Privacy Alerts, January 2023
Welcome to the January edition of Privacy Alerts, and happy 2023! It’s been a relatively quiet December and early January as far as privacy matters are concerned, so we are sending this email later than usual. From all the companies crossing our radar this month, the following are the top three that, according to our assessment, pose the most significant risk to your online privacy. Please consider sending them all data deletion requests. Click on the name of the company to do so.
Voyager Labs
Voyager Labs (voyager-labs.com), an Israeli company that relocated its headquarters to New York earlier this year, is in the business of selling AI-Based Investigation Solutions. According to the company’s website, “government and law enforcement agencies, as well as private sector customers, use our award-winning, cutting-edge technology, and superior domain expertise to exponentially increase the productivity and outcomes of their investigative teams”.
Voyager Labs was in the news earlier this month after getting sued by Meta, the company behind Facebook and Instagram, for allegedly creating tens of thousands of fake Facebook accounts to scrape user data and provide surveillance services for clients. When a company with a horrendous privacy-related track record, such as Meta, sues another company for privacy violations, it gets our attention.
In a blog post announcing the lawsuit, Meta claims that “Voyager designed its scraping software to use fake accounts to scrape data accessible to a user when logged into Facebook, including users’ profile information, posts, friends lists, photos, and comments.” Meta also claims that Voyager collected data from other sites, including Twitter, YouTube, and Telegram.
Send Voyager Labs a data deletion request now.
Meta
Regarding privacy violations, Meta (meta.com), the company behind Facebook and Instagram, is the gift that keeps on giving. Even if you believe that the folks at Meta are genuinely interested in amending their ways and protecting individual privacy, stories such as the one about Voyager Labs should convince you that merely holding on to such a vast amount of personal information is a ticking time bomb.
This month marks an important milestone in the fight to get regulators to pay attention to this particular time bomb. Our friends at Noyb (short for None of Your Business), an Austrian nonprofit organization, won a strategic lawsuit against Meta, which they filed in 2018, on the day the GDPR took effect.
The lawsuit targets a clever workaround that Facebook’s lawyers have come up with as a legal basis for their vast collection of personal data. Instead of relying on user consent, which would require the user to agree each time a piece of personal information was used for each of many purposes (meaning thousands of separate consent requests), Facebook’s lawyers have added the collection of personal information to its terms of service, claiming it’s a service Facebook is providing to the user. It then claimed that if it did not perform this collection, it would violate the contract with the user.
Noyb has managed to get the European Data Protection Board (EDPB) to prohibit Meta from using personal data collected in such a manner for advertisement. It also increased the fine for Meta, previously set by the Irish regulator, from € 28 million to € 390 million.
If you find Meta’s behavior infuriating, there is something that you can do to help. Please send Meta a data deletion request using our service, and when you do, please turn on the smart follow-up assistant feature. The email will be sent directly to Stephen Deadman, Facebook’s Data Protection Officer, but don’t worry, as Stephen will not be writing you back. Instead, you will get a reply saying his email address is not monitored. Over the past four years, we have attempted to email Facebook using many addresses, which all turned out to be not monitored. In fact, Meta does not publish even one corporate email address on any of its many websites. That’s OK. I am asking you to wait until you get the automated reply, then escalate your request to the relevant government regulator. Our smart follow-up assistant will send you an email after 30 days with instructions on exactly how to escalate your request. If you are in the EU, we will even generate an email addressed to the proper regulator for you to send.
With your help, we can persuade government regulators to step up enforcement.
LastPass
LastPass (lastpass.com) is a widely used password manager owned by parent company GoTo.com (formerly LogMeIn). In December, LastPass acknowledged that it had suffered a critical data breach. The breach occurred in August, but in its initial report of the incident, LastPass attempted to downplay the severity. This month it finally admitted that attackers managed a total compromise of company systems.
The attackers obtained a swath of personal information, including names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses. This particular breach is concerning because the attackers also managed to gain access to customer vaults.
People rely on LastPass’s vaults to store their most valuable passwords and secrets securely. As a last line of defense, LastPass end-to-end encrypts these vaults, which means the attackers got away with encrypted copies of customer secrets. Just how much this encryption is worth depends on how good the master passwords chosen by customers are. Experts expect that, in many cases, it is only a matter of time before some customer vaults are decrypted.
If you are a LastPass user or have used them in the past, we recommend that you take evasive action immediately. Here is a list of recommended actions. After securing your accounts and switching to another password manager, we recommend sending LastPass a data deletion request.
Privacy Tip
IEEE Spectrum has published an incredibly insightful article titled How Police Exploited the Capitol Riot’s Digital Records, questioning whether powerful forensic technology is worth the privacy trade-off. It is well worth a read if you are interested in a big-picture view of how investigators are now approaching this and similar situations and the related privacy debate—highly recommended.
Yoav
Founder, Conscious Digital // YourDigitalRights.org