Selling Your Data Without Consent: AT&T Won, Verizon Lost. Is Your Privacy Just a Legal Coin Toss?

Security is everyone’s problem, sure, but it’s important to remember that entities that collect, store, process, and sell data have a greater responsibility to secure it than you or I. So when a US senator accuses Microsoft of “gross cybersecurity negligence” and calls for an FTC investigation into the company, or the parent company of luxury brands like Gucci and Balenciaga gets hacked, it’s worth paying attention to. 

Yes, we should all do things like use a password manager and learn to avoid phishing attacks. Those skills serve us well in the workplace as well as at home. That way, when we’re at work, we don’t fall victim to the type of phishing attack that resulted in the massive ransomware hack that landed Microsoft in hot water in the first place. Even so, companies can only delegate their responsibilities for data security to their employees so much. 

For example, as generative AI tools become more powerful, we’ll see more complicated attacks that end users won’t easily be able to identify. This week, we reported that Kimsuky, a North Korean hacking group, has been using ChatGPT’s image generation tools to build very convincing phishing attacks. 

There are still plenty of people trying to help, though. For example, when attorneys representing victims in a 2019 accident (where a driver using Tesla’s “Enhanced Autopilot” crashed into a parked car, killing one occupant and severely injuring another) asked Tesla for crash data, the company claimed it didn’t exist. Well, one hacker believed otherwise, and so did the lawyers working on the case. Together, they uncovered the data and presented it at trial, resulting in over $242 million in damages (which Tesla is, of course, appealing). We spoke to the hacker about how he got involved and how he got the data.

In the same vein, security company Proton, makers of Proton VPN and Proton Pass, reaffirmed its commitment to reporters and security researchers this week after reinstating the accounts of two journalists who were looking into security issues with the South Korean government. It’s problematic that the firm shut down the accounts in the first place, but the fact that, after looking into it (and being called out for it on social media), the company reversed course is a bright spot. 

Besides, after Michigan Republicans introduced a very graphic bill to completely ban adult content on the internet and VPNs (and make it a felony to use the latter or view the former), we can appreciate any organization with a commitment to internet privacy. After all, the risks and consequences of living in a surveillance state aren’t theoretical: they’re very real, and can transform a society, as PCMag contributor Rob Pegoraro’s dispatch from Berlin’s Stasi Museum reveals. The parallels between East Germany’s regime and today’s high-tech surveillance are clear, he notes. 

There’s more, though, and these are just the stories we covered. Here are some smart stories from around the web that caught our attention and are worth paying attention to:





ChatGPT’s Calendar Integration Can Be Exploited to Steal Emails

Remember back in August when we reported that a rogue calendar invitation could turn Google Gemini against you and leak your data? Well, the beat goes on, this time with ChatGPT. According to SecurityWeek, an attacker could use a malicious calendar appointment to scan a user’s inbox for sensitive information and then send that information back to the attacker. Even worse, you don’t even have to accept the calendar appointment or really interact with it in order for it to work: all it has to do is be in your inbox, and all you have to do is use ChatGPT’s calendar integration to review your upcoming appointments on a given day. 

Unfortunately, the researchers point out that these kinds of attacks aren’t limited to ChatGPT and are becoming more common as more people connect AI chatbots, which aren’t designed with security in mind, to sensitive systems like their email inboxes, corporate accounts, cloud storage services, and more. The researchers also explained how similar attacks are easy with chatbots like Gemini, Salesforce Einstein, Microsoft’s Copilot, and others. Even worse, most AI companies are aware that these attacks are possible. Whether they plan to do anything about them, or they even consider the attacks their own problem, is another matter entirely.


Last year, the FCC fined the major wireless carriers almost $200 million for collecting and selling users’ location data without the explicit consent of their users. In response, the three carriers sued the FCC to try and get the fines overturned. Courts upheld the verdict against T-Mobile, overturned the verdict against AT&T (in an appeals court well known to be business-friendly), and now have upheld the verdict against Verizon, according to reporting by Ars Technica.


The root issue was that back in 2018, all three major carriers were caught selling location data to a network of buyers who used the data for hyper-local targeted advertising. It wouldn’t have been an issue (legally, anyway) if the carriers had informed the users that their data was being collected and sold for this purpose, but none of them gave their customers a heads-up that this was happening, or offered them an opportunity to opt out. 

In court, the carriers tried to make the argument that your device location doesn’t count as “proprietary network information” that exists as part of the relationship between a customer and a carrier, which is covered by Section 222 of the Communications Act, and that the law only applies to call-specific data instead. The appeals courts disagreed, but because AT&T won its petition, the Supreme Court may have to wade into the issue, which runs the risk of diminishing the FCC’s ability to fine or punish companies for violating your privacy.


Airlines Sell 5 Billion Plane Ticket Records to the Government for Warrantless Searching

Before you come away from the last story with the idea that the government is taking the privacy rights of its citizens seriously, keep in mind that some agencies have different priorities. As part of a public records investigation by 404 Media, the outlet learned that airlines had a very lucrative program selling airline ticket records and itineraries to the government as part of a warrantless surveillance program. In short, if you’ve flown anywhere at all recently, your ticket data may have been sold to (or at least is available to purchase by) government agencies like the FBI, ICE, the IRS, the Secret Service, and others. 

This is all possible because of a legal loophole that allows data brokers to sell information they’ve obtained to the government, but forbids airlines from doing it directly. So the airlines set up their own collectively-owned data broker that gets updated ticket sales and travel information every day to feed the database that the broker then sells access to. By creating a middleman, the airlines avoid accountability, and the government doesn’t have to obtain a warrant or prove that they need a person’s travel data for a justifiable reason; instead, they can just buy it. Even more damning, the broker has previously asked the government not to tell the public where they get the data from. According to 404 Media, there is a bipartisan bill in Congress to close this loophole, but it’s stalled in the Senate. 


This article was published by WTVG on 2025-09-19 11:26:00