Privacy Alerts, February 2023
Welcome to the February edition of Privacy Alerts. We have great news to share. Starting today, Privacy Alerts are free for all subscribers! We started Privacy Alerts in November 2022 as an experiment to see if we could create a revenue stream to support our work at Conscious Digital, the nonprofit behind YourDigitalRights.org, while providing individuals with a way to improve their online privacy over time.
The experiment was successful in that we learned a lot. Almost 700 people have subscribed to the free newsletter, and about 20 people subscribed to the paid service. In the end, we decided to prefer a large subscriber base and an active community over the projected revenue from the paid service. We, therefore, decided to make Privacy Alerts free for all.
We have other ideas for creating revenue streams to support our work while keeping the core services of YourDigitalRights.org free, so please stay tuned. If you would like to support our efforts, please consider making a donation to ensure our long-term financial stability and independence.
And now, without further ado, here are the top three companies that, according to our assessment, pose the most significant risk to your online privacy this month. Please consider sending them all data deletion requests (click on the company's name to do so).
Kochava
Kochava Inc (kochava.com) is a classic data broker, buying and selling personal data. What makes Kochava stand out is that they specialize in aggressively selling location information. Kochava first crossed our radar in August 2022, when the Federal Trade Commission filed a lawsuit against the company, arguing that after acquiring location data from mobile carriers, "Kochava then sells customized data feeds to its clients to, among other purposes, assist in advertising and analyzing foot traffic at stores or other locations. Among other categories, Kochava sells timestamped latitude and longitude coordinates showing the location of mobile devices".
Kochava says it offers "rich geo data spanning billions of devices globally." In the lawsuit, the FTC was particularly concerned with the possibility that Kochava’s information could be used to identify visits to reproductive health clinics and other sensitive places. More recently, a federal class action lawsuit has been filed against the company in the U.S. District Court of Idaho-Northern Division for alleged violations of Idaho and Washington laws.
We recommend that you send Kochava a data deletion request now.
T-Mobile
In late January, T-Mobile (t-mobile.com), the second largest US-based mobile carrier, disclosed a data breach affecting millions of customer accounts.
In a filing with the U.S. Securities and Exchange Commission, T-Mobile said hackers hoovered data on roughly 37 million customer accounts. The data stolen included the customer's name, billing address, email, phone number, date of birth, T-Mobile account number, and information on the number of customer lines and plan features.
We’ve long held the position that data breaches are a great indicator of the internal cybersecurity culture of a given company. They not only shed light on past events but often also provide an indication of things to be. This is the second major data breach T-Mobile has reported in the past two years, and we believe that this indicates a systemic failure to prioritize the safekeeping of personal information within the company.
If you’ve ever held an account with T-Mobile in the past, we recommend that you send them a data deletion request now. If you are a current T-Mobile customer, then now is a good time to consider switching providers.
Signal Hire
Signal Hire (signalhire.com) is a recruiting, HR analytics, and benchmarking platform that collects data from multiple public sources to provide real-time and historical trends on over 200 million candidates. In other words, the company is a data broker selling the personal information of millions of people. The company offers, amongst other services, a browser extension that will display the individual’s email address when you visit their LinkedIn, Facebook, and other social media profiles.
In January, we noticed a spike in the number of data deletion requests sent via our platform to SignalHire. Such a spike is usually caused by an increased awareness amongst individuals of the risk the company poses to their online privacy. A further search indicated that the company had been linked to cases where CEOs and other high-profile individuals were blackmailed, their personal data obtained via the platform. There are probably additional reasons for the recent spike in requests sent to SignalHire, which we could not correlate.
We recommend that you send SignalHire a data deletion request now.
Privacy Update
In the last edition of Privacy Alerts, we recommended you send a data deletion request to LastPass (lastpass.com), a widely used password manager, following a catastrophic data breach the company suffered in August (and reported only in December). During the past month, it was revealed that the company was negligent in many aspects of its product design, weakening its end-to-end encryption scheme to the point of making it ineffective.
If you have used LastPass at any time in the past, we now strongly recommend that you change the passwords to all the important services which you stored in LastPass and take evasive measures assuming the content of your secure notes is now public, in addition to sending them a data deletion request.
If you would like more information regarding the weaknesses discovered in the design of LastPass, please check out the two episodes on the topic by the podcast Security Now.
Yoav
Founder, Conscious Digital // YourDigitalRights.org