Article 43

 

Privacy And Rights

Sunday, March 03, 2019

Data Brokers

image: data brokers

Here are the data brokers quietly buying and selling your personal information

By Steven Melendez and Alex Pasternack
Fast Company
March 2, 2019

It’s no secret that your personal data is routinely bought and sold by dozens, possibly hundreds, of companies. What’s less known is who those companies are, and what exactly they do.

Thanks to a new Vermont law requiring companies that buy and sell third-party personal data to register with the Secretary of State, we’ve been able to assemble a list of 121 data brokers operating in the U.S. It’s a rare, rough glimpse into a bustling economy that operates largely in the shadows, and often with few rules.

Even Vermont’s first-of-its-kind law, which went into effect last month, doesn’t require data brokers to disclose who’s in their databases, what data they collect, or who buys it. Nor does it require brokers to give consumers access to their own data or opt out of data collection. Brokers are, however, required to provide some information about their opt-out systems under the law - assuming they provide one.

If you do want to keep your data out of the hands of these companies, you’ll often have to contact them one by one through whatever opt-out systems they provide; more on that below.

The registry is an expansive, alphabet soup of companies, from lesser-known organizations that help landlords research potential tenants or deliver marketing leads to insurance companies, to the quiet giants of data. Those include big names in people search, like Spokeo, ZoomInfo, White Pages, PeopleSmart, Intelius, PeopleFinders, and the numerous other websites they operate; credit reporting, like Equifax, Experian, and TransUnion; and advertising and marketing, like Acxiom, Oracle, LexisNexis, Innovis, and KBM. Some companies also specialize in “risk mitigation,” which can include credit reporting but also background checks and other identity verification services.

Still, these 121 entities represent just a fraction of the broader data economy: The Vermont law only covers third-party data firms - those trafficking in the data of people with whom they have no relationship - as opposed to first-party data holders like Amazon, Facebook, or Google, which collect their own enormous piles of detailed data directly from users.

What they know

By buying or licensing data or scraping public records, third-party data companies can assemble thousands of attributes each for billions of people. For decades, companies could buy up lists of magazine subscribers to build targeted advertising audiences. These days, if you use a smartphone or a credit card, it’s not difficult for a company to determine if you’ve just gone through a break-up, if you’re pregnant or trying to lose weight, whether you’re an extrovert, what medicine you take, where you’ve been, and even how you swipe and tap on your smartphone. (Browser cookies and trackers are a major part of this infrastructure, and like many websites, Fast Company’s site relies on them in order to serve content and ads.)

All that information can be used to create profiles of you - think of them as virtual, possibly erroneous versions of you - that can be used to target you with ads, classify the riskiness of your lifestyle, or help determine your eligibility for a job. Like the companies themselves, the risks can be hard to see. Apart from the dangers of merely collecting and storing all that data, detailed (and often erroneous) consumer profiles can lead to race or income-based discrimination, in a high-tech version of redlining.

Piles of personal data are flowing to political consultants attempting to influence your vote (like Cambridge Analytica) and to government agencies pursuing non-violent criminal suspects (like U.S. Immigration and Customs Enforcement). Meanwhile, people-search websites, accessible to virtually anyone with a credit card, can be a goldmine for doxxers, abusers, and stalkers.

People in the U.S. still struggle to understand the nature and scope of the data collected about them, according to a recent survey by the Pew Research Center, and only 9% believe they have a lot of control over the data that is collected about them. Still, the vast majority, 74%, say it is very important to them to be in control of who can get that information.

Deleting your data

For companies regulated under the Fair Credit Reporting Act (FCRA), including traditional credit bureaus, you have the right to request your personal data and request corrections of anything that’s wrong.

But for other companies that deal in data, like marketing and people finder companies, U.S. law mostly doesn’t make any such guarantees, though that may change in the future as state and federal legislatures consider further rules. Those could ultimately bring protections like the right-to-be-forgotten and other safeguards granted to European residents under the General Data Protection Regulation (GDPR), probably the strictest international consumer data policy.

To try to remove yourself from a company’s databases: Click on the name of the broker below, click “Filing History,” and then click “DATA BROKER REGISTRATION.” You’ll get a document in PDF form that contains details from the company on how to opt out - provided the company allows you to opt-out.

You can also consult various online guides listing opt-out procedures. Griffin Boyce, systems administrator at Harvard University’s Berkman Klein Center for Internet and Society, has compiled one such opt-out guide. Another guide is put together by Joel Winston, an attorney known for his work on data privacy and consumer protection. At Motherboard, Yael Grauer compiled another list of brokers with tips for opting out. If you’re a resident of the European Union, opt-out.eu has a guide to sending GDPR Erasure Requests.

You can also use the Data & Marketing Association’s DMAchoice program, which is primarily designed for opting out of direct mail and email messages, but is also used by some organizations to remove consumers from their lists entirely. It costs $2 to sign up for the program, and registration lasts two years.

If you’re part of a “protected class,” which includes victims of domestic violence, stalking, sexual assault, identity theft, or people who work in law enforcement, some states like California offer Safe at Home, a program that lets victims remove their contact info from databases with a single request. The National Network to End Domestic Violence has also assembled a guide to data brokers.

If you’re concerned about how a company is handling your personal data, you can file a complaint with the Federal Trade Commission, which has issued millions of dollars in penalties over unfair or unlawful behavior by credit agencies and data brokers.

You can limit data loss by deleting unnecessary apps, adjusting your privacy settings, using privacy tools like a VPN, and limiting what you post online.

In order to control your data, you may need to hand over some basic info to verify that it’s really you. But be careful about what you turn over. As Boyce writes, “other than credit reporting agencies such as Equifax, no one should ask for your Social Security number or tax ID while opting out. When sending a copy of your ID, mark out the ID number and draw a line across the photo.”

The data broker companies

Below are the companies that have registered under Vermont’s data broker law, with descriptions drawn from their websites or other sources where noted.

ACCUDATA INTEGRATED MARKETING INC.

Accudata operates mailing lists and marketing data services.

ACXIOM LLC

The data giant’s offerings now encompass more than 62 countries, 2.5 billion addressable consumers and more than 10,000 attributes - for a comprehensive representation of 68 percent of the world’s online population. Last year, following the Cambridge Analytica scandal and Facebook’s decision to end partnerships with Acxiom and other third-party data handlers, LiveRamp sold Acxiom to Interpublic Group, one of the world’s largest advertising agencies, for $2.3 billion. LiveRamp continues to operate as a leading “data onboarding” company, helping bring offline data online for marketing purposes.

ADVANTAGE CREDIT INC

Advantage Credit resells credit services and data for the mortgage and finance industry.

ADVANTAGE SALES AND MARKETING LLC

Advantage offers shopper marketing, retail merchandising, and other services to retailers and manufacturers.

ADVERTISE4SALES LLC

Advertise4Sales connects law firms and legal professionals across the country to tens of thousands of prospects requesting legal help in real-time via phone or web leads each month.

ALC INC

ALC (American List Counsel) has “become the industry’s leading privately held direct and digital data marketing services provider.”

ALL WEB LEADS INC

All Web Leads is an online lead generation company that sells the highest-quality sales leads to top insurance producers. (Crunchbase)

ALTISOURCE HOLDINGS LLC

Altisource provides information about landlords to businesses that wish to market to them.

AMRENT INC

AmRent provides tenant screening services and data.

ANALYTICSIQ INC

[T]he first data company to consistently blend cognitive psychology with sophisticated data science to help you understand the who, what and why behind consumers and the decisions they make every day. Their accurate and comprehensive consumer database, PeopleCore, provides access to data attributes you can’t find anywhere else.

ASL MARKETING INC

ASL is “the nation’s premier provider of student marketing data, focused on the highly desirable 13-34-year-old market.”

AUTOMATION RESEARCH INC DBA DATA VERIFY

DataVerify provides information for the mortgage and real estate loan industry.

AVRICK DIRECT INC

Mailing list and direct marketing company “specializing in data compilation.”

BACKGROUND INFORMATION SERVICES INC (BIS)

BIS focuses on employee and tenant screening.

BACKGROUNDCHECKS.COM LLC

Backgroundchecks.com provides online background checks and criminal records data.

BEENVERIFIED INC and its subsidiaries/affiliates

BeenVerified provides background check and people search services.

BELARDI OSTROY ALC LLC

“Belardi Wong is a full service digital & direct marketing agency, relentlessly focused on driving revenue, profit and customer growth.”

BLACK KNIGHT DATA AND ANALYTICS LLC

Black Knight provides loan and real estate data.

BLACKBAUD INC

“A supplier of software and services specifically designed for nonprofit organizations. Its products focus on fundraising, website management, CRM, analytics, financial management, ticketing, and education administration.” (Wikipedia)

CBCINNOVIS INC

CBCInnovis provides credit and real estate data.

CDK GLOBAL LLC

“CDK provides software and technology solutions for automotive retailers in the United States and internationally.”

CIC MORTGAGE CREDIT INC

CIC provides credit data for the mortgage industry.

CIVIS ANALYTICS INC

Civis is an Eric Schmidt-backed data science software and consultancy company founded by Dan Wagner in 2013. Wagner served as the chief analytics officer for Barack Obama’s 2012 re-election campaign. Read more from Fast Company here.

CLARITY SERVICES INC

Clarity Services is a unit of Experian focusing on alternative credit data.

COMPACT INFORMATION SYSTEMS

Provides specialty lists, data hygiene services, and direct marketing database solutions.

CONFI-CHEK

A people search conglomerate that owns Peoplefinders.com, Enformium Inc., PublicRecordsNOW.com, PrivateEye.com and Advanced Background Checks Inc.

CORELOGIC BACKGROUND DATA LLC

CoreLogic Background Data provides “wholesale background data” for screening purposes.

CORELOGIC CREDCO OF PUERTO RICO

CoreLogic Credco provides credit data to the mortgage industry.

CORELOGIC CREDCO LLC

CoreLogic Credco provides credit data to the mortgage industry.

CORELOGIC SCREENING SERVICES LLC

CoreLogic Screening Services provides tenant screening for rental properties.

CORELOGIC SOLUTIONS LLC

CoreLogic Solutions processes and provides property records for the real estate and mortgage industries.

CORTERA INC

Cortera provides credit information about businesses.

DATA FACTS INC

Data Facts provides information on consumers for background checks in lending, housing and more.

DATAMENTORS LLC DBA V12

A “data and technology platform that links customer records with their proprietary blend of online, offline, and digital marketing data for highly personalized, one-to-one consumer marketing, regardless of device or channel.” (Crunchbase)

DATAMYX LLC DBA DELUXE MARKETING SOLUTIONS

A “leading provider of integrated information, technology and analytics. Datamyx serves customers in industries ranging from banking, credit unions, and mortgage providers to alternative finance, insurance, and others.”

DATASTREAM GROUP INC

Datastream “provides rich marketing data and real-time sales leads.”

DATAX LTD

DataX is a unit of Equifax focused on alternative credit data.

DIGITAL MEDIA SOLUTIONS

“Deploys diversified and data-driven digital media customer acquisition solutions, including performance marketing, digital agency and marketing technology solutions to help achieve the marketing objectives of clients.”

DIGITAL SEGMENT LLC

A multi-channel marketing company.

DROBU MEDIA LLC

Ad manager and lead generator for social media campaigns.

DUSTIN BLACKMAN

Dustin Blackman is the head of Drobu Media LLC, a lead generation service. He indicated to Fast Company that he intended to register only the business, not himself.

EDVISORS NETWORK INC

Edvisors “provides independent advertising-supported platforms for consumers to search compare and apply for private student loans.”

ENFORMION

Enformion “aggregates billions of United States public records into one of the largest online people databases.”

EPSILON DATA MANAGEMENT LLC

Epsilon is one of the largest data management companies in the world, and provides direct marketing and customer relationship management services, sending more than 40 billion e-mails each year.

EQUIFAX INFORMATION SERVICES LLC

Incorporated in 1937, Equifax is one of the three major consumer credit reporting agencies. In 2017, the company said it suffered a cyberattack that exposed the data of more than 145.4 million Americans, including their full names, Social Security numbers, birth dates, addresses, and driver license numbers. At least 209,000 consumers’ credit card credentials were also taken in the attack.

EXPERIAN DATA CORP

A sibling of the giant U.S. credit reporting agency Experian Information Solutions and one of many subsidiaries of the Ireland-based data giant Experian PLC, the company operates Experian RentBureau, a database updated daily with millions of consumers “rental payment history data” from property owners/managers, electronic rent payment services and collection companies.

EXPERIAN FRAUD PREVENTION SOLUTIONS INC

An Experian unit providing a database focusing on fraudulent transactions.

EXPERIAN HEALTH INC

The healthcare division of the credit reporting agency, providing data and analytics for healthcare providers, labs, pharmacies, payers, and other risk-bearing entities.

EXPERIAN INFORMATION SOLUTIONS INC

One of the “big three” credit reporting agencies, Experian also sells data analytics and marketing services, and purports to aggregate information on over one billion people and businesses, including 235 million individual U.S. consumers.

EXPERIAN MARKETING SOLUTIONS INC

A marketing subsidiary of the credit reporting giant focused on identity-linkage and consumer research.

FD HOLDINGS LLC DBA FACTUAL DATA

Factual Data provides credit and other data to mortgage lenders.

FIRST AMERICAN DATA TREE LLC

DataTree “delivers the current and accurate real estate and property ownership data you need for your business.”

FIRST DIRECT INC and its subsidiaries/affiliates

First Direct provides digital & traditional direct marketing.

FIRST ORION CORP

First Orion provides information on telephone callers, including contact information and the likelihood of a scam.

FOREWARN LLC

Forewarn provides background information about potential business associates, including real estate clients.

FUSED LEADS LLC

Fused Leads is “a pipeline to potential clients for the home improvement, auto insurance, auto finance, life insurance, mortgage, and health insurance industries.”

GENERAL INFORMATION SOLUTIONS LLC

GIS, which recently merged with HireRight, is a background screening company.

HEALTHCARE.COM

Not to be confused with the government insurance portal healthcare.gov, healthcare.com provides consumer marketing for insurance companies.

I360 LLC

Funded by the Koch brothers and started by a former adviser to John McCain’s presidential campaign, i360 has built one of the largest data, technology, and analytics platforms for political and commercial clients.

ID ANALYTICS LLC

ID Analytics is a unit of Symantec focused on credit and fraud risk mitigation.

IHS MARKIT

IHS Markit is a “global leader in information, analytics and solutions” for various industries.

INCHECK INC

InCheck is a background check provider.

INFLECTION RISK SOLUTIONS LLC

Inflection helps companies to make better and faster people decisions about who to hire, who to trust, and to whom they should grant access using in-house and public data that includes criminal records, sex offender registries, and global watchlists.

INFLECTION.COM INC

A subsidiary of Inflection Risk Solutions.

INFOCORE INC

Infocore “specializes in direct marketing, campaign strategy, and sourcing market data for domestic and multinational clients.”

INFOGROUP INC

Infogroup, founded by Vinod Gupta in 1972, “offers real-time data on 245 million individuals and 25 million businesses for customer acquisition and retention,” according to Wikipedia.

INFUTOR DATA SOLUTIONS

Infutor is “the expert in identity management, enabling brands to instantly identify consumers and make informed marketing decisions.”

Innovis Data Solutions Inc.

Innovis is a consumer credit reporting agency.

Instant Checkmate LLC

Instant Checkmate is a people search site that uses public records, including criminal records.

Insurance Services Office Inc.

ISO is a unit of Verisk that focuses on insurance risk and fraud identification.

IntelliCorp Records Inc.

IntelliCorp is a unit of Verisk focusing on employment background checks.

Intellireal LLC

Intellireal is a division of Equifax focusing on real estate analytics and valuation.

Interactive Data LLC

Interactive Data provides consumer information for risk mitigation, compliance, and identity verification.

IQ Data Systems Inc. dba Backgrounds Online

“A nationwide data aggregator, IQ Data Systems offers private investigation, skip tracing, public record maintenance and background screening services,” and provides “FCRA compliant background screening.”

ISO Claims Services Inc.

ISO manages insurance companies’ personal injury claims portfolios.

ISO Services Inc.

A subsidiary of data giant Verisk Analytics, ISO “is a provider of statistical, actuarial, underwriting, and claims information and analytics; compliance and fraud identification tools” for “insurers, reinsurers, agents and brokers, insurance regulators, risk managers, and other participants in the property/casualty insurance marketplace.”

IXI Corp.

Equifax-owned IXI analyzes household economics and “offers customer targeting, segmentation, and market tracking solutions and services for financial services and consumer marketing firms.”

KBM GROUP LLC

WPP-owned data giant KBM offers “marketing strategy and analytics services.”

KnowWho Inc.

KnowWho helps “government relations, lobbying firms, advocacy groups, library patrons, and the government itself, connect with elected officials and their staffs for more than 15 years.”

LexisNexis Risk Solutions Inc. and affiliates

This LexisNexis unit provides and works with data for risk management purposes.

Lundquist Consulting Inc.

LCI, part of Verisk Financial, provides data on bankruptcy matters.

MCH Inc. dba MCH Strategic Data

MCH “provides the highest quality education, healthcare, government, and church data.”

Modernize Inc.

A home improvement contractor marketplace.

National Consumer Telecom & Utilities Exchange Inc.

“NCTUE is a consumer reporting agency that maintains data such as payment and account history, reported by telecommunication, pay TV, and utility service providers that are members of NCTUE.”

National Student Clearinghouse

The National Student Clearinghouse verifies where people attended school and the degrees they earned.

Neustar Inc.

Neustar “provides real-time information and analytics for defense, telecommunications, entertainment, and marketing industries, and provides clearinghouse and directory services to the global communications industries, serving as the domain name registry for .biz, .us, .co, and .nyc top-level domains.”

New England List Services Inc.

Offers targeted consumer mailing lists.

Open Dealer Exchange LLC dba 700 Credit LLC

700 Credit provides credit screening for car dealers.

Oracle America Inc. (Oracle Data Cloud)

Data giant “Oracle Data Cloud gives marketers access to 5 billion global IDs, $3 trillion in consumer transactions, and more than 1,500 data partners available through the BlueKai Marketplace. With more than 45,000 prebuilt audiences spanning demographic, behavioral, B2B, online, offline, and transactional data, we bring together more data into a single location than any other solution.”

OwnerIQ Inc.

OwnerIQ “provides online advertising solutions and marketing channels for brands, retailers, and manufacturers and operates a platform for second party data for marketing.”

Parasol Media Inc.

Parasol Leads is one of the insurance industry’s highest quality leads generation services.

Partners Credit and Verification Solutions

Partners provides credit and background data to mortgage lenders.

Path2Response

“Path2Response collects, aggregates and models consumer information.”

PeopleConnect Inc.

A people search company that owns Intelius and Classmates.com, providing access to criminal records, employee screening, background checks, and identity theft protection services.

Pipl Inc.

Pipl is a people search tool.

Plural Marketing Solutions Inc.

“A company that builds engaging, consumer-centric paths and web sites.”

PossibleNOW Data Services

“PossibleNOW is the leader in consumer regulatory compliance and consent solutions, and pioneered the concept of enterprise preference management.”

Project Applecart LLC

“Project Applecart gathers data on adults in the U.S. via publicly available sources or via third-party license agreements. It analyzes the data to help advertisers address marketing and other communications to the relevant audience.”

Quality Planning Corp.

QPC provides analytics and information on policyholders for automobile insurance companies.

Rental Property Solutions LLC

Rental Property Solutions is a unit of CoreLogic that provides credit reporting information to landlords.

Reveal Mobile Inc.

Reveal provides location-based marketing & analytics to help companies reach audiences across mobile apps, digital advertising, and social media.

Ruf Strategic Solutions

A marketing firm owned by consumer identity management company Infutor with a focus on travel, tourism, insurance, e-commerce, and education.

SageStream LLC

SageStream is a consumer credit reporting company.

Skipmasher Inc.

For skiptracers and investigators.

Speedeon Data LLC

“Speedeon Data’s goal has been to provide our clients with the highest quality customer contact data.”

Spokeo Inc.

Spokeo is a people search giant that purports to provide access to 12 billion public records. In 2012, the Federal Trade Commission fined the company $800,000 and placed it under a 20-year privacy prohibition for marketing information for employment screening purposes without adhering to the Fair Credit Reporting Act, in the first FTC fine involving personal data collected online and sold to potential employers.

Spy Dialer Inc.

Spy Dialer is a people search website providing information on people by name or phone number.

Strategic Information Resources

SIR provides background and credit screening to employers, landlords, and lenders.

TALX Corp.

TALX is a unit of Equifax that provides employment information to companies and landlords through a database called The Work Number. As Fast Company previously reported, the database relies on feeds of detailed employee and salary data provided by the country’s biggest companies and organizations, including Facebook, Amazon, Microsoft, Oracle, Walmart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. In 2017, a security researcher exposed a breach in which employees’ data could be accessed using only Social Security numbers and dates of birth.

Teletrack LLC

“CoreLogic Teletrack is a consumer reporting agency that provides consumer reports to third parties for the purpose of credit risk assessment and/or other purposes as permitted by law.”

The Lead Company Inc.

Specializing in quality real-time online insurance leads for auto, home, life, and health.

Thomson Reuters (CRC) LLC dba Refinitiv

Refinitiv operates the World-Check database used for financial “know your customer” compliance and identity verification.

Towerdata Inc.

A multichannel marketing firm focused on email.

TransUnion

TransUnion is the smallest of the “big three” credit reporting agencies, alongside Experian and Equifax.

Truthfinder LLC

Truthfinder is a people search site that provides background checks and public records search capabilities.

Twine Data Inc.

“Twine is a mobile data platform that works with app publishers who generate mobile data & the companies who need data for ad targeting.” (Crunchbase)

Viant Technology LLC

Viant, a former Time Inc. and current Meredith subsidiary, is “a premier people-based advertising technology company, enabling marketers to plan, execute, and measure their digital media investments,” with access to over 250 million registered users in the U.S., “infusing accuracy, reach and accountability into cross device advertising.”

WEST PUBLISHING CORP

A unit of Thomson Reuters, West offers tools for searching public records and legal records. In 2018, the non-profit Privacy International identified it as one of a number of firms hired by Immigration and Customs Enforcement to provide data that can be used by the agency and others to identify and track people and their families, including for deportation.

WHITEPAGES INC

WhitePages provides people search and background information.

WHOODLE LLC

Whoodle is a people search and background check service.

WILAND INC

A provider of intelligence-driven predictive marketing solutions.

SOURCE

Posted by Elvis on 03/03/19 •

Wednesday, October 17, 2018

The Clouded Cloud

image: amazon honor system

AmazonAtlas

Wikileaks
October 11, 2018

Today, WikiLeaks publishes a “Highly Confidential” internal document from the cloud computing provider Amazon. The document from late 2015 lists the addresses and some operational details of over one hundred data centers spread across fifteen cities in nine countries. To accompany this document, WikiLeaks also created a map showing where Amazon’s data centers are located.

Amazon, which is the largest cloud provider, is notoriously secretive about the precise locations of its data centers. While a few are publicly tied to Amazon, this is the exception rather than the norm. More often, Amazon operates out of data centers owned by other companies with little indication that Amazon itself is based there too or runs its own data centers under less-identifiable subsidiaries such as VaData, Inc. In some cases, Amazon uses pseudonyms to obscure its presence. For example, at its IAD77 data center, the document states that Amazon is known as “Vandala Industries” on badges and all correspondence with building manager.

Amazon is the leading cloud provider for the United States intelligence community. In 2013, Amazon entered into a $600 million contract with the CIA to build a cloud for use by intelligence agencies working with information classified as Top Secret. Then, in 2017, Amazon announced the AWS Secret Region, which allows storage of data classified up to the Secret level by a broader range of agencies and companies. Amazon also operates a special GovCloud region for US Government agencies hosting unclassified information.

Currently, Amazon is one of the leading contenders for an up to $10 billion contract to build a private cloud for the Department of Defense. Amazon is one of the only companies with the certifications required to host classified data in the cloud. The Defense Department is looking for a single provider and other companies, including Oracle and IBM, have complained that the requirements unfairly favor Amazon. Bids on this contract are due tomorrow.

While one of the benefits of the cloud is the potential to increase reliability through geographic distribution of computing resources, cloud infrastructure is remarkably centralised in terms of legal control. Just a few companies and their subsidiaries run the majority of cloud computing infrastructure around the world. Of these, Amazon is the largest by far, with recent market research showing that Amazon accounts for 34% of the cloud infrastructure services market.

Until now, this cloud infrastructure controlled by Amazon was largely hidden, with only the general geographic regions of the data centers publicised. While Amazon’s cloud is comprised of physical locations, indications of the existence of these places are primarily buried in government records or made visible only when cloud infrastructure fails due to natural disasters or other problems in the physical world.

In the process of dispelling the mystery around the locations of Amazon’s data centers, WikiLeaks also turned this document into a puzzle game, the Quest of Random Clues. The goal of this game was to encourage people to research these data centers in a fun and intriguing way, while highlighting related issues such as contracts with the intelligence community, Amazon’s complex corporate structures, and the physicality of the cloud.

SOURCE

Posted by Elvis on 10/17/18 •

Sunday, October 07, 2018

Analog Malicious Hardware

image: computer chip

This Demonically Clever Backdoor Hides In a Tiny Slice of a Computer Chip

By Andy Greenberg
Wired
June 1, 2016

Security flaws in software can be tough to find. Purposefully planted ones - hidden backdoors created by spies or saboteurs - are often even stealthier. Now imagine a backdoor planted not in an application, or deep in an operating system, but even deeper, in the hardware of the processor that runs a computer. And now imagine that silicon backdoor is invisible not only to the computer’s software, but even to the chip’s designer, who has no idea that it was added by the chip’s manufacturer, likely in some farflung Chinese factory. And that it’s a single component hidden among hundreds of millions or billions. And that each one of those components is less than a thousandth of the width of a human hair.

In fact, researchers at the University of Michigan haven’t just imagined that computer security nightmare; they’ve built and proved it works. In a study that won the “best paper” award at last week’s IEEE Symposium on Privacy and Security, they detailed the creation of an insidious, microscopic hardware backdoor proof-of-concept. And they showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system. Most disturbingly, they write, that microscopic hardware backdoor wouldn’t be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.

“Detecting this with current techniques would be very, very challenging if not impossible,” says Todd Austin, one of the computer science professors at the University of Michigan who led the research. “It’s a needle in a mountain-sized haystack.” Or as Google engineer Yonatan Zunger wrote after reading the paper: “This is the most demonically clever computer security attack I’ve seen in years.”

Analog Attack

The “demonically clever” feature of the Michigan researchers’ backdoor isn’t just its size, or that it’s hidden in hardware rather than software. It’s that it violates the security industry’s most basic assumptions about a chip’s digital functions and how they might be sabotaged. Instead of a mere change to the “digital” properties of a chip - a tweak to the chip’s logical computing functions - the researchers describe their backdoor as an “analog” one: a physical hack that takes advantage of how the actual electricity flowing through the chip’s transistors can be hijacked to trigger an unexpected outcome. Hence the backdoor’s name: A2, which stands for both Ann Arbor, the city where the University of Michigan is based, and “Analog Attack.”

Here’s how that analog hack works: After the chip is fully designed and ready to be fabricated, a saboteur adds a single component to its “mask,” the blueprint that governs its layout. That single component or “cell” - of which there are hundreds of millions or even billions on a modern chip - is made out of the same basic building blocks as the rest of the processor: wires and transistors that act as the on-or-off switches that govern the chip’s logical functions. But this cell is secretly designed to act as a capacitor, a component that temporarily stores electric charge.

Every time a malicious program - say, a script on a website you visit - runs a certain, obscure command, that capacitor cell “steals” a tiny amount of electric charge and stores it in the cell’s wires without otherwise affecting the chip’s functions. With every repetition of that command, the capacitor gains a little more charge. Only after the “trigger” command is sent many thousands of times does that charge hit a threshold where the cell switches on a logical function in the processor to give a malicious program the full operating system access it wasn’t intended to have. “It takes an attacker doing these strange, infrequent events in high frequency for a duration of time,” says Austin. “And then finally the system shifts into a privileged state that lets the attacker do whatever they want.”

That capacitor-based trigger design means it’s nearly impossible for anyone testing the chip’s security to stumble on the long, obscure series of commands to “open” the backdoor. And over time, the capacitor also leaks out its charge again, closing the backdoor so that it’s even harder for any auditor to find the vulnerability.
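
The accumulate-and-leak behaviour described above can be modelled as a leaky accumulator, which shows why a workload that only occasionally issues the trigger instruction never reaches the threshold. The Python below is an added illustration, not code from the Michigan paper or the article; the gain, leak and threshold values and all function names are constructed.

```python
def privileged_ticks(events, gain=1.0, leak=0.02, threshold=40.0):
    """Leaky-accumulator model of the trigger cell.

    events: sequence of 0/1 per clock tick (1 = the rare trigger instruction ran).
    Each event adds `gain` units of charge; every tick a fraction `leak` drains away.
    Returns the ticks at which the stored charge is at or above `threshold`,
    i.e. the ticks during which the privileged state would be asserted.
    All parameter values are constructed for illustration.
    """
    charge, active = 0.0, []
    for tick, fired in enumerate(events):
        charge = charge * (1.0 - leak) + (gain if fired else 0.0)
        if charge >= threshold:
            active.append(tick)
    return active


def periodic(period, ticks):
    """Workload that issues the trigger instruction once every `period` ticks."""
    return [1 if t % period == 0 else 0 for t in range(ticks)]


# Constructed workloads.
# SPARSE: the instruction appears regularly but rarely, as in ordinary test code.
# BURST: the instruction is issued on every tick for 200 ticks, then never again.
SPARSE = periodic(10, 5000)
BURST = [1] * 200 + [0] * 300

if __name__ == "__main__":
    print("sparse workload, ticks in privileged state:", len(privileged_ticks(SPARSE)))
    burst = privileged_ticks(BURST)
    print("burst workload, privileged from tick", burst[0], "to tick", burst[-1])
```

In this model the sparse workload levels off far below the threshold no matter how long it runs, while the burst crosses it and then drops back once the events stop, which is the self-closing window the article describes.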

New Rules

Processor-level backdoors have been proposed before. But by building a backdoor that exploits the unintended physical properties of a chip’s components - their ability to “accidentally” accumulate and leak small amounts of charge - rather than their intended logical function, the researchers say their backdoor component can be a thousandth the size of previous attempts. And it would be far harder to detect with existing techniques like visual analysis of a chip or measuring its power use to spot anomalies. “We take advantage of these rules ‘outside of the Matrix’ to perform a trick that would [otherwise] be very expensive and obvious,” says Matthew Hicks, another of the University of Michigan researchers. “By following that different set of rules, we implement a much more stealthy attack.”

The Michigan researchers went so far as to build their A2 backdoor into a simple open-source OR1200 processor to test out their attack. Since the backdoor mechanism depends on the physical characteristics of the chip’s wiring, they even tried their “trigger” sequence after heating or cooling the chip to a range of temperatures, from negative 13 degrees to 212 degrees Fahrenheit, and found that it still worked in every case.

As dangerous as their invention sounds for the future of computer security, the Michigan researchers insist that their intention is to prevent such undetectable hardware backdoors, not to enable them. They say it’s very possible, in fact, that governments around the world may have already thought of their analog attack method. “By publishing this paper we can say it’s a real, imminent threat,” says Hicks. “Now we need to find a defense.”

But given that current defenses against detecting processor-level backdoors wouldn’t spot their A2 attack, they argue that a new method is required: Specifically, they say that modern chips need to have a trusted component that constantly checks that programs haven’t been granted inappropriate operating-system-level privileges. Ensuring the security of that component, perhaps by building it in secure facilities or making sure the design isn’t tampered with before fabrication, would be far easier than ensuring the same level of trust for the entire chip.

They admit that implementing their fix could take time and money. But without it, their proof-of-concept is intended to show how deeply and undetectably a computer’s security could be corrupted before it’s ever sold. “I want this paper to start a dialogue between designers and fabricators about how we establish trust in our manufactured hardware,” says Austin. “We need to establish trust in our manufacturing, or something very bad will happen.”

Here’s the Michigan researchers’ FULL PAPER - [ LOCAL COPY .pdf ]

SOURCE

Posted by Elvis on 10/07/18 •
Section Privacy And Rights

Monday, August 27, 2018

What Google Knows About You - Part II

image: google

Android data slurping measured and monitored
Study lays bare personal data flows from mobes to the Chocolate Factory

By Andrew Orlowski
The Register
August 24, 2018

GOOGLE’S passive collection of personal data from Android and iOS has been monitored and measured in a significant academic study.

The report confirms that Google is no respecter of the Chrome browser’s “incognito mode” aka “porn mode”, collecting Chrome data to add to your personal profile, as we pointed out EARLIER THIS YEAR.

It also reveals how phone users are being tracked without realising it. How so? It’s here that the B2B parts of Google’s vast data collection network - its publisher and advertiser products - kick into life as soon as the user engages with a phone. These parts of Google receive personal data from an Android even when the phone is static and not being used.

The activity has come to light thanks to RESEARCH (PDF) by computer science professor Douglas Schmidt of Vanderbilt University, conducted for the nonprofit trade association Digital Content Next. It’s already been described by one privacy activist as “the most comprehensive report on Google’s data collection practices so far”.

Even if you don’t use a consumer-facing Google service such as YouTube, many of the sites you visit on the web will be plugged into Google via the publisher and advertiser services: DoubleClick and Google Analytics. AMP mobile pages, hosted on Google, have also helped retrieve more valuable personal data.

Google Analytics is used by more than three quarters of the top 100,000 most visited websites (including the one you’re reading), while DoubleClick’s third-party cookies are widely used to track users across the web. When Google acquired DoubleClick in 2007 it assured regulators it would never combine DoubleClick’s cookies with its own. It abandoned that promise in 2016, attracting the (ongoing) attention of the European Commission.

So did Facebook, for similar reasons - a strategy that Facebook called “closing the loop”.

The nature of some data may also surprise. App developers receive your age and gender whenever an app is launched, the study found.

Overall, the study discovered that Apple retrieves much less data than Google.

“The total number of calls to Apple servers from an iOS device was much lower, just 19 per cent the number of calls to Google servers from an Android device.

Moreover, there are no ad-related calls to Apple servers, which may stem from the fact that Apple’s business model is not as dependent on advertising as Google’s. Although Apple does obtain some user location data from iOS devices, the volume of data collected is much (16x) lower than what Google collects from Android,” the study noted.

As we repeatedly point out, Apple makes its money from selling overpriced hardware, and has no need to track and personalise a virtual version of you, that advertisers can then access. Porn habits included.

We invited Google to comment on, and debunk the study if it so wished, but have not yet heard back at press time.

SOURCE

Posted by Elvis on 08/27/18 •
Section Privacy And Rights

Thursday, August 16, 2018

AC Phone Home

snooping on your pc

I got a new HONEYWELL THERMOSTAT for the air conditioner that has internet connectivity for remote access, and pulls a weather report.

Like everything IOT - it INSISTS ON A MIDDLEMAN (pretty much anyone after looking at their EULA) possibly peeking at the things connected to my network, and who knows WHAT ELSE:

The Internet has been around for around 20 years now, and its security is far from perfect. Hacker groups still ruthlessly take advantage of these flaws, despite spending billions on tech security. The IoT, on the other hand, is primitive. And so is its security.

Once everything we do, say, think, and eat, is tracked, the big data that’s available about each of us is immensely valuable. When companies know our lives inside and out, they can use that data to make us buy even more stuff. Once they control your data, they control you.

Why can’t I just VPN into the house and connect to it that way?

Because then they can’t SNOOP.

Their EULA SAYS:

We may use your Contact Information to market Honeywell and third-party products and services to you via various methods

We also use third parties to help with certain aspects of our operations, which may require disclosure of your Consumer Information to them.

Honeywell uses industry standard web ANALYTICS to track web visits, Google Analytics and Adobe Analytics.

GOOGLE and Adobe may also TRANSFER this INFORMATION to third parties where required to do so by law, or where such third parties process the information on Google’s or Adobe’s behalf.

You acknowledge and agree that Honeywell and its affiliates, service providers, suppliers, and dealers are permitted at any time and without prior notice to remotely push software

collection and use of certain information as described in this Privacy Statement, including the transfer of this information to the United States and/or other countries for storage

Wonderful.

I connected it to the LAN without asking it to get the weather - or signing up for anything at HONEYWELL’S SITE.

As fast as I can turn my head to peek at the firewall - it was chatting on the internet, and crapped out with some SSL error:

‘SSL_PROTO_REJECT: 48: 192.168.0.226:61492 -> 199.62.84.151:443’
‘SSL_PROTO_REJECT: 48: 192.168.0.226:65035 -> 199.62.84.152:443’
‘SSL_PROTO_REJECT: 48: 192.168.0.226:55666 -> 199.62.84.153:443’

Maybe the website has a problem:

# curl -sslv2 199.62.84.151:443
* About to connect() to 199.62.84.151 port 443 (#0)
* Trying 199.62.84.151… connected
* Connected to 199.62.84.151 (199.62.84.151) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 199.62.84.151:443
> Accept: */*
>
* Closing connection #0
* Failure when receiving data from the peer

# curl -sslv3 199.62.84.151:443
* About to connect() to 199.62.84.151 port 443 (#0)
* Trying 199.62.84.151… connected
* Connected to 199.62.84.151 (199.62.84.151) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 199.62.84.151:443
> Accept: */*
>
* Closing connection #0
* Failure when receiving data from the peer

# curl -tlsv1 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl -tlsv1.0 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl -tlsv1.1 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl -tlsv1.2 199.62.84.151:443
curl: (56) Failure when receiving data from the peer

# curl 199.62.84.151:80
curl: (56) Failure when receiving data from the peer

Then I pulled the plug.  Even if Honeywell’s website is broke - I still fear this thermostat will find a way to download software, and maybe START SPYING ON MY HOME NETWORK:

The US intelligence chief has acknowledged for the first time that agencies might use a new generation of smart household devices to increase their surveillance capabilities.

Maybe, someday I’ll firewall off HONEYWELL’S NETBLOCKS, connect it again, see where it goes.

For now - I’m too AFRAID:

When the cybersecurity industry warns about the nightmare of hackers causing blackouts, the scenario they describe typically entails an elite team of hackers breaking into the inner sanctum of a power utility to start flipping switches. But one group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters.

Posted by Elvis on 08/16/18 •
Section Privacy And Rights • Section Broadband Privacy
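
Added example (not part of the original post): in the curl session above, single-dash options such as `-sslv2` are read by curl as clustered short flags rather than the long options `--sslv2` or `--tlsv1.2`, and a URL with no `https://` scheme makes curl speak plaintext HTTP to port 443, which is why the `GET /` appears with no handshake lines before it. This Python example parses the firewall lines from the post and attempts a real handshake pinned to one TLS version per try; the function names are this example's own.

```python
import re
import socket
import ssl
from collections import defaultdict

# Firewall lines copied from the post above.
LOG = """\
‘SSL_PROTO_REJECT: 48: 192.168.0.226:61492 -> 199.62.84.151:443’
‘SSL_PROTO_REJECT: 48: 192.168.0.226:65035 -> 199.62.84.152:443’
‘SSL_PROTO_REJECT: 48: 192.168.0.226:55666 -> 199.62.84.153:443’
"""

LINE = re.compile(r"SSL_PROTO_REJECT: (\d+): ([\d.]+):(\d+) -> ([\d.]+):(\d+)")


def endpoints_by_device(log_text):
    """Map each LAN source IP to the sorted (dst_ip, dst_port) pairs it contacted."""
    seen = defaultdict(set)
    for m in LINE.finditer(log_text):
        _code, src, _sport, dst, dport = m.groups()
        seen[src].add((dst, int(dport)))
    return {src: sorted(dsts) for src, dsts in seen.items()}


def probe_tls(host, port, version, timeout=5.0):
    """Try one handshake pinned to a single TLS version; return the result as text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # probing by IP: only the protocol version matters here
    ctx.verify_mode = ssl.CERT_NONE  # no application data is sent over this connection
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return f"ok: {tls.version()} {tls.cipher()[0]}"
    except OSError as exc:           # ssl.SSLError, timeouts and refusals are all OSError
        return f"error: {type(exc).__name__}: {exc}"


if __name__ == "__main__":
    for device, dsts in endpoints_by_device(LOG).items():
        for host, port in dsts:
            for ver in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
                print(device, "->", f"{host}:{port}", ver.name, probe_tls(host, port, ver))
```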