Before you cross a border, you can flip the app into travel mode to hide sensitive passwords or documents, leaving only a minimal set of data accessible. Once you&#8217;re safely through, you log into 1Password&#8217;s website to restore your vaults. Consider using this if you have a password manager &#8211; it&#8217;s an excellent way to avoid carrying a trove of account credentials that could be compromised. Likewise, log out of email and social media apps or even uninstall them for the trip if you won&#8217;t need them. You can always reinstall later. Some travelers go as far as to create a separate &#8220;travel&#8221; account (email, social, etc.) that they use on the road, which contains no sensitive info, while their real accounts stay logged out. This kind of alternate persona can be useful for high-risk individuals: your travel accounts present a clean, innocuous profile if inspected, while your true data remains in the cloud, protected by strong passwords you haven&#8217;t stored on the device. Finally, some apps, such as two-factor authentication (2FA) apps, Dropbox, and crypto wallets, allow you to set a lock PIN that you must enter before using the app. 
This provides another layer of security.</p></li><li><p><strong>Protect Your Contacts and Messages</strong>: Think carefully about the contacts, call logs, and messages on your device. These can reveal your associations (friends, colleagues, organizations) and personal life. If you have contacts that might raise questions (e.g. journalists, activists, or just someone with a certain surname), you might remove or alias them for the trip. For messaging apps, consider clearing chat histories or using apps with disappearing messages for any particularly sensitive conversations before you travel. It may also help to turn off message previews on your lock screen &#8211; so if your device receives a text during the inspection, it doesn&#8217;t display potentially private content to prying eyes. Overall, carry only what communication data you truly need; archive or delete the rest.</p></li><li><p><strong>Plan for the Worst (and Hope for the Best)</strong>: Finally, mentally prepare a plan for what you will do if an agent demands access to your device. Know your bottom line: Are you willing to refuse and risk longer detention or denial of entry? Or will you comply but try to minimize what&#8217;s exposed? It&#8217;s a personal decision. Remember, U.S. citizens cannot be denied entry for refusing a device search (though you might be delayed). Visitors, unfortunately, don&#8217;t have that protection &#8211; refusing could mean you&#8217;re sent back home. Some travelers have a &#8220;dummy&#8221; screen ready &#8211; e.g., a secondary phone that you surrender &#8211; while keeping their primary data elsewhere. If you&#8217;re extremely concerned, you might coordinate with a lawyer in advance or have a device confiscation contingency (for instance, some journalists travel with loaner devices that can be safely abandoned if seized). 
These scenarios are rare, but thinking them through ahead of time will leave you much more confident if you do hear those dreaded words: &#8220;Please step aside for secondary inspection.&#8221;</p></li></ul><h2>Conclusion</h2><p>Crossing the border with digital devices now carries real privacy risks. In an age of cloud-connected lives, our phones and laptops hold intimate details about who we are &#8211; information that border agents can exploit under lax rules. The stories of travelers being deported or detained over innocent texts and photos are a wake-up call. The good news is you <em>can</em> take control of your data footprint. The best solution is to travel with devices that reveal little or nothing &#8211; and thanks to cloud services and affordable gadgets, that&#8217;s easier than ever. If you do bring your primary devices, a bit of preparation (encrypting, logging out, using strong passwords, and pruning sensitive data) can go a long way to shield your privacy during border crossings.</p><p>Digital rights advocates at Conscious Digital and beyond want you to know that you don&#8217;t have to roll over when faced with an invasive device search. By following the steps above and staying informed of your rights, you can significantly reduce the risk of a privacy violation at the border. Safe travels &#8211; and stay safe online, too!</p><p><strong>Sources:</strong> This guide draws on expertise from the Electronic Frontier Foundation&#8217;s <a href="https://www.eff.org/wp/digital-privacy-us-border-2017">Digital Privacy at the U.S. Border</a> handbook and recent cases reported by The Guardian, Reason, Bruce Schneier, and others.</p><p><strong>On a personal note,</strong> I hesitated before publishing this post because it could place me in the same risk category as people who have been detained at the border due to a digital footprint that CBP agents deemed unacceptable. 
If a CBP agent is reading this in the future while I await the outcome of an inspection, please know I am simply doing my job: informing the public of their digital rights and choices. Any criticism implied here is aimed broadly&#8212;at previous administrations and other countries&#8212;not at any single individual. It&#8217;s not personal.</p>]]></content:encoded></item><item><title><![CDATA[23andMe Customers? This May Be Your Last Chance to Protect Your Data ]]></title><description><![CDATA[Stay ahead of online threats and take control of your personal data with Privacy Alerts! Our newsletter provides the latest expert advice, tips, and tricks to safeguard your privacy in the digital world. 
Subscribe now to stay informed and empowered!]]></description><link>https://newsletter.yourdigitalrights.org/p/23andme-customers-this-may-be-your</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/23andme-customers-this-may-be-your</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Fri, 28 Mar 2025 17:11:44 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/0fcfff9b-4039-4b71-8724-c4efb9439f67_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2><strong>Immediate Recommendation</strong></h2><p>All customers of <a href="https://www.23andme.com/">23andMe</a> and similar genetic testing companies, as well as individuals who have family members who are customers of these services, should:</p><ol><li><p><strong>Download your genetic data immediately</strong>.</p></li><li><p><strong>Delete your data directly via the company's website</strong>.</p></li><li><p><strong>Send a legally binding data deletion request.</strong></p></li></ol><p>Please continue reading to understand why this action is critical and how to proceed with data deletion. The potential for significant data misuse means we may not have yet witnessed the worst-case scenario.</p>
<h2><strong>Unforeseen Privacy Risks</strong></h2><p>23andMe, once a leading pioneer of direct-to-consumer genetic testing, recently shocked the industry by <a href="https://customercare.23andme.com/hc/en-us/articles/30805135934615-Questions-related-to-23andMe-s-Chapter-11-Filing">filing for bankruptcy</a>. Founded in the mid-2000s, 23andMe soared in popularity, selling saliva-based DNA tests that unveiled customers&#8217; ancestry breakdowns and potential health risks. Over 15 million people worldwide used 23andMe, drawn by the promise of connecting with relatives and discovering hidden parts of their family history.</p><p>Yet this trove of genetic data also posed serious privacy risks. Customers entrusted 23andMe with not only their DNA but also their names, birthdates, geographic details, and often health survey data. Because genetic information is essentially impossible to change, a breach of this data can have lifelong consequences. Worse, 23andMe&#8217;s policies aren&#8217;t governed by strict health privacy laws like HIPAA in the United States; instead, the company&#8217;s privacy pledges rest mainly in its user agreements, which can change over time.</p><p>Another largely unrecognized privacy threat concerns relatives who never consented to testing. Genetic data is shared among family members, so by submitting their saliva, your relatives also reveal parts of your and your children&#8217;s genetic profile. 
Researchers have shown it takes only a relatively small database to identify the majority of individuals of European descent by cross-referencing DNA markers. That means even non-customers are indirectly exposed.</p><h2><strong>A History of Negligence</strong></h2><p>The company&#8217;s history of data breaches highlights how vulnerable this information can be. In late 2023, a credential-stuffing attack <a href="https://en.wikipedia.org/wiki/23andMe_data_leak">compromised</a> about 6.9 million customers&#8217; data, including partial ancestry details, personal demographics, and family connections. Raw DNA files weren&#8217;t publicly released, but the breach exposed extremely sensitive information. Attackers listed entire swaths of profiles for sale on the dark web&#8212;some grouped by ethnicity&#8212;raising concerns about discrimination, financial scams, or even identity theft. Most alarmingly, many people&#8217;s data was harvested simply because they appeared in someone else&#8217;s DNA Relatives match list.</p><p>Public confidence in 23andMe plummeted after this breach, and the company struggled to recover. With growth stagnating in the DNA test kit market&#8212;largely a one-time purchase&#8212;23andMe&#8217;s revenue began to stall. Its stock price, which had soared during an earlier IPO, tanked. Despite layoffs and an aborted attempt to pivot to drug development, 23andMe ultimately filed for Chapter 11 bankruptcy in March 2025. The company listed over 15 million genetic profiles in its database in its court filings&#8212;potentially one of its most valuable assets.</p><p>Now, 23andMe&#8217;s financial woes place user data at even greater risk. In bankruptcy sales, user data is viewed as an asset that can be transferred to new owners who might see commercial value in monetizing that information in various ways. 
The company&#8217;s terms of service explicitly state that genetic data may be transferred if 23andMe is sold or restructured&#8212;an unsettling reality for anyone who assumed their DNA would never leave the original custodians&#8217; hands.</p><h2><strong>Take Action</strong></h2><p>The Attorney General of California has issued an urgent <a href="https://oag.ca.gov/news/press-releases/attorney-general-bonta-urgently-issues-consumer-alert-23andme-customers">alert</a> instructing 23andMe customers to delete their data and have their genetic samples destroyed. The alert contains step-by-step instructions on how to do this via the 23andMe website. You should follow these instructions now, even if you are not a California resident. In addition to the steps in the alert, we recommend sending 23andMe a legally binding data deletion request. Sending such a request will give you additional legal recourse if the company does not fully comply with your request. You can send 23andMe a data deletion request via the following link:</p><ul><li><p><a href="https://yourdigitalrights.org/d/23andme.com">https://yourdigitalrights.org/d/23andme.com</a></p></li></ul><h2><strong>Broader Implications</strong></h2><p>These events underscore a broader warning about consumer genomics. Similar companies such as AncestryDNA, MyHeritage, FamilyTreeDNA, and Living DNA also gather large volumes of deeply personal data from millions of users. Each business sets its own rules for data usage, retention, and sharing. If you share your genetic profile&#8212;on purpose or via a relative&#8212;truly securing that data can be complex. Law enforcement agencies have already leveraged some databases to identify crime suspects through distant relatives, stirring debate over genetic privacy rights. If you are a customer of any one of the companies listed above, please consider deleting your data as well. 
Here are the links:</p><ul><li><p><a href="https://yourdigitalrights.org/d/ancestry.com">https://yourdigitalrights.org/d/ancestry.com</a></p></li><li><p><a href="https://yourdigitalrights.org/d/myheritage.com">https://yourdigitalrights.org/d/myheritage.com</a></p></li><li><p><a href="https://yourdigitalrights.org/d/familytreedna.com">https://yourdigitalrights.org/d/familytreedna.com</a></p></li><li><p><a href="https://yourdigitalrights.org/d/livingdna.com">https://yourdigitalrights.org/d/livingdna.com</a></p></li></ul><p>In hindsight, 23andMe&#8217;s bankruptcy is a cautionary tale: It reminds us that genetic data is profoundly sensitive, and handing it over to a private company is a significant act of trust. If that company falters financially or is sold to a third party, your personal information might end up in unfamiliar hands. Above all, it is a reminder that we can never know up front where our personal information, once shared, will end up, what other data it will be joined with, nor all the ways by which it can be used against our interests.</p><p><strong>Do not delay&#8212;protect yourself by deleting your genetic data immediately via the company's website and sending a formal data deletion request.</strong></p>
]]></content:encoded></item><item><title><![CDATA[New ChatGPT Vulnerability Steals User Data]]></title><description><![CDATA[Privacy Alerts - September 26th 2024]]></description><link>https://newsletter.yourdigitalrights.org/p/new-chatgpt-vulnerability-steals</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/new-chatgpt-vulnerability-steals</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Thu, 26 Sep 2024 09:30:52 GMT</pubDate><enclosure url="https://substackcdn.com/image/youtube/w_728,c_limit/zb0q5AW5ns8" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Researcher Johann Rehberger discovered a vulnerability in OpenAI's ChatGPT that exploits its long-term conversation memory feature through indirect prompt injection. By embedding malicious instructions in untrusted content like emails or websites, attackers could trick the AI into storing false instructions in its persistent memory, influencing all future interactions. Rehberger demonstrated that these false memories could be implanted via methods like storing files on cloud services or browsing compromised websites, effectively allowing attackers to manipulate the AI's behavior without the user's knowledge.</p><p>After initially reporting the issue to OpenAI without resolution, Rehberger provided a proof-of-concept showing how the ChatGPT macOS app could be manipulated to send all user inputs and outputs to an attacker's server using a malicious image link. 
The most remarkable aspect of this exploit is that it is persistent across new conversations due to ChatGPT&#8217;s long-term memory feature:</p><div id="youtube2-zb0q5AW5ns8" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;zb0q5AW5ns8&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/zb0q5AW5ns8?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>While OpenAI has implemented a fix to prevent memory abuse for data exfiltration, the risk of prompt injections planting false memories persists. OpenAI provided <a href="https://openai.com/index/memory-and-new-controls-for-chatgpt/">some guidance</a> on how to better control the memory feature.</p><p>This is a good opportunity to re-iterate our advice not to share personal data with ChatGPT and similar commercial systems. This is in part due to exploits such as this one, but mostly because OpenAI uses the content of your chats to train its algorithm. 
Only Team and Enterprise customers of the platform get to have their data excluded from training data: </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ex6W!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94add5aa-be2a-4a71-a42d-736c47ad9762_1076x1060.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!ex6W!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94add5aa-be2a-4a71-a42d-736c47ad9762_1076x1060.png" width="1076" height="1060" class="sizing-normal" alt=""></picture></div></a></figure></div><p>This behavior illustrates two alarming trends concerning online privacy. The first is privacy as a premium paid feature. 
The second is that even when paying for a service, in this case a ChatGPT Pro subscription, you can still end up as the product.</p>]]></content:encoded></item><item><title><![CDATA[Privacy Alerts, September 2024]]></title><description><![CDATA[Deceptive Design Patterns Guide]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-alerts-september-2024</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-alerts-september-2024</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Fri, 13 Sep 2024 10:23:28 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!oqVg!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F5863274e-4461-42e5-8763-01397b9b1a07_1200x1200.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to the September 2024 edition of Privacy Alerts! 
We're excited to announce the re-launch of the Privacy Alerts newsletter. Originally launched in November 2022, Privacy Alerts began as an experimental effort to support our work at <a href="https://consciousdigital.org/">Conscious Digital</a>, the nonprofit behind <a href="https://yourdigitalrights.org/">YourDigitalRights.org</a>, while helping individuals improve their online privacy over time.</p><p>Initially, the focus was on specific companies with poor privacy practices that we recommended opting out of. However, we soon realized this approach was too narrow, and there is much more we&#8217;d like to share with you.</p><p>Moving forward, Privacy Alerts will guide you on actions to take to stay ahead of online threats and better control your personal data. We&#8217;ll offer expert advice, tips, and strategies to protect your digital privacy. This may still include recommendations to opt out of certain companies, but will also cover broader advice such as new privacy-preserving technologies, tools, and services, or important privacy-related settings in commonly used software.</p><p>We're also re-launching the paid version of the newsletter, which will focus on urgent issues that require immediate action to protect your privacy. 
While the free version will provide occasional updates, the paid version will cover critical events like major data breaches or instances where companies pose an immediate and significant threat to your privacy.</p><p>If you value your privacy in an ever-changing digital world you can subscribe to the paid version here:</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://newsletter.yourdigitalrights.org/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://newsletter.yourdigitalrights.org/subscribe?"><span>Subscribe now</span></a></p><p>If you prefer to stay subscribed to the free version, please consider donating to ensure our long-term financial stability and independence:</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://opencollective.com/consciousdigital&quot;,&quot;text&quot;:&quot;Donate&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://opencollective.com/consciousdigital"><span>Donate</span></a></p><h3>Free Guide </h3><p>Today we&#8217;d like to share a guide we recently published titled <em><a href="https://consciousdigital.org/wp-content/uploads/2023/04/deceptive-patterns.pdf">How Deceptive Design is Used to Compromise Your Privacy and How to Fight Back</a></em>. The guide covers 10 deceptive design patterns that threaten data protection, along with strategies to counter them. It focuses on tactics companies use to undermine data protection requests, such as those for data deletion or access.</p><p>Deceptive design, also known as "dark patterns," manipulates individuals into taking actions they wouldn't normally choose&#8212;like signing up for more expensive services, only to downgrade later. 
These manipulative techniques are often used by companies to sidestep data protection requests, which are legal rights that allow individuals to control their personal data.</p><p>You can <a href="https://consciousdigital.org/deceptive-design-patterns/">learn more</a> about this research on our website. We hope you find the <a href="https://consciousdigital.org/wp-content/uploads/2023/04/deceptive-patterns.pdf">guide</a> helpful!</p><h3><strong>Product Update</strong></h3><p>We have been working hard on adding additional countries and regulations to <a href="http://yourdigitalrights.org">YourDigitalRights.org</a>. These include <a href="https://consciousdigital.org/welcoming-texas-and-oregon-to-yourdigitalrights-org/">Texas</a>, <a href="https://consciousdigital.org/welcoming-texas-and-oregon-to-yourdigitalrights-org/">Oregon</a>, <a href="https://consciousdigital.org/welcoming-florida-to-your-digital-rights/">Florida</a>, <a href="https://consciousdigital.org/welcoming-india-to-your-digital-rights/">India</a>, and <a href="https://consciousdigital.org/welcoming-switzerland-to-your-digital-rights/">Switzerland</a>.</p><p>We are also looking for volunteer software engineers with the following skills: Machine Learning, React, and AWS. Please <a href="http://info@yourdigitalrights.org">contact us</a> if you would like to help us improve the platform.</p><p>As always, we appreciate your feedback in any form. 
If you have any suggestions or requests please <a href="mailto:info@consciousdigital.org">email us</a>, or leave a comment.</p><p>Yoav<br>Founder, <a href="https://consciousdigital.org">Conscious Digital</a> // <a href="https://YourDigitalRights.org">YourDigitalRights.org</a></p>]]></content:encoded></item><item><title><![CDATA[Privacy Alerts, February 2023]]></title><description><![CDATA[Welcome to the February edition of Privacy Alerts.]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-alerts-february-2023</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-alerts-february-2023</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Thu, 16 Feb 2023 11:10:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!oqVg!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F5863274e-4461-42e5-8763-01397b9b1a07_1200x1200.png" length="0" 
type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to the February edition of Privacy Alerts. We have great news to share. <strong>Starting today, Privacy Alerts are free for all subscribers!</strong> We started Privacy Alerts in November 2022 as an experiment to see if we could create a revenue stream to support our work at <a href="http://consciousdigital.org">Conscious Digital</a>, the nonprofit behind <a href="http://YourDigitalRights.org">YourDigitalRights.org</a> while providing individuals with a way to improve their online privacy over time.</p><p>The experiment was successful in that we learned a lot. Almost 700 people have subscribed to the free newsletter, and about 20 people subscribed to the paid service. In the end, we decided to prefer a large subscriber base and an active community over the projected revenue from the paid service. We, therefore, decided to make Privacy Alerts free for all. </p><p>We have other ideas for creating revenue streams to support our work while keeping the core services of YourDigitalRights.org free, so please stay tuned. If you would like to support our efforts, please consider making a donation to ensure our long-term financial stability and independence:</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://opencollective.com/consciousdigital&quot;,&quot;text&quot;:&quot;Donate&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://opencollective.com/consciousdigital"><span>Donate</span></a></p><p>And now, without further ado, here are the top three companies that, according to our assessment, pose the most significant risk to your online privacy this month. Please consider sending them all data deletion requests (click on the company's name to do so).</p><h3><a href="https://yourdigitalrights.org/d/kochava.com">Kochava</a></h3><p>Kochava Inc (kochava.com) is a classic data broker, buying and selling personal data. 
What makes Kochava stand out is that they specialize in aggressively selling location information. Kochava first crossed our radar in August 2022, when the Federal Trade Commission <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf">filed a lawsuit</a> against the company, arguing that after acquiring location data from mobile carriers, "Kochava then sells customized data feeds to its clients to, among other purposes, assist in advertising and analyzing foot traffic at stores or other locations. Among other categories, Kochava sells timestamped latitude and longitude coordinates showing the location of mobile devices". </p><p>Kochava says it offers "rich geo data spanning billions of devices globally." In the lawsuit, the FTC was particularly concerned with the possibility that Kochava&#8217;s information could be used to identify visits to reproductive health clinics and other sensitive places. More recently, <a href="https://original.newsbreak.com/@mia-carlson-1601455/2926625695744-federal-class-action-lawsuit-filed-against-north-idaho-data-broker-kochava-company-was-sued-by-ftc-last-year">a federal class action lawsuit</a> has been filed against the company in the U.S. District Court of Idaho-Northern Division for alleged violations of Idaho and Washington laws.</p><p>We recommend that you <a href="https://yourdigitalrights.org/d/kochava.com">send Kochava a data deletion request now</a>. </p><h3><a href="https://yourdigitalrights.org/d/t-mobile.com">T-Mobile</a></h3><p>In late January, T-Mobile (t-mobile.com), the second largest US-based mobile carrier, disclosed a data breach affecting millions of customer accounts. </p><p>In <a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/0001283699/000119312523010949/d641142d8k.htm">a filing</a> with the U.S. Securities and Exchange Commission, T-Mobile said hackers hoovered data on roughly 37 million customer accounts. 
The data stolen included the customer's name, billing address, email, phone number, date of birth, T-Mobile account number, and information on the number of customer lines and plan features.</p><p>We&#8217;ve long held the position that data breaches are a great indicator of the internal cybersecurity culture of a given company. They not only shed light on past events but often also provide an indication of things to come. This is the second major data breach T-Mobile has reported in the past two years, and we believe that this indicates a systemic failure to prioritize the safekeeping of personal information within the company.</p><p>If you&#8217;ve ever held an account with T-Mobile in the past, we recommend that you send them <a href="https://yourdigitalrights.org/d/t-mobile.com">a data deletion request now</a>. If you are a current T-Mobile customer, then now is a good time to consider switching providers. </p><h3><a href="https://yourdigitalrights.org/d/signalhire.com">Signal Hire</a></h3><p>Signal Hire (signalhire.com) is a recruiting, HR analytics, and benchmarking platform that collects data from multiple public sources to provide real-time and historical trends on over 200 million candidates. In other words, the company is a data broker selling the personal information of millions of people. The company offers, amongst other services, a browser extension that will display the individual&#8217;s email address when you visit their LinkedIn, Facebook as well as other social media profiles. </p><p>In January, we noticed a spike in the number of data deletion requests sent via our platform to SignalHire. Such a spike is usually caused by an increased awareness amongst individuals of the risk the company poses to their online privacy. 
A further search indicated that the company had been linked to cases where <a href="https://www.businessinsider.in/tech/news/scammers-sending-wa-messages-to-top-tier-employees-pretending-to-be-their-ceo-cloudsek-report/articleshow/97637406.cms">CEOs and other high-profile individuals were blackmailed</a>, their personal data obtained via the platform. There are probably additional reasons for the recent spike in requests sent to SignalHire, which we could not correlate. </p><p>We recommend that you <a href="https://yourdigitalrights.org/d/signalhire.com">send SignalHire a data deletion request now</a>. </p><h3><strong>Privacy Update</strong></h3><p>In the last edition of Privacy Alerts, we recommended you send a data deletion request to LastPass (<a href="http://lastpass.com">lastpass.com</a>), a widely used password manager, following a catastrophic data breach the company suffered in August (and reported only in December). During the past month, it was revealed that the company was negligent in many aspects of its product design, weakening its end-to-end encryption scheme to the point of making it ineffective. </p><p>If you have used LastPass at any time in the past, <em>we now strongly recommend that you change the passwords to all the important services which you stored in LastPass and take evasive measures assuming the content of your secure notes is now public</em>, in addition to sending them <a href="https://yourdigitalrights.org/d/lastpass.com">a data deletion request</a>.</p><p>If you would like more information regarding the weaknesses discovered in the design of LastPass, please check out the two episodes on the topic by the podcast <a href="https://www.grc.com/sn/past/2022.htm">Security Now</a>. 
</p><p>Yoav<br>Founder, <a href="https://consciousdigital.org">Conscious Digital</a> // <a href="https://YourDigitalRights.org">YourDigitalRights.org</a></p>]]></content:encoded></item><item><title><![CDATA[Privacy Alerts are Going Free]]></title><description><![CDATA[We started Privacy Alerts in November 2022 as an experiment to see if we could create a revenue stream to support our work at Conscious Digital, the nonprofit behind YourDigitalRights.org, while providing individuals with a way to improve their online privacy over time.]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-alerts-are-going-free</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-alerts-are-going-free</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Mon, 30 Jan 2023 14:12:37 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!oqVg!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F5863274e-4461-42e5-8763-01397b9b1a07_1200x1200.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>We started Privacy Alerts in November 2022 as an experiment to see if we could create a revenue stream to support our work at <a href="http://consciousdigital.org">Conscious Digital</a>, the nonprofit  behind <a href="http://YourDigitalRights.org">YourDigitalRights.org</a>, while providing individuals with a way to improve their online privacy over time. </p><p>The experiment was successful, as we learned a lot. First, we learned that there is&#8230;</p>
   ]]></content:encoded></item><item><title><![CDATA[Privacy Alerts, January 2023]]></title><description><![CDATA[Welcome to the January edition of Privacy Alerts, and happy 2023!]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-alerts-january-2023</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-alerts-january-2023</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Mon, 16 Jan 2023 14:43:37 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!oqVg!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F5863274e-4461-42e5-8763-01397b9b1a07_1200x1200.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to the January edition of Privacy Alerts, and happy 2023! It&#8217;s been a relatively quiet December and early January as far as privacy matters are concerned, so we are sending this email later than usual. From all the companies crossing our radar this month, the following are the top three that, according to our assessment, pose the most significant risk to your online privacy. Please consider sending them all data deletion requests. Click on the name of the company to do so.</p><h3><a href="https://yourdigitalrights.org/d/voyager-labs.com">Voyager Labs</a></h3><p>Voyager Labs (voyager-labs.com), an Israeli company that relocated its headquarters to New York earlier this year, is in the business of selling AI-Based Investigation Solutions. 
According to the company&#8217;s website, &#8220;government and law enforcement agencies, as well as private sector customers, use our award-winning, cutting-edge technology, and superior domain expertise to exponentially increase the productivity and outcomes of their investigative teams&#8221;.</p><p>Voyager Labs was in the news earlier this month after getting sued by Meta, the company behind Facebook and Instagram, for allegedly creating tens of thousands of fake Facebook accounts to scrape user data and provide surveillance services for clients. When a company with a horrendous privacy-related track record, such as Meta, sues another company for privacy violations, it gets our attention. </p><p>In a blog post announcing the <a href="https://about.fb.com/news/2023/01/leading-the-fight-against-scraping-for-hire/">lawsuit</a>, Meta claims that &#8220;Voyager designed its scraping software to use fake accounts to scrape data accessible to a user when logged into Facebook, including users profile information, posts, friends lists, photos, and comments.&#8221; Meta also claims that Voyager collected data from other sites, including Twitter, YouTube, and Telegram.</p><p>Send Voyager Labs a <a href="https://yourdigitalrights.org/d/voyager-labs.com">data deletion request</a> now. </p><h3><a href="https://yourdigitalrights.org/d/meta.com">Meta</a></h3><p>Regarding privacy violations, Meta (<a href="http://meta.com">meta.com</a>), the company behind Facebook and Instagram, is the gift that keeps on giving. Even if you believe that the folks at Meta are genuinely interested in amending their ways and protecting individual privacy, stories such as the one about Voyager Labs should convince you that merely holding on to such a vast amount of personal information is a ticking time bomb. </p><p>This month marks an important milestone in the fight to get regulators to pay attention to this particular time bomb. 
Our friends at <a href="https://noyb.eu/en">Noyb</a> (short for None of Your Business), an Austrian nonprofit organization, <a href="https://noyb.eu/en/meta-advertising-ban-decision-published">won a strategic lawsuit against Meta</a>, which they filed in 2018, on the day the GDPR came out. </p><p>The lawsuit targets a clever workaround that Facebook&#8217;s lawyers have come up with as a legal basis for their vast collection of personal data. Instead of relying on user consent, which would necessitate the user to agree when each piece of personal information was used for every one of many purposes (meaning thousands of separate consent requests), Facebook&#8217;s lawyers have added the collection of Personal Information to its terms of service, claiming it&#8217;s a service Facebook is providing to the user. It then claimed that if it did not perform this collection, it would violate the contract with the user. </p><p>Noyb has managed to get the European Data Protection Board (EDPB) to prohibit Meta from using personal data collected in such a manner for advertisement. It also increased the fine for Meta, previously set by the Irish regulator, from &#8364; 28 million to &#8364; 390 million.</p><p>If you find Meta&#8217;s behavior infuriating, there is something that you can do to help. Please send Meta a <a href="https://yourdigitalrights.org/d/meta.com">data deletion request</a> using our service, and when you do, please turn on the smart follow-up assistant feature. The email will be sent directly to <a href="https://www.linkedin.com/in/stephen-deadman-585715/?originalSubdomain=uk">Stephen Deadman</a>, Facebook&#8217;s Data Protection Officer, but don&#8217;t worry, as Stephen will not be writing you back. Instead, you will get a reply saying his email address is not monitored. Over the past four years, we have attempted to email Facebook using many addresses, which all turned out to be not monitored. 
In fact, Meta does not publish even one corporate email address on any of its many websites. That&#8217;s OK. I am asking you to wait until you get the automated reply, then escalate your request to the relevant government regulator. Our smart follow-up assistant will send you an email after 30 days with instructions on exactly how to escalate your request. If you are in the EU, we will even generate an email addressed to the proper regulator for you to send. </p><p>With your help, we can persuade government regulators to step up enforcement. </p><h3><a href="https://yourdigitalrights.org/d/lastpass.com">LastPass</a></h3><p>LastPass (<a href="http://lastpass.com">lastpass.com</a>) is a widely used password manager owned by parent company <a href="https://yourdigitalrights.org/d/goto.com">GoTo.com</a> (formerly LogMeIn). In December, LastPass acknowledged that it had suffered <a href="https://www.wired.com/story/lastpass-breach-vaults-password-managers/">a critical data breach</a>. The breach occurred in August, but in its initial report of the incident, LastPass attempted to downplay the severity. This month it finally admitted that attackers managed a total compromise of company systems.</p><p>The attackers obtained a swath of personal information, including names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses. This particular breach is concerning because the attackers also managed to gain access to customer vaults. </p><p>People rely on LastPass&#8217;s vaults to store their most valuable passwords and secrets securely. As a measure of last defense, LastPass end-to-end encrypts these vaults, which means the attackers got away with encrypted copies of customer secrets. Just how much this encryption is worth depends on how good the master passwords chosen by customers are. 
Experts <a href="https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html">expect</a> that, in many cases, it is only a matter of time before some customer vaults are decrypted. </p><p>If you are a LastPass user or have used them in the past, we recommend that you take evasive action immediately. Here is a <a href="https://privacysavvy.com/password/guides/security-tips-for-lastpass-users-post-data-breach/">list</a> of recommended actions. After securing your accounts and switching to another password manager, we recommend sending LastPass <a href="https://yourdigitalrights.org/d/lastpass.com">a data deletion request</a>. </p><h3><strong>Privacy Tip</strong></h3><p>IEEE Spectrum has published an incredibly insightful article titled <a href="https://spectrum.ieee.org/capitol-riot">How Police Exploited the Capitol Riot&#8217;s Digital Records</a>, questioning whether powerful forensic technology is worth the privacy trade-off. This is well worth a read if you are interested in a big-picture view of how investigators are now approaching this and similar situations and the related privacy debate&#8212;highly recommended. 
</p><p>Yoav<br>Founder, <a href="https://consciousdigital.org">Conscious Digital</a> // <a href="https://YourDigitalRights.org">YourDigitalRights.org</a></p>]]></content:encoded></item><item><title><![CDATA[Privacy Alerts, December 2022]]></title><description><![CDATA[Welcome to the December edition of Privacy Alerts, this has been another busy month for privacy!]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-alerts-december-2022</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-alerts-december-2022</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Tue, 06 Dec 2022 09:29:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!oqVg!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F5863274e-4461-42e5-8763-01397b9b1a07_1200x1200.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to the December edition of Privacy Alerts, this has been another busy month for privacy! Out of the many companies crossing our radar this month these are the top three that according to our assessment pose the greatest risk to your online privacy. You should consider sending these companies a data deletion request right now, just click on the n&#8230;</p>
   ]]></content:encoded></item><item><title><![CDATA[Privacy Alerts, November 2022]]></title><description><![CDATA[YourDigitalRights.org]]></description><link>https://newsletter.yourdigitalrights.org/p/privacy-alerts-november-2022</link><guid isPermaLink="false">https://newsletter.yourdigitalrights.org/p/privacy-alerts-november-2022</guid><dc:creator><![CDATA[Yoav Aviram]]></dc:creator><pubDate>Thu, 03 Nov 2022 14:01:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!yflV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F1322e723-843d-4ece-b0f1-d9bc3bd7dfa6_1200x400.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to the November edition of Privacy Alerts. It&#8217;s been a busy month for Privacy! Here are the three worst-offending companies this month that you should opt-out of right now:</p><h3><a href="https://yourdigitalrights.org/d/uber.com">Uber</a></h3><p>The company has recently suffered<a href="https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html"> a significant data breach</a>, where an 18-year-old hacker had total control over their systems. Coincidently, Uber&#8217;s former Chief Security Officer was<a href="https://news.yahoo.com/jury-finds-former-uber-security-234813488.html?guccounter=1&amp;guce_referrer=aHR0cHM6Ly9kdWNrZHVja2dvLmNvbS8&amp;guce_referrer_sig=AQAAAGiXCZZyBoDJ8GaKPiYGc0Jiw0VpQIKUe7iVVqETPQXtpR5JjeTTM5pSKPbF_nP-JKDoVIaXNvQxBjUhiHWC9mdcUEv0ThfzchgLA6NN9nSAe8cylrWTq28xY_k0VjRFkjZTbLLpCuT3nz2pz9EpiPR49GarqQdIHLv2eJ46nsD1"> found guilty</a> this month for attempting to conceal an earlier data breach that occurred in 2016. 
The company has also<a href="https://techcrunch.com/2022/10/31/uber-tests-push-notifications-a-feature-literally-no-one-wants/?guccounter=1&amp;guce_referrer=aHR0cHM6Ly9kdWNrZHVja2dvLmNvbS8&amp;guce_referrer_sig=AQAAADDdhTIEVv8JQZJtDsmLB1SF2mes9duGCfjXaZfz-QPNVxAzGq7NM4z_3NZ13cw6UwfBHk-MYHCCW99aI6hH9gc00PLWMJNnzUtwfXbi-XUdflrMU5SvRdLbgTJBkV7fZEcTEddfgLr9dkazsjUAJdcBgO2UNZP0rxaKfNd3HcOt"> started testing</a> targeted ads from other companies sent out as push notifications.</p><p>If all of this is not enough, according to a recent trove of confidential documents<a href="https://www.theguardian.com/news/2022/jul/10/uber-files-leak-reveals-global-lobbying-campaign"> obtained by the Guardian</a>, Uber broke laws, duped police, and secretly lobbied governments.</p><p>We understand that Uber services (ride-sharing and food delivery) are convenient. Still, for all the reasons mentioned above, we think Uber&#8217;s unethical attitude is unlikely to change. We recommend you uninstall these apps, send the company a <a href="https://yourdigitalrights.org/d/uber.com">data deletion request</a>, and use one of the many alternative services available.</p><h3><a href="https://yourdigitalrights.org/d/mimecast.com">Mimecast</a></h3><p>Mimecast brands itself as &#8220;Advanced Email &amp; Collaboration Security&#8221;. Notable companies, including Adobe, Hertz, NASA, and Nationwide Insurance, use Mimecast&#8217;s &#8220;Secure Email Gateway&#8221; product. It is also popular in various industries, such as healthcare, finance, and government.</p><p>We have recently been made aware that many individuals are placed in a type of email purgatory due to how Mimecast&#8217;s service works. It appears that Mimecast&#8217;s clients can mark an email message as spam, which will then classify any messages from that sender as spam <em>for all of the other organizations using Mimecast&#8217;s solution</em>. 
This ability gives immense power to every customer support person working for one of these companies.</p><p>One individual described how, following an email exchange with a telecom provider that the provider apparently classified as spam, they found themselves unable to contact that provider, as well as any other organization on Mimecast&#8217;s client list, which includes many governmental organizations, all without ever being notified or having the right to appeal the decision.</p><p>We recommend that you send Mimecast a data access request to see if they have any of your personal information, and in case they do, follow up with a data deletion request. You can send both types of requests <a href="https://yourdigitalrights.org/d/mimecast.com">here</a>.</p><h3><a href="https://yourdigitalrights.org/d/tiktok.com">TikTok</a></h3><p>TikTok is the world's most downloaded app, owned by the Chinese tech giant ByteDance. To help explain why we have chosen to add TikTok to this month&#8217;s Privacy Alerts, we wanted to share a new documentary called<a href="https://www.pbs.org/independentlens/videos/tiktok-boom-gen-z-influencers-explain-social-media-platform-tiktok-for-you/?modal=1"> </a><em><a href="https://www.pbs.org/independentlens/videos/tiktok-boom-gen-z-influencers-explain-social-media-platform-tiktok-for-you/?modal=1">TikTok, Boom</a>,</em> which is available for free on PBS. 
The movie examines the power and influence of TikTok from the perspective of Gen-Z natives, journalists, and experts.</p><p>In a nutshell, TikTok is shaping our cultural norms in an unprecedented fashion while completely ignoring privacy and human rights.</p><p>We recommend that you send TikTok a <a href="https://yourdigitalrights.org/d/tiktok.com">data deletion request</a>.</p><h3><strong>Privacy Tip</strong></h3><p>New privacy tools released this month by tech giants Google and Facebook seem at first glance like a step in the right direction and, on a closer look, like an attempt to appease regulators and other critics. Still, both tools are worth knowing.</p><p>Google has been<a href="https://blog.google/products/search/a-new-search-tool-to-help-control-your-online-presence/"> pushing out a tool</a> for removing personally identifiable information from its search results. As with almost all Google features and products, you may not immediately have access to Google's new removal process. If you do, you should be able to click the three dots next to a web search result (while signed in) or in a Google mobile app to pull up "About this result." One option you can click at the bottom of a pop-up is "Remove result." However, note that this button is much more a statement of intent than an immediate action. Google suggests a response time of "a few days."</p><p>Facebook has quietly rolled out a new service that lets people check whether the firm holds their contact information, such as their phone number or email address, and delete and block it. Notably, the tool works even if the individual does not have a Facebook account. 
According to a<a href="https://www.businessinsider.com/facebook-has-hidden-tool-to-delete-your-phone-number-email-2022-10?r=US&amp;IR=T"> Business Insider</a> article, the tool is well-hidden and apparently only available via<a href="https://www.facebook.com/contacts/removal"> a link that is embedded</a> 780 words into<a href="https://www.facebook.com/help/637205020878504"> a fairly obscure page</a> in Facebook's help section for non-users. 
The bad news: the scope of the data that this tool covers is a drop in the ocean of what Facebook has on you.</p><p>You can send both Google and Facebook data deletion requests via<a href="https://yourdigitalrights.org"> YourDigitalRights.org</a>.</p><p>All the best,</p><p>Yoav &amp; Rafa <br>Founders, <a href="https://consciousdigital.org">Conscious Digital</a> // <a href="https://YourDigitalRights.org">YourDigitalRights.org</a></p>]]></content:encoded></item></channel></rss>