Wolfie Christl
Researcher, writer, activist https://t.co/krjqJJhiTP | Tech & society. Tracking, surveillance, data economy, platform power, algorithmic decisions, datafication of work
28 Jul
When the data industry is talking about sharing 'anonymized' profile data:

Indeed, they do not share email addresses, for example. But they share hashed versions of them, and they all use THE SAME hash function, and can thus still monitor and act on people across the digital world.
Calling this kind of personal data sharing 'anonymized' is corporate misinformation. A whole industry has been built on this lie.

Many still don't understand that.

Also, the question of whether or not you can reverse the hash is irrelevant, if everyone uses the same function.
Of course, hashed IDs can also be based on phone numbers or other data.

There are more complex versions of this, e.g. hashing the hashes, using temporary IDs and later matching them to persistent ones, linking/matching chains of identifiers, using salted hashes for sub-purposes etc.
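Added illustration, not code from the original thread: two firms that never exchange plaintext addresses can still join their customer lists when both apply the same unkeyed hash, and rehashing does not change that. The contrast case uses an HMAC under a per-party secret, which is the one variant that actually breaks the join. The firm names, records and keys below are constructed for the example.

```python
import hashlib
import hmac


def normalize_email(email: str) -> str:
    # Both parties must normalize identically; otherwise the digests differ.
    return email.strip().lower()


def shared_hash_id(email: str) -> str:
    # Unkeyed SHA-256 over the normalized address. Any party that applies
    # the same function to the same address gets the same identifier, so
    # the digest works as a persistent ID without ever being reversed.
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def rehash(hashed_id: str) -> str:
    # 'Hashing the hashes': still deterministic, so still linkable.
    return hashlib.sha256(hashed_id.encode()).hexdigest()


def keyed_id(email: str, secret: bytes) -> str:
    # HMAC under a secret the other party does not hold. Identifiers derived
    # with different keys never match, so a cross-party join yields nothing.
    return hmac.new(secret, normalize_email(email).encode(), "sha256").hexdigest()


def join_on_id(left: dict, right: dict) -> dict:
    # Join two datasets on the identifier alone; no plaintext is needed.
    return {k: (left[k], right[k]) for k in left.keys() & right.keys()}


# Constructed sample data (assumed, not real people): a publisher and an
# ad-tech firm each hold attributes keyed by e-mail, with partial overlap
# and differing capitalization.
PUBLISHER = {
    "Alice.Example@mail.test": "reads health articles",
    "bob@mail.test": "subscribed to newsletter",
    "carol@mail.test": "visited pricing page",
}
ADTECH = {
    "alice.example@mail.test": "clicked insurance ad",
    "BOB@mail.test": "installed fitness app",
    "dave@mail.test": "viewed car listing",
}


def link_via_shared_hash() -> dict:
    a = {shared_hash_id(e): v for e, v in PUBLISHER.items()}
    b = {shared_hash_id(e): v for e, v in ADTECH.items()}
    return join_on_id(a, b)


def link_via_rehash() -> dict:
    a = {rehash(shared_hash_id(e)): v for e, v in PUBLISHER.items()}
    b = {rehash(shared_hash_id(e)): v for e, v in ADTECH.items()}
    return join_on_id(a, b)


def link_via_keyed(secret_a: bytes, secret_b: bytes) -> dict:
    a = {keyed_id(e, secret_a): v for e, v in PUBLISHER.items()}
    b = {keyed_id(e, secret_b): v for e, v in ADTECH.items()}
    return join_on_id(a, b)


if __name__ == "__main__":
    print("shared hash  :", len(link_via_shared_hash()), "matched")
    print("rehashed     :", len(link_via_rehash()), "matched")
    print("separate keys:", len(link_via_keyed(b"publisher-key", b"adtech-key")), "matched")
    print("same key     :", len(link_via_keyed(b"industry-key", b"industry-key")), "matched")
```

The last case is the point of the thread: a "salt" that the whole industry shares is no salt at all. The identifier only stops being linkable when the key stays with one party.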
23 Jul
Remember the debate about eBay port scanning visitors?

Turns out this was about ThreatMetrix, a fraud/identity analytics firm. The CIA was an early investor. Now owned by a massive data broker. FB and thousands of other companies are sending data to them. blog.nem.ec/2020/05/24/eba…
ThreatMetrix is owned by LexisNexis Risk Solutions / RELX.

Together, they claim to have data on hundreds of millions of people including names, addresses, phone numbers, email addresses, insurance records, criminal records and data on 4.5 billion devices.
relx.com/~/media/Files/…
I wrote about LexisNexis in 2016 (crackedlabs.org/dl/Christl_Spi…), about ThreatMetrix in 2017 (crackedlabs.org/dl/CrackedLabs…).

Many companies are harvesting data for marketing and advertising. Data collection for risk/fraud/identity stuff is even more pervasive, secretive and unaccountable.
21 Jul
If you visit 450 pages on 15 major health, education and news sites, 1,121 third parties set 891,772 cookies. Visiting health sites first maximizes the chance that data brokers can track you across sites.

Excellent study by @idonibrasco, @HNissenbaum et al: news.cornell.edu/stories/2020/0…
Using personal identifiers stored in third-party cookies to monitor, follow and profile people across sites may have an expiration date, but it's more prevalent than ever.

I think, examining cross-context ID in this way, presented at the @FTC's #PrivacyCon today, is very useful.
Observing the same personal identifier (aka pseudonymous cookie ID) across two websites proves that both sites help a third party to recognize a user again, and thus facilitate personal data sharing.

EU data protection authorities must adopt this methodology to gather evidence.
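Added example, not from the original thread or the study it cites: the cross-context check expressed as code. It takes constructed cookie observations from two separate browsing profiles and reports identifiers that one third party set on several first-party sites for a single profile. Values that are short (flags, counters) or that recur across profiles (a locale setting, say) are ruled out, since they identify nobody. The domains, cookie names and values are made up for the example.

```python
from collections import defaultdict

# Constructed observations (assumed, not real measurements):
# (browsing profile, first-party site visited, third-party domain that set
#  the cookie, cookie name, cookie value)
OBSERVATIONS = [
    ("p1", "health-site.test", "tracker-a.test", "uid", "a91f3c7e2b44"),
    ("p1", "health-site.test", "tracker-a.test", "consent", "1"),
    ("p1", "health-site.test", "tracker-a.test", "locale", "en-US-default"),
    ("p1", "health-site.test", "cdn-only.test", "session", "ab12cd34ef56"),
    ("p1", "news-site.test", "tracker-a.test", "uid", "a91f3c7e2b44"),
    ("p1", "news-site.test", "tracker-a.test", "locale", "en-US-default"),
    ("p1", "news-site.test", "tracker-b.test", "id", "7d6e5f4c3b2a"),
    ("p1", "edu-site.test", "tracker-a.test", "uid", "a91f3c7e2b44"),
    ("p1", "edu-site.test", "tracker-b.test", "id", "0011aabbccdd"),
    ("p1", "edu-site.test", "cdn-only.test", "session", "99887766aabb"),
    # A second, independent profile: a real identifier must differ here.
    ("p2", "health-site.test", "tracker-a.test", "uid", "5e4d3c2b1a00"),
    ("p2", "health-site.test", "tracker-a.test", "locale", "en-US-default"),
    ("p2", "news-site.test", "tracker-a.test", "uid", "5e4d3c2b1a00"),
]

MIN_ID_LENGTH = 8  # anything shorter is treated as a flag, not an identifier


def cross_site_identifiers(observations, min_len=MIN_ID_LENGTH):
    """Return {(third_party, cookie_name, value): {sites}} for values that
    (a) one third party set on at least two first-party sites and
    (b) were seen in exactly one browsing profile, i.e. are user-specific."""
    sites_by_key = defaultdict(set)
    profiles_by_key = defaultdict(set)
    for profile, site, third_party, name, value in observations:
        if len(value) < min_len:
            continue
        key = (third_party, name, value)
        sites_by_key[key].add(site)
        profiles_by_key[key].add(profile)
    return {
        key: sites
        for key, sites in sites_by_key.items()
        if len(sites) >= 2 and len(profiles_by_key[key]) == 1
    }


def linking_third_parties(observations):
    """Collapse the identifier view into: which third party recognized a
    user across which first-party sites."""
    linked = defaultdict(set)
    for (third_party, _name, _value), sites in cross_site_identifiers(observations).items():
        linked[third_party] |= sites
    return dict(linked)


if __name__ == "__main__":
    for (tp, name, value), sites in cross_site_identifiers(OBSERVATIONS).items():
        print(f"{tp} cookie {name}={value} seen on: {sorted(sites)}")
    print("third parties linking sites:", linking_third_parties(OBSERVATIONS))
```

In the constructed data only tracker-a.test reuses one value per profile across health, news and education sites; tracker-b.test sets a fresh value per site and so does not qualify, and the shared locale cookie is discarded because both profiles carry it. Against a real crawl the same two conditions are what turn "same cookie value on two sites" into evidence that a third party is recognizing the user across contexts.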
13 Jul
"This report is best used to get a full picture of the movements of a device through a given time period"

UberMedia, a location data broker who claims to have 6.5 years of historical data on 800 million mobile devices, is selling very specific data access
ubermedia.com/wp-content/upl…
So, you can send UberMedia a list of device IDs referring to persons and they return a 'device history report' on the past movements of those persons.

You can also ask them about the device IDs observed at a certain place, and about where those people went before and afterwards.
How do they obtain location data?

From 62 mobile apps that embed UberMedia's data harvesting software, 400 apps that embed data harvesting software operated by other firms, and from 100,000 apps that constantly leak location data while displaying ads.

ubermedia.com/wp-content/upl…
1 Jul
The UK Competition and Markets Authority's new report on 'online platforms and digital advertising' suggests that large shady platforms should share all kinds of personal data with smaller shady data firms via a linkable personal ID to increase competition.

This is a BAD idea.
Here's the report:
assets.publishing.service.gov.uk/media/5efc57ed…

It's not just a bad idea, it's simply unacceptable.

As I wrote months ago, when it comes to restricting platform power, perpetuating a hostile and broken personal data industry cannot be part of the solution.
30 Jun
So, do the @EU_EDPB's new guidelines on consent approve/endorse an interpretation of the GDPR that permits the 'consent to data harvesting or pay' model? Or don't they?
edpb.europa.eu/sites/edpb/fil…
If yes, wouldn't this mean that every website, mobile app, shop, streaming platform, ISP, airline, scooter rental firm and makers of TV devices, cars, coffee brewers, loudspeakers, vacuum cleaners, light bulbs and door locks could charge additional € for tracking-free versions?
Yes, personal data processing has additional requirements under the GDPR anyway, but still.

I mean, I'm fine with publishers using an 'ads or pay' model.

I'm not okay with personal data exploitation remaining the default, while a minority is paying a hundred times to avoid it.
13 May
The Norwegian public broadcaster purchased data on the movements of 140,000 phones and tablets over the whole year 2019 from Tamoco, a UK data broker.

They were able to trace the lives of individuals, including how 8300 people moved around in hospitals.

Important investigation:
Articles (in Norwegian):
nrk.no/norge/xl/avslo…
nrk.no/norge/mobilspo…

The Norwegian data protection authority started an investigation:


This is just the tip of the iceberg. Statement by the Norwegian Consumer Council:
forbrukerradet.no/side/asking-co…
As detailed in our report from January, we observed several data companies receiving detailed GPS location info from mobile apps.

Today, the Norwegian Consumer Council sent letters to some of them & considers filing GDPR complaints based on the responses: forbrukerradet.no/side/asking-co…
10 Apr
I see four main types of potential issues with proximity tracing apps:

1) Opaque/centralized mass profiling

2) Insufficient epidemiological/practical efficacy

3) Everything related to how governments implement them, e.g. making them (de-facto) compulsory

4) Mission creep
The Google/Apple approach *may* largely prevent (1) by governments.

G/A probably still have access to some data. They must amend their ToS with legally binding statements that STRICTLY prohibit them from exploiting any of it. In this case, (1) is perhaps largely resolved.
The other issues are challenging enough.
2 Apr
Location data secretly gathered from smartphone apps is potentially flawed, biased, untrustworthy or even fraudulent.

Overview of data harvesting companies who claim to help fight the virus by providing data on the movements of millions #covidwashing

Ongoing thread:
Cuebiq, data on Italian smartphone users:
25 Mar
The most shady data harvesting companies, who are secretly gathering location data from smartphones and apps without the users' knowledge, are covidwashing their products and exploiting the disaster.
According to @geoffreyfowler, Unacast's CEO said 'all of the apps that Unacast acquires location data from must let users know. But he declined to name any of the apps'.

How reliable is the data? How biased? We have no idea. He doesn't even name the data sources. Irresponsible.
Certain kinds of aggregate analytics based on consumer data that is being gathered secretly or illegally *may* be appropriate right now, in case of emergency.

But: full transparency, public governance, strong legal safeguards, firms must be held accountable for other data uses.
26 Feb
"We don't sell any of your information to anyone, and we never will" (Facebook's data policy)

Here's one way in which FB has long been selling personal data to advertisers at scale, according to trade press reports.

I have long suspected they do; this is potentially huge. #GDPR
So, FB shared individual-level data with advertisers or allowed them to query/link data involving device IDs via its 'measurement' partners.

This is 'personal data' as defined in the GDPR, and I'm sure FB didn't share it for charitable reasons, but received something in return.
I have long suspected that FB is directly sharing personal data with third parties for so-called 'measurement', but never had access to comprehensive info.

EU authorities must investigate this. This should be one more large GDPR case.

(AdAge article: adage.com/article/digita…)
23 Feb
2017 conference paper on cross-device tracking based on mass surveillance data from comScore, covering the majority of the US population.

They show how they identify which browsers, smartphones and other devices belong to which individuals and families: pages.cs.wisc.edu/~pb/kdd17_fina…
The paper was written by comScore researchers.

They used personal data on website visits and app/device usage recorded from unaware users over 6 weeks, including 1.2bn Google/Apple 'Advertising' IDs and pseudonymous IDs stored in cookies, in combination with IPs and timestamps.
In another paper published by a similar team in 2018, also based on comScore data, they additionally included device/browser fingerprints (based on e.g. screen size, user agent) and behavioral fingerprints (apps used and domains of the websites visited): pages.cs.wisc.edu/~pb/kdd18b_fin…
20 Feb
2 weeks ago the WSJ reported that US government agencies bought access to commercial location data from mobile apps to track immigrants.

Here's another company who claims to gather data from 1 billion devices + promises to assist law enforcement agencies in 'case investigation'.
lotadata.ai, the company who runs citydash.ai, maps the movements of millions based on data from unknown apps.

They sell 'people intelligence' both to businesses and government, for marketing purposes, as well as for 'public safety' and 'law enforcement'.
They claim to have data on people across the planet, including several EU countries:

- Los Angeles 100% coverage
- Madrid 82.3% coverage
- Rome 56.2% coverage

Recently, the FTC caught them misleading the public about their Privacy Shield certification: ftc.gov/enforcement/ca…
7 Feb
I have LONG suspected that governments buy commercial location data gathered from all kinds of mobile apps, from games to weather, and of course, it's happening.

WSJ reports that DHS, ICE and CBP bought access to data that maps the movements of millions: wsj.com/articles/feder…
According to the WSJ, this data:

- has been used to track immigrants and even to 'help identify immigrants who were later arrested' by DHS+ICE

- comes from a company that seems to be closely related to Gravy Analytics, a major player in digital marketing and mobile advertising
WSJ writes:

"According to federal spending contracts, a division of DHS ... began buying location data in 2017 from Venntel Inc. of Herndon, Va., a small company that shares several executives and patents with Gravy Analytics"

ICE bought Venntel licenses in 2018, CBP in 2019.
30 Jan
Agreed.

However, Publicis is a huge part of this, owning all kinds of data/adtech companies, and Epsilon, one of the largest consumer data brokers globally.
27 Jan
So both OkCupid (according to what we observed: fil.forbrukerradet.no/wp-content/upl…) and Tinder's new 'safety' app (according to: gizmodo.com/tinders-new-pa…) share personal data including device IDs with Kochava, a massive data broker who claims to gather data from '7 billion devices globally'.
This is what we observed. It's not about detailed profile data, yet Kochava still receives data about the fact that someone uses the app, when and for how long ('uptime'), plus device metadata, linked to personal identifiers such as Google's 'Advertising ID' and a proprietary ID.
Kochava openly sells data to other companies, for example, they 'deliver' access to 'mobile device IDs and accompanying data elements', including but not limited to data on interests, behaviors and devices:
kochava.com/data-marketpla…
14 Jan
NEW: We examined in detail how 10 popular smartphone apps secretly share extensive personal information with at least 135 companies, systematically breaking EU data protection law. This must end.

Two massive reports + legal complaints against 6 companies: forbrukerradet.no/side/new-study…
I helped with the investigation, led by the Norwegian Consumer Council. It took several months and also involved @thezedwards, technical analysis by security firm Mnemonic and legal expertise by @NOYBeu.

25 orgs in the EU/US are urging authorities to act:
We observed 8 data companies receiving detailed GPS location info, in combination with unique personal IDs, when using the gay/bi dating app Grindr, including MoPub (owned by Twitter), Bucksense, PubNative, OpenX, AdColony, Braze, Smaato and Vungle.

p125: fil.forbrukerradet.no/wp-content/upl…
22 Nov 19
Ok, this is devastating. It seems that almost the whole database of People Data Labs, a MASSIVE data broker who claims to have detailed profiles on 1.5 billion people, was left open on the Internet.
This is from the company's website:
peopledatalabs.com

All this data being exposed is only the final stage of the drama. The real scandal is that this company has been selling extensive data on hundreds of millions to anyone already before, largely without their knowledge.
People Data Labs has a page with detailed stats on 'their' database. It includes 91m birth dates, 413m educational records, 783m email addresses, 678m phone numbers, 809m records on work experience, 2,362m names, plus inferred salary, skills, interests etc
docs.peopledatalabs.com/docs/stats
15 Nov 19
The Financial Times reported yesterday on how health websites around the world pass sensitive data on to third parties. What does this look like in Austria?

I opened the netdoktor.at page about breast cancer. In the background, 26 third parties were informed of my visit.
Leaving Google aside, who are these third parties? Mostly companies that collect and trade digital profiles on (hundreds of) millions of people.

BlueKai/Oracle (US), Neustar (US), Weborama (FR) and Cleverdata (RU), for example, are clearly data brokers.
But online advertising firms such as Adform, AppNexus (AT&T), Dataxu (Roku), MediaMath, Pubmatic, Teads (Altice), The Trade Desk, Turn (Singtel), Brightcove and Virtual Minds (majority-owned by ProSiebenSat1) also process extensive data on the majority of the population.
11 Nov 19
Very interesting stuff in the leaked Facebook documents, indeed.

See e.g. from page 1561:
dataviz.nbcnews.com/projects/20191…

For example, Facebook did actually analyze "call log data (e.g. duration/frequency/recency of incoming/outgoing calls/texts)" and use it for friend suggestions.
Facebook was "working with Cisco and other manufacturers to collect insights about users whose mobile devices are detected by in-store wifi".

(the whole table is from an email dated December 11, 2013)
7 Nov 19
What do airlines such as United and AA, hotel chains such as Hyatt and Marriott, and car rentals such as Hertz and Avis have in common?

They provide data to a firm who says it has traveler profiles on 750 million people, on their searches, purchases, devices, passenger records.
The Adara 'data co-op' states that it collects 'real-time search, purchase and loyalty data from 200+ of the world’s most recognized travel brands', with 'more than 30 data points per traveler profile', all based on personal identifiers.

adara.com/about-data-co-…
adara.com/recognized-tra…
Adara calculates 'traveler value scores' based on 'customers’ behaviors and needs across the global travel ecosystem, over time', and it provides personalized offers/treatment 'pre-purchase, booking, post-purchase, check-in, in-airport, or in-destination'.
adara.com/traveler-intel…