Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Location data. Show all posts
Privacy violation
Employee Security Location data location data breach location tracking Microsoft Microsoft Teams Privacy Privacy violation

Microsoft Teams’ New Location-Based Status Sparks Major Privacy and Legal Concerns

 

Microsoft Teams is preparing to roll out a new feature that could significantly change how employee presence is tracked in the workplace. By the end of the year, the platform will be able to automatically detect when an employee connects to the company’s office Wi-Fi and update their status to show they are working on-site. This information will be visible to both colleagues and supervisors, raising immediate questions about privacy and legality. Although Microsoft states that the feature will be switched off by default, IT administrators can enable it at the organizational level to improve “transparency and collaboration.” 

The idea appears practical on the surface. Remote workers may want to know whether coworkers are physically present at the office to access documents or coordinate tasks that require on-site resources. However, the convenience quickly gives way to concerns about surveillance. Critics warn that this feature could easily be misused to monitor employee attendance or indirectly enforce return-to-office mandates—especially as Microsoft itself is requiring employees living within 50 miles of its offices to spend at least three days a week on-site starting next February. 

To better understand the implications, TECHBOOK consulted Professor Christian Solmecke, a specialist in media and IT law. He argues that the feature rests on uncertain legal footing under European privacy regulations. According to Solmecke, automatically updating an employee’s location constitutes the processing of personal data, which is allowed under the GDPR only when supported by a valid legal basis. In this case, two possibilities exist: explicit employee consent or a legitimate interest on the part of the employer. But as Solmecke explains, an employer’s interest in transparency rarely outweighs an employee’s right to privacy, especially when tracking is not strictly necessary for job performance. 

The expert compares the situation to covert video surveillance, which is only permitted when there is a concrete suspicion of wrongdoing. Location tracking, if used to verify whether workers are actually on-site, falls into a similar category. For routine operations, he stresses, such monitoring would likely be disproportionate. Solmecke adds that neither broad IT policies nor standard employment contracts provide sufficient grounds for processing this type of data. Consent must be truly voluntary, which is difficult to guarantee in an employer-employee relationship where workers may feel pressured to agree. 

He states that if companies wish to enable this automatic location sharing, a dedicated written agreement would be required—one that employees can decline without negative repercussions. Additionally, in workplaces with a works council, co-determination rules apply. Under Germany’s Works Constitution Act, systems capable of monitoring performance or behavior must be approved by the works council before being implemented. Without such approval or a corresponding works agreement, enabling the feature would violate privacy law. 

For employees, the upcoming rollout does not mean their on-site presence will immediately become visible. Microsoft cannot allow employers to activate such a feature without clear employee knowledge or consent. According to Solmecke, any attempt to automatically log and share employee location inside the company would be legally vulnerable and potentially challengeable. Workers retain the right to reject such data collection unless a lawful framework is in place. 

As companies continue navigating hybrid and remote work models, Microsoft’s new location-based status illustrates the growing tension between workplace efficiency and digital privacy. Whether organizations adopt this feature will likely depend on how well they balance those priorities—and whether they can do so within the boundaries of data protection law.
Read more »
Verizon
AT&T FCC Location data Privacy Verizon

Court Upholds $46.9 Million Penalty Against Verizon for Sharing Location Data

 



A U.S. federal appeals court has ruled that Verizon must pay a $46.9 million penalty for unlawfully selling customers’ real-time location information. The decision closes the door on Verizon’s argument that its practices were legal, reinforcing the Federal Communications Commission’s authority to regulate privacy in the wireless industry.


Why the Fine Was Issued


In April 2024, the Federal Communications Commission (FCC) announced nearly $200 million in fines against several major mobile carriers for giving outside companies access to sensitive location data. These firms then passed the information to other parties, including bail-bond services and bounty hunters. According to regulators, this exposed consumers to significant risks and demonstrated a failure by carriers to adopt basic safeguards, even after repeated warnings. Verizon’s share of the fines was $46.9 million, which it sought to challenge in court.


Verizon’s Legal Challenge

The company argued before the U.S. Court of Appeals for the Second Circuit that device-location records should not fall under the category of “customer proprietary network information” protected by Section 222 of the Communications Act. This provision requires carriers to keep certain customer data private. Verizon claimed that location details were not covered by this rule and that the FCC had exceeded its powers by penalizing them.

The judges disagreed. They ruled that location data is precisely the kind of personal information Congress intended to protect, and that the FCC acted well within its legal authority. The court also found no violation of Verizon’s constitutional rights, firmly upholding the fine.


Other Rulings in Similar Cases

This ruling is not an isolated one. Earlier, another appeals court upheld a $92 million fine against T-Mobile for comparable violations, rejecting the carrier’s claim that selling location data was lawful. However, in a separate case, AT&T succeeded in overturning a $57 million penalty after a different appeals court raised concerns over how the FCC imposed the fine. These mixed outcomes illustrate the unsettled but intensifying debate over corporate rights, regulatory authority, and consumer privacy.


Implications for Consumers and the Industry

Privacy advocates have welcomed the latest decision, arguing that it sends a clear message: carriers cannot profit from sharing location information without explicit user consent. Experts warn that without strict oversight, telecom companies could continue searching for loopholes to monetize sensitive customer data.

For the FCC, the ruling strengthens its hand in future enforcement actions, confirming that it can hold carriers accountable when they put consumers at risk. Verizon, however, has indicated that it may continue to fight the ruling, setting the stage for further legal battles.

The decision cements a broader shift toward tougher privacy protections in the United States. It is expected to shape industry practices, influence how telecom companies manage data, and push lawmakers to advance stronger nationwide privacy rules.



Read more »
User Privacy
App security Data Breach Gravy Analytics Location data User Privacy

Global Apps Exploited to Harvest Sensitive Location Data

 


Rogue actors within the advertising industry are reportedly exploiting major global apps to collect sensitive user location data on a massive scale. This data is then funneled to a location data firm whose subsidiary has previously sold global tracking information to U.S. law enforcement agencies. 
 
Hacked files from the location data company Gravy Analytics reveal that numerous popular apps are involved in this data collection. These apps span across categories, including games like Candy Crush, dating platforms such as Tinder, pregnancy tracking tools, and religious prayer apps available on both Android and iOS. Since this data gathering occurs through the advertising ecosystem rather than direct app development, users — and even app developers — are likely unaware of these invasive practices. 

How the Data Collection Works 
 
Zach Edwards, a senior threat analyst at cybersecurity firm Silent Push, analyzed the data and shared with 404 Media, “For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream,” rather than through embedded app code. This discovery offers rare insight into the shadowy world of real-time bidding (RTB). Historically, location data providers paid app developers to integrate tracking code that harvested user data. However, many companies now exploit the advertising ecosystem, where firms bid to place ads in apps. Data brokers can tap into this system, silently collecting users' mobile phone locations without consent. “This is a nightmare scenario for privacy,” Edwards added. “Not only does this data breach involve data scraped from RTB systems, but there’s a company out there acting recklessly, collecting and using every piece of data it encounters.” 

The compromised data from Gravy Analytics includes tens of millions of cellphone location points from users in the United States, Russia, and Europe. Some files also list specific apps associated with each data point. Upon reviewing the leaked files, 404 Media identified a wide range of popular apps implicated in this breach, including:
  • Dating Apps: Tinder, Grindr
  • Mobile Games: Candy Crush, Temple Run, Subway Surfers, Harry Potter: Puzzles & Spells
  • Transit App: Moovit
  • Health & Fitness: My Period Calendar & Tracker, MyFitnessPal
  • Social Media: Tumblr
  • Email Services: Yahoo Mail
  • Productivity Tools: Microsoft 365
  • Travel Apps: Flightradar24
  • Religious Apps: Muslim prayer apps, Christian Bible apps
  • Privacy Tools: Various VPN apps
Ironically, some users turned to VPN apps to protect their privacy, only to have their location data compromised. 

This breach highlights a dangerous loophole in the advertising ecosystem, where sensitive user data can be harvested without clear consent or awareness. The involvement of a company with a history of selling data to government agencies raises serious concerns about surveillance and misuse. As the digital world grows increasingly interconnected, this incident serves as a stark reminder of the urgent need for stronger data privacy regulations and more transparent data practices. 

Can Users Trust Their Apps Anymore? 
 
With popular and widely trusted apps implicated in this data collection scheme, users are left questioning whether their privacy is truly protected. Stronger privacy safeguards and greater accountability in digital advertising are now more critical than ever. 
Read more »
User Privacy
Data Leak Location data Mobile App Breach Mobile Security User Privacy

Millions of People's 'Intimate' Location Data Compromised in Apparent Hack

 

Major apps worldwide are potentially being exploited by rogue members within the advertising sector to collect sensitive location data extensively, which subsequently is transferred to a location data firm whose subsidiary has previously sold global location data to US law enforcement agencies. 

The thousands of apps discovered in hacked files from location data firm Gravy Analytics range from games like Candy Crush to dating apps like Tinder, pregnancy tracking, and religious prayer apps for both Android and iOS. Because much of the data collection occurs through the advertising ecosystem rather than code developed by app creators themselves, it is likely that users or even app developers are unaware of it. 

After examining some of the data, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and an avid follower of the location data space, tells 404 Media, "For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream," instead of code embedded in the apps themselves. 

The data offers a rare peek into the realm of real-time bidding. Historically, location data providers compensated app developers to incorporate bundles of code that collected their users' location data. Numerous companies have instead moved to the advertising ecosystem, where firms bid to place ads within apps, to obtain location information. However, data brokers can listen in on that procedure and gather the location of people's mobile phones.

"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards added. 

The hacked Gravy data includes tens of millions of mobile phone coordinates from devices in the United States, Russia, and Europe. Some of those files additionally list an app next to each piece of location data. 404 Media extracted the app names and created a list of mentioned apps. 

The list includes dating sites Tinder and Grindr; massive games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with over 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also includes a number of religious-focused apps, such as Muslim prayer and Christian Bible apps, as well as numerous pregnancy trackers and VPN apps, which some users may download, ironically, in order to safeguard their privacy.
Read more »
Technology
Cloud Cloud Data Google Google Cloud Location data Technology

User Tracking: Google to Store User Data for 180 Days

User Tracking: Google Announces to Store User Data for 180 Days

Google has made a major change in its user tracking, a big leap in privacy concerns for users. Google will stop the nosy cloud storage of data it gets from tracking user location in real time. 

The privacy change

Called Google Maps Timeline, from December, Google will save user location data for a maximum of 180 days. After the duration ends, the data will be erased from Google Cloud servers. 

The new policy means Google can only save a user’s movements and whereabouts for 6 months, the user has an option to store the data on a personal device, but the cloud data will be permanently deleted from Google servers.

The new privacy change is welcomed, smartphones can balance privacy and convenience in terms of data storage, but nothing is more important than location data

Users can change settings that suit them best, but the majority go with default settings. The problem here arises when Google uses user data for suggesting insights (based on anonymous location data), or improving Google services like ads products.

Why important 

The Google Maps Timeline feature addresses questions about data privacy and security. The good things include:

Better privacy: By restricting the storage timeline of location data on the cloud, Google can reduce data misuse. Limiting the storage duration means less historical data is exposed to threat actors if there's a breach.

More control to users: When users have the option to retain location data on their devices, it gives them ownership over their personal data. Users can choose whether to delete their location history or keep the data.

Accountability from Google: The move is a positive sign toward building transparency and trust, showing a commitment to user privacy. 

How will it impact users?

Services: Google features that use location history data for tailored suggestions might be impacted, and users may observe changes in correct location-based suggestions and targeted ads. 

The problem in data recovery: For users who like to store their data for a longer duration, the new move can be a problem. Users will have to self-back up data if they want to keep it for more than 180 days. 

Read more »
Security
Application Cyber Security Data Location data Messaging Apps Safety Security

Can Messaging Apps Locate You? Here's All You Need to Know

 

If you're worried about cybersecurity, you might question whether texting apps can follow you. Yes, but it's not as big of a deal as you believe. Understanding how location monitoring works on major messaging applications, as well as the risks associated with it, is critical. Many social media apps require location information in order to streamline the services they provide. Road directions, food delivery, and other features that require access to your location to serve you better are examples of these services. So messaging applications can easily and precisely follow you, and they collect this information from you in a variety of ways.

One of the most typical methods is to simply ask you to enable your location and grant the app permission to access it. The GPS technology allows the programme to access your latitude and longitude coordinates, pinpointing your location, after you grant it permission. For example, several free messaging programmes, including your standard SMS app, iMessage, and WhatsApp, provide a live-location function that allows you to share your current location if necessary.

Wi-Fi and Bluetooth signals from your phone can also provide location information. Apps that monitor the signal strength of adjacent Wi-Fi routers and Bluetooth devices can track your whereabouts. However, this technology is less dependable than GPS tracking and can only provide an estimated location.

Some photo-sharing social networking apps, such as Instagram and Snapchat, leverage location-based functionality on your device, such as geotagging photos or providing more accurate search results. Then there's Twitter, which uses algorithms to serve your feed items based on location.

Another culprit is your IP address. When a device connects to the internet, it is assigned a unique IP address. This address may expose your general location, such as your city or area. Location history (a record of where your phone, i.e. you, has been) can be stored on the servers of apps like Snapchat.

Most messaging apps provide thorough information about their privacy policies and how they track your location and keep your data. So, rather than skipping them without reading the material, you should go into them. If you are uncomfortable with their practices, you can restrict their access through your device settings. However, doing so may result in inconsistencies and inaccuracies with the app's location-based functionality. The most serious hazards linked with location tracking by messaging media apps are invasions of privacy and data breaches.

How to Prevent Messaging Apps from Tracking You

Using airplane mode is the best approach to prevent your location from being tracked. However, doing so would disable incoming calls as well as your data connection. Fortunately, there are less restrictive methods for preventing messaging apps from seeing your location data.

You can always disable your location. Most phones feature a button in the quick panel for this. However, if yours does not, you can do so using a Samsung Galaxy phone:
  • Go to your phone's Settings.
  • Head over to Apps.
  • Select the app you want to turn on/off privacy access.  
  • Tap on Permissions, and then Location.
  • Tap Deny, and WhatsApp won't have access to your location anymore.
VPNs, or Virtual Private Networks: They protect your privacy by routing your internet traffic through a remote server operated by the VPN operator. A VPN uses a variety of approaches to prevent tracking. First, it switches your IP address to that of the VPN server in another location, which is usually far away. Any programme that attempts to trace your location using your IP address will be unable to do so because it has been changed to that of the VPN server.

Premium VPNs also encrypt your data, disguising the data transmitted between your device and the VPN server. Any third party attempting to intercept it will find it illegible as a result. They frequently feature firewalls and ad blockers that they can employ to avoid any problems.

Utilize Private Browsers: Some web browsers include firewalls and ad blockers that restrict third-party cookies and delete your browsing history when you close the app. So, if you use these private browsers to access social media, you can be confident that your location is hidden from prying eyes.

One must also study the privacy policies of these apps and take steps to limit the location sharing to trusted contacts only.
Read more »
surveillance
DDOS Attack Location data location tracking Mobile Hacking Mobile Security Smartphone surveillance

The Russian Expert Listed the Main Signs of Smartphone Surveillance

 

Along with the unconditional benefits, the smart devices around us also carry a number of dangers. Thus, with the help of a smartphone, attackers can gain access to the personal data of its owner. According to Evgeny Kashkin, associate professor of the Department of Intelligent Information Security Systems at RTU MIREA, there are several signs that may indirectly indicate that your smartphone has become a spy. 

"An important point, in this case, is the requirement for applications to use a camera, microphone, as well as access to data (images and videos) on the phone during installation. Of course, you can disagree with this point during the installation, but most likely, then the application will not work at all or will work incorrectly," the expert explains. 

According to him, for a number of applications, these access rights are mandatory for work, but there are applications where "such rights for normal operation are simply absurd." For example, a home internet account status application. 

Another important factor, in his opinion, is the use of geolocation in applications. At the same time, it`s not only about GPS, but also the use of cellular data, as well as connections to various web resources. Such an approach, on the one hand, can greatly facilitate the search for the right companies within walking distance in a number of search engines, but, on the other hand, the cell phone conducts a "total" tracking of your movements. The key question, in this case, is how the data will be used by those who collect it. 

A number of companies have gone even further in this context. They started tracking the email messages of the users. Thus, with the banal purchase of an electronic plane ticket, the system will notify you in advance of the departure date, and on the day of departure, it will build you a route to the airport, taking into account traffic jams. 

He also advises paying attention to the sudden and uneven loss of battery power. This may indicate that a malicious program is running in the background that can use the phone to carry out a DDOS attack. 

Another alarming symptom is the sudden freezing of the phone or even turning it off for no objective reason. And finally, the occurrence of noises and extraneous sounds during a conversation may also indicate that your phone is being monitored. 

Read more »
Profiles for sale
Bank Data Darknet Data Breach Data Leakage DLBI Location data location tracking Personal Data Personal Data Breach Profiles for sale

The DLBI Expert Called the Cost of Information about the Location of any Person

Ashot Oganesyan, the founder of the DLBI data leak intelligence and monitoring service, said that the exact location of any Russian on the black market can be found for about 130 dollars. 

According to him, this service in the illegal market is called a one-time determination of the subscriber's location. Identification of all phones of the client linked to the card/account using passport data costs from 15 thousand rubles ($200). 

"The details of the subscriber's calls and SMS for a month cost from 5 thousand ($66) to 30 thousand rubles ($400), depending on the operator. Receiving subscriber data by his mobile phone number cost from 1 thousand rubles ($13)", he added. 

Mr. Oganesyan said that fixing movement on planes, trains, buses, ferries, costs from 1.5 thousand ($20) to 3 thousand rubles ($40) per record. Data on all issued domestic and foreign passports will cost from 900 ($12) to 1.5 thousand rubles ($20) per request. Information about crossing the Russian border anywhere and on any transport costs from 3 thousand rubles ($40) per request, Ashot Oganesyan clarified, relying on the latest data on leaks. 

According to him, both law enforcement agencies and security services of companies are struggling with leaks, but only banks have managed to achieve some success. The staff of mobile network operators, selling data of calls and SMS of subscribers, are almost weekly convicted, however, the number of those wishing to earn money is not decreasing. 

The expert noted that under the pressure of the Central Bank of Russia and the constant public scandals, banks began to implement DLP systems not on paper, but in practice, and now it has become almost impossible to download a large amount of data unnoticed. As a result, today it is extremely rare to find a database with information about clients of private banks for sale. 

However, another problem of leakage from the marketing systems of financial organizations has emerged. The outsourcing of the customer acquisition process and the growth of marketplaces have led to information being stored and processed with a minimal level of protection and, naturally, leaking and getting into sales.
Read more »
The Federal Court
ACCC Australia Google Location data Mobile Security The Federal Court

Customers Deceived by Google for Collection of User Location Data

 

The Federal Court of Australia observed that somewhere between January 2017 and December 2018, Google LLC and Google Australia Pty Ltd (together, Google) deceived customers in a world-first compliance action by ACCC on personal location information gathered from Android mobile devices. 

As a result of the 2019 legal proceedings against Google, the Australian Competition and Consumer Commission (ACCC) has stated that the rulings represent an "important victory for consumers" over protecting online privacy. Google deceived Android users to believe that the tech giant will only collect personal information, the ACCC said. 

“This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers,” ACCC Chair Rod Sims said. “Today’s decision is an important step to make sure digital platforms are upfront with consumers about what is happening with their data and what they can do to protect it.” 

The Court ruled that in the initial installation Google misrepresented the setting of 'Location History' as the only Google Account setting which impacted whether Google obtained, maintained, or used personally identifiable information on the location of a device once consumers had created a new Google Account. In reality, Google was also able to capture, store and use personal location data during activation through a different Google Account setting entitled 'Web & App Activity.' Though this setting was set by default.

Also between 9 March 2017 and 29 November 2018, customers were deceived by the fact that Google didn't bother to tell them that perhaps the configuration was related to the collection of personal location data after they had accessed the 'Web & App Activity settings on their Android system. The Court held that the actions of Google could trick the audience. 

“We are extremely pleased with the outcome in this world-first case. Between January 2017 and December 2018, consumers were led to believe that ‘Location History’ was the only account setting that affected the collection of their location data, when that was simply not true,” Mr. Sims said. He also added, “Companies that collect information must explain their settings clearly and transparently, so consumers are not misled. Consumers should not be kept in the dark when it comes to the collection of their location data.” 

The Court rejected the claims of the ACCC concerning certain declarations by Google on how users could prevent Google from obtaining and then using the location information and the purposes for which Google uses its personal location information. Though the ACCC seeks declarations, fines, instructions for publishing, and conformity orders.
Read more »
Vulnerabilities and Exploits
Android and iOS user's Location data Shazam App Vulnerabilities and Exploits

Location Data of More Than 100 Million Users Got Compromised

 

Shazam, a popular music app was a doorway to the user’s precise location. Threat actors took advantage of the Shazam app susceptibilities to discover the victim’s specific location. Ashley King, a British IT security researcher uncovered the vulnerabilities in the Shazam app which could expose the locations of android and iOS users.

The vulnerability in the Shazam app was termed CVE-2019-8791 and CVE-2019-8792, more than 100 million users were affected at the time. Threat actors used a single malicious URL to acquire access to the victim’s precise location. This URL led the victim to the Shazam app, Shazam then opens a WebView and executes the malware which results in sending the victim’s location data back to the threat actor.

Ashley King reported the vulnerabilities in December 2018 three months after apple acquired the Shazam app. The flaw in Shazam app was finally patched on March 26, 2019, both on iOS and android but the specifics of it were only revealed last week. 

Ashley explained via a blog post that “Shazam uses deep links throughout the app as part of its navigation. I found that a particular exported deep link (which was responsible for loading a website inside a web view) was not validating its parameter, allowing external resources to be in control. This web view included a few java scripts interfaces that allowed content to communicate with the Android & iOS API’s making it possible to pull back device-specific information and the last known precise location of the user”.

Apple and Google Play Security Rewards Program did not deem ‘location data’ as big enough of a security threat even though the vulnerability was patched – most firms do not see user’s location data as a privacy issue, Ashley concluded.
Read more »
User Security
Google Google Maps Location data Mobile Security User Data User Privacy User Security

Google about to Roll Out One of the Most Awaited Features



In 2018, Google broke headlines for tracking its users location even after they disabled the sharing of location history via their privacy settings.

There were complaints against the company, stating, "Google represented that a user ‘can turn off Location History at any time. With Location History off, the places you go are no longer stored.’ This simply was not true."

In the wake of receiving intense criticism over location history, Google came up with necessary adjustments which now allow users to stop the tech giant from tracking them, except for the applications in which location data is of utmost importance such as Waze and Google Maps.

In an attempt to make Google Maps even more secure and trustworthy, the company added enhanced security features related to location privacy in Android 10; to further better the services and regain the lost user trust, Google is planning to add Incognito Mode to Google Maps and the feature is said to be in testing.

Users can always put restrictions on the location data collected by Google Maps by signing out of their Google account, but it will come at the cost of their convenience, therefore, Google is planning to introduce Incognito Mode which can be turned on by the users in the same way they do it for Youtube or Google Chrome to delink the search or navigation data from their main Google account.

In order to activate Incognito Mode, users can simply choose the option from their Google account avatar and they will be informed about the app being in incognito mode by a black status bar and the marker indicating the location will turn into dark from blue to mark the change.

To enable the feature, users are recommended to install Preview Maps version 10.26 or higher and for those who are not a part of Preview Maps test group, wait until the company releases it on a wider scale.


Read more »
Subscribe to: Comments (Atom)