Unsealed docs in Facebook privacy suit offer glimpse of missing app audit

It’s not the crime, it’s the cover up… The scandal-hit company formerly known as Facebook has fought for over four years to keep a lid on the gory details of a third party app audit that its founder and CEO Mark Zuckerberg personally pledged would be carried out, back in 2018, as he sought to buy time to purge the spreading reputational stain after revelations about data misuse went viral at the peak of the Cambridge Analytica privacy crisis.

But some details are emerging nonetheless — extracted like blood from a stone via a tortuous, multi-year process of litigation-triggered legal discovery.

A couple of documents filed by plaintiffs in privacy user profiling litigation in California, which were unsealed yesterday, offer details on a handful of apps Facebook audited and internal reports on what it found.

The revelations provide a glimpse into the privacy-free zone Facebook was presiding over when a “sketchy” data company helped itself to millions of users’ data, the vast majority of whom did not know their info had been harvested for voter-targeting experiments.

Two well-known companies identified in the documents as having had apps audited by Facebook as part of its third party sweep — which is referred to in the documents as ADI, aka “App Developer Investigation” — are Zynga (a games maker); and Yahoo (a media and tech firm which is also the parent entity of TechCrunch).

Both firms produced apps for Facebook’s platform which, per the filings, appeared to have extensive access to users’ friends’ data, suggesting they would have been able to acquire data on far more Facebook users than had downloaded the apps themselves — including some potentially sensitive information.

Scraping Facebook friends data — via a ‘friends permissions’ data access route that Facebook’s developer platform provided — was also of course the route through which the disgraced data company Cambridge Analytica acquired information on tens of millions of Facebook users without the vast majority knowing or consenting vs the hundreds of thousands who downloaded the personality quiz app which was used as the route of entry into Facebook’s people farm.

“One ADI document reveals that the top 500 apps developed by Zynga — which had developed at least 44,000 apps on Facebook — could have accessed the ‘photos, videos, about me, activities, education history, events, groups, interests, likes, notes, relationship details, religion/politics, status, work history, and all content from user-administered groups’ for the friends of 200 million users,” the plaintiffs write. “A separate ADI memorandum discloses that ‘Zynga shares social network ID and other personal information with third parties, including advertisers’.”

“An ADI memo concerning Yahoo, impacting up to 123 million users and specifically noting its whitelisted status, revealed that Yahoo was acquiring information ‘deem[ed] sensitive due to the potential for providing insights into preferences and behavior’,” they write in another filing. “It was also ‘possible that the [Yahoo] App accessed more sensitive user or friends’ data than can be detected.'”

Other examples cited in the documents include a number of apps created by developer called AppBank, which made quiz apps, virtual-gifting apps, and social gaming apps — and which Facebook’s audit found to have access to permissions (including friends permissions) that it said “likely” fall outside the use case of the app and/or with there being “no apparent use case” for the app to have such permissions.

Another app called Sync.Me, which operated from before 2010 until at least 2018, was reported to have had access to more than 9M users’ friends’ locations, photos, websites, and work histories; and more than 8M users’ read_stream information (meaning they could access the users’ entire newsfeed regardless of privacy settings applied to to different newsfeed entries) per the audit — also with such permissions reported to be out of scope for the use case of the app.

While an app called Social Video Downloader, which was on Facebook’s platform from around 2011 through at least 2018, was reported to be able to access more than 8M users’ “friends’ likes, photos, videos, and profile information” — data collection which Facebook’s internal investigation suggested “may speak to an ulterior motive by the developer”. The company also concluded the app likely “committed serious violations of privacy” — further observing that “the potential affected population and the amount of sensitive data at risk are both very high”.

Apps made by a developer called Microstrategy were also found to have collected “vast quantities of highly sensitive user and friends permissions”.

As the plaintiffs argue for sanctions to be imposed on Facebook, they attempt to calculate a theoretical maximum for the number of people whose data could have been exposed by just four of the aforementioned apps via the friends permission route — using 322 friends per user as a measure for their exercise and ending up with a figure of 74 billion people (i.e. many multiples greater than the human population of the entire planet) — an exercise they say is intended “simply to show that that number is huge”.

“And because it is huge, it is highly likely that most everyone who used Facebook at the same time as just these few apps had their information exposed without a use case,” they go on to argue — further noting that the ADI “came to similar conclusions about hundreds of other apps and developers”.

Let that sink in.

(The plaintiffs also note they still can’t be sure whether Facebook has provided all the information they’ve asked for re: the app audit — with their filing attacking the company’s statements on this as “consistently proven false”, and further noting “it remains unclear whether Facebook has yet complied with the orders”. So a full picture still does not appear to have surfaced.)

App audit? What app audit?

The full findings of Facebook’s internal app audit have never been made public by the tech giant — which rebooted its corporate identity as Meta last year in a bid to pivot beyond years of accumulated brand toxicity.

In the early days of its crisis PR response to the unfolding data horrors, Facebook claimed to have suspended around 200 apps pending further probes. But after that early bit of news, voluntary updates on Zuckerberg’s March 2018 pledge to audit “all” third party apps with access to “large amounts of user info” before a change to permissions on its platform in 2014 — and a parallel commitment to “conduct a full audit of any app with suspicious activity — dried up.

Facebook comms simply went dark on the audit — ignoring journalist questions about how the process was going and when it would be publishing results.

While there was high level interest from lawmakers when the scandal broke, Zuckerberg only had to field relatively basic questions — leaning heavily on his pledge of a fulsome audit and telling an April 2018 hearing of the House Energy and Commerce Committee that the company was auditing “tens of thousands” of apps, for example, which sure made the audit sound like a big deal.

The announcement of the app audit helped Facebook sidestep discussion and closer scrutiny of what kind of data flows it was looking at and why it had allowed all this sensitive access to people’s information to be going on under its nose for years while simultaneously telling users their privacy was safe on its platform, ‘locked down’ by a policy claim that stated (wrongly) that their data could not be accessed without their permission.

The tech giant even secured the silence of the UK’s data protection watchdog — which, via its investigation of Cambridge Analytica’s UK base, hit Facebook with a £500k sanction in October 2018 for breaching local data protection laws — but after appealing the penalty and, as part of a 2019 settlement in which it agreed to pay up but did not admit liability, Facebook got the Information Commission’s Office to sign a gag order which the sitting commissioner told parliamentarians, in 2021, prevented it from responding to questions about the app audit in a public committee hearing.

So Facebook has succeeded in keeping democratic scrutiny of its app audit closed down

Also in 2019, the tech giant paid the FTC $5BN to buy its leadership team what one dissenting commissioner referred to as “blanket immunity” for their role in Cambridge Analytics.

While, only last month, it moved to settle the California privacy litigation which has unearthed these ADI revelations (how much it’s paying to settle isn’t clear).

After years of the suit being bogged down by Facebook’s “foot-dragging” over discovery, as the plaintiffs tell it, Zuckerberg, and former COO Sheryl Sandberg, were finally due to give 11 hours of testimony this month — following a deposition. But then the settlement intervened.

So Facebook’s determination to shield senior execs from probing questions linked to Cambridge Analytica remains undimmed.

The tech giant’s May 2018 newsroom update about the app audit — which appears to contain the sole official ‘progress’ report in four+ years — has just one piece of “related news” in a widget at the bottom of the post. This links to an unrelated report in which Meta attempts to justify shutting down independent research into political ads and misinformation on its platform which was being undertaken by academics at New York University last year — claiming it’s acting out of concern for user privacy.

It’s a brazen attempt by Meta to repurpose and extend the blame-shifting tactics it’s successfully deployed around the Cambridge Analytica scandal — by claiming the data misuse was the fault of a single ‘rogue actor’ breaching its platform policies — hence it’s trying to reposition itself as a user privacy champion (lol!) and weaponizing that self-appointed guardianship as an excuse to banish independent scrutiny of its ads platform by closing down academic research. How convenient!

That specific self-serving, anti-transparency move against NYU earned Meta a(nother) rebuke from lawmakers.

More rebukes may be coming. And — potentially more privacy sanctions, as the unsealed documents provide some other eyebrow-raising details that should be of interest to privacy regulators in Europe and the US.

Questions about data retention and access

Notably, the unsealed documents offer some details related to how Facebook stores user data — or rather pools it into a giant data lake — which raises questions about how or even whether it is able to correctly map and apply controls once people’s information is ingested so that it can, for example, properly reflect individuals’ privacy choices (as may be legally required under laws like the EU’s GDPR or California’s CCPA). 

We’ve had a glimpse of these revelations before — via a leaked internal document obtained by Motherboard/Vice earlier this year. But the unsealed documents offer a slightly different view as it appears that Facebook, via the multi-year legal discovery wrangling linked to this privacy suit, was actually able to fish some data linked to named individuals out of its vast storage lake.

The internal data warehousing infrastructure is referred to in the documents as “Hive” — an infrastructure which is said “maintains and facilitates the querying of data about users, apps, advertisers, and near-countless other types of information, in tables and partitions”.

The backstory here is the plaintiffs sought data on named individuals stored in Hive during discovery. But they write that Facebook spent years claiming there was no way for it “to run a centralized search for” data that could be associated with individuals (aka Named Plaintiffs) “across millions of data sets” — additionally claiming at one point that “compiling the remaining information would take more than one year of work and would require coordination across dozens of Facebook teams and hundreds of Facebook employees” — and generally arguing that information Facebook provided by the user-accessible ‘Download Your Information’ tool was the only data the company could provide vis-a-vis individual users (or, in this case, in response to discovery requests for information on Named Plaintiffs).

Yet the plaintiffs subsequently learned — via a deposition in June — that Facebook had data from 137 Hive tables preserved under a litigation hold for the case, at least some of which contained Named Plaintiffs data. Additionally they discovered that 66 of the 137 tables that had been preserved contained what Facebook referred to as “user identifiers”.

So the implication here is that Facebook failed to provide information it should have provided in response to a legal discovery request for data on Named Plaintiffs.

Plus of course other implications flow from that… about all the data Facebook is holding (on to) vs what it may legally be able to hold.

“For two years before that deposition, Facebook stonewalled all efforts to discuss the existence of Named Plaintiffs’ data beyond the information disclosed in the Download Your Information (DYI) tool, insisting that to even search for Named Plaintiffs’ data would be impossibly burdensome,” the plaintiffs write, citing a number of examples where the company claimed it would require unreasonably large feats of engineering to identify all the information they sought — and going on to note that it was not until they were able to take “the long-delayed sworn testimony of a corporate designee that the truth came out” (i.e. that Facebook had identified Hive data linked to the Named Plaintiffs but had just kept it quiet for as long as possible).

“Whether Facebook will be required to produce the data it preserved from 137 Hive tables is presently being discussed,” they further observe. “Over the last two days, the parties each identified 250 Hive tables to be searched for data that can be associated with the Named Plaintiffs. The issue of what specific data from those (or other) tables will be produced remains unresolved.”

They also write that “even now, Facebook has not explained how it identified these tables in particular and its designee was unable to testify on the issue” — so the question of how exactly Facebook retrieved this data, and the extent of its ability to retrieve user-specific data from its Hive lake more generally, is not clear.

A footnote in the filing expands on Facebook’s argument against provided Hive data to the plaintiffs — saying the company “consistently took the position that Hive did not contain any relevant material because third parties are not given access to it”.

Yet the same note records that Facebook’s corporate deponent recently (and repeatedly) testified “that Hive contain logs that show every ad a user has seen” — data which the plaintiffs confirm Facebook has still not produced.

Every ad a user has seen sure sounds like user-linked data. It would also certainly be, at least under EU law, classed as personal data. So if Facebook is holding such data on European users it would need a legal basis for the processing and would also need to be able to provide data if users ask to review it, or request it deleted (and so on, under GDPR data access rights).

But it’s not clear whether Facebook has ever provided users with such access to everything about them that washes up in its lake.

Given how hard Facebook fought to deny legal discovery on the Hive data-set for this ligation it suggests it’s unlikely to have made any such disclosures to user data access requests elsewhere.

Gaps in the narrative

There’s more too! An internal Facebook tool — called “Switchboard” — is also referenced in the documents.

This is said to be able to take snapshots of information which, the plaintiffs also eventually discovered, contained Named Plaintiffs’ data that was not contained in data surfaced via the (basic) DYI tool.

Plus, per Facebook’s designee’s deposition testimony, Facebook “regularly produces Switchboard snapshots, not DYI files, in response to law enforcement subpoenas for information about specific Facebook users”.

So, er, the gap between what Facebook tells users it knows about them (via DYI) and the much vaster volumes of profiling data it acquires and stores in Hive — which can, at least some of the time per these filings, be linked to individuals (and some of which Facebook may provide in response to law enforcement requests on users) — keeps getting bigger.

Facebook’s DYI tool, meanwhile, has long been criticized as providing only a trivial slice of the data it processes on and about users — with the company electing to evade wider data access requirements by applying an overly narrow definition of user data (i.e. as stuff users themselves actively uploaded). And those making so-called Subject Access Requests (SARs), under EU data law, have — for years — found Facebook frustrating expectations as the data they get back is far more limited than what they’ve been asking for. (Yet EU law is clear that personal data is a broad church concept that absolutely includes inferences.) 

If Hive contains every ad a user has seen, why not every link they ever clicked on? Every profile they’ve ever searched for? Every IP they’ve logged on from? Every third party website containing they’ve ever visited that contains a Facebook pixel or cookie or social plug, and so on, and on… (At this point it also pays to recall the data minimization principle baked into EU law — a fundamental principle of the GDPR that states you should only collect and process personal that is “necessary” for the purpose it’s being processed for. And ‘every ad you’ve ever viewed’ sure sounds like a textbook definition of unnecessary data collection to this reporter.)

The unsealed documents in the California lawsuit relate to motions seeking sanctions against Meta’s conduct — including towards legal discovery itself, as the plaintiffs accuse the company of making numerous misrepresentations, reckless or knowing, in order to delay/thwart full discovery related to the app audit — arguing its actions amount to “bad-faith litigation conduct”.

They also press for Facebook to be found to have breached a contractual clause in the Data Use Policy it presented to users between 2011 and 2015 — which stated that: “If an application asks permission from someone else to access your information, the application will be allowed to use that information only in connection with the person that gave the permission and no one else” — arguing they have established a presumption that Facebook breached that contractual provision “as to all Facebook users”.

“This sanction is justified by what ADI-related documents demonstrate,” the plaintiffs argue in one of the filings. “Facebook did not limit applications’ use of friend data accessed through the users of the apps. Instead, Facebook permitted apps to access friend information without any ‘use case’ — i.e., without a realistic use of ‘that information only in connection with’ the app user.”

“In some cases, the app developers were suspected of selling user information collected via friend permissions, which obviously is not a use of data ‘only in connection with the person that gave the permission and no one else’,” they go on. “Moreover, the documents demonstrate that the violations of the contractual term were so pervasive that it is near certain they affected every single Facebook user.”

This is important because, as mentioned before, a core plank of Facebook’s defence against the Cambridge Analytica scandal when it broke was to claim it was the work of a rogue actor — a lone developer on its platform who had, unbeknownst to the company, violated policies it claimed protected people’s data and safeguarded their privacy.

Yet the glimpse into the results of Facebook’s app audit suggests many more apps were similarly helping themselves to user data via the friends permissions route Facebook provided — and, in at least some of these cases, these were whitelisted apps which the company itself must have approved so those at least were data flows Facebook should absolutely have been fully aware of.

The man Facebook sought to paint as the rogue actor on its platform — professor Aleksandr Kogan, who signed a contract with Cambridge Analytica to extract Facebook user data on its behalf by leveraging his existing developer account on its platform — essentially pointed all this out in 2018, when he accused Facebook of not having valid developer policy because it simply did not apply the policy it claimed to have. (Or: “The reality is Facebook’s policy is unlikely to be their policy,” as he put it to a UK parliamentary committee at the time.)

Facebook’s own app audit appears to have reached much the same conclusion — judging by the glimpse we can spy in these unsealed documents. Is it any wonder we haven’t seen a full report from Facebook itself?

The reference to “some cases” where app developers were suspected of selling user information collected via friend permissions is another highly awkward reveal for Facebook — which has been known to roll out a boilerplate line that it ‘never sells user information’ — spreading a little distractingly reassuring gloss to imply its business has strong privacy hygiene.

Of course it’s pure deflection — since Meta monetizes its products by selling access to its users’ attention via its ad targeting tools it can claim disinterest in selling their data — but the revelation in these documents that some of the app developers that Facebook had allowed on its platform back in the day might have been doing exactly that (selling user data), after they’d made use of Facebook’s developer tools and data access permissions to extract intel on millions (or even billions) of Facebook users, cuts very close to the bone.

It suggests senior leadership at Facebook was — at best — just a few steps removed from actual trading of Facebook user data, having encouraged a data free-for-all that was made possible exactly because the platform they built to be systematically hostile to user privacy internally was also structured as a vast data takeout opportunity for the thousands of outside developers Zuckerberg invited in soon after he’d pronounced privacy over — as he rolled up his sleeves for growth.

The same CEO is still at the helm of Meta — inside a rebranded corporate mask which was prefigured, in 2019, by a roadmap swerve that saw him claim to be ‘pivoting to privacy‘. But if Facebook already went so all in on opening access to user data, as the plaintiffs’ suit contends, where else was left for Zuckerberg to truck to to prepare his next trick?

Unsealed docs in Facebook privacy suit offer glimpse of missing app audit by Natasha Lomas originally published on TechCrunch

FTC sues data broker Kochava for sale of people’s sensitive location data, including visits to reproductive health clinics

The U.S. Federal Trade Commission (FTC) on Monday announced it has filed a lawsuit against data broker Kochava Inc. for selling geolocation data from “hundreds of millions of mobile devices,” it says, which could be used to trace the movements of individuals including those to and from sensitive locations. Specifically, the FTC said the data could reveal people’s visits to places like reproductive health clinics, domestic violence or homeless shelters, addiction recovery centers and places of worship.

This personal and private information could expose people to “threats of stigma, stalking, discrimination, job loss, and even physical violence,” the FTC explained in a press release.

The suit aims to halt Kochava’s data collection practices involving sensitive geolocation data and will request that the company delete the data it has already collected.

Its arrival additionally signals the FTC is cracking down on mobile data brokers whose businesses rely on collecting and reselling data from consumers’ smartphones — a longtime industry practice that has numerous privacy implications, but is one often unknown to the end users who are impacted. The move also follows a significant rethinking of tracking by Apple, which updated its mobile operating system to allow consumers to opt out of some data collection practices on a per-app basis.

More recently, the U.S. House Oversight Committee began investigating how the business practices of period-tracking apps and data brokers could potentially weaponize consumers’ private health data in the post-Roe v. Wade era, TechCrunch reported.

Idaho-based Kochava is not a household name but has a sizable footprint in the data collection industry. The company is a location data broker that provides precise geolocation data from consumers’ smartphones and also purchases data from other brokers to resell to clients. These data feeds are often used by clients who want to analyze things like foot traffic at local stores or other locations. This data itself is highly precise — it includes things like timestamped latitude and longitude coordinates showing the exact location of mobile devices which is additionally associated with a unique identifier, like a device ID as well as other information, like an IP address, device type, and more.

This device ID, or Mobile Advertising ID, is a unique identifier that’s assigned to a consumer’s mobile device to assist marketers who want to advertise to the end user. Though consumers can reset this ID at any time, they would have to know to do so as well as understand where in their device’s settings this option is available.

According to Kochava’s own description of its product, cited by the FTC’s complaints, the company offers clients “raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.” It sells its data feeds on a subscription basis on publicly accessible sites, including on the AWS Marketplace up until June 2022. To access the feed, a purchaser would need a free AWS account and $25,000 for the Kochava location data feed subscription. A data sample containing over 327 million rows and 11 columns of data related to 61.8+ million unique mobile devices was also available.

This data is not anonymized, the FTC says, and can be used to identify the mobile device’s user or owner. This is possible because other data brokers specifically sell services that work to match these Mobile Advertising IDs with offline information, like consumers’ names and physical addresses.

In addition to being able to track consumers visiting sensitive locations, the FTC noted the data could be used to make inferences about a consumer’s LGBTQ+ identification or visits to other medical facilities beyond those that provide reproductive care. It could be used to tie that activity to someone’s home address, too. And, in light of the reversal of Roe v. Wade, the FTC points out that this data could be used to not only identify people visiting reproductive health clinics but also the medical professionals who perform, or assist in the performance, of abortion services.


The FTC aims to prosecute based on numerous violations of the FTC Act, including those involving the unfair sale of sensitive data and consumer injury. It’s seeking a permanent injunction to prevent future violations and any additional relief as determined by the court.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in a statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The Commission vote authorizing the filing of the complaint against Kochava was 4-1, with Commissioner Noah Joshua Phillips the only to vote no.

The news of this latest action is not surprising. The agency had warned businesses in July it planned to enforce the law over the illegal use and sharing of sensitive consumer data and said this month it was exploring new rules that would further crack down on businesses that “collect, analyze, and profit from information about people.”

This is also not the first action the FTC has taken that directly targets a business involved in sensitive data collection, however. Last year, the FTC had taken action against the fertility tracking app Flo for sharing sensitive data with third parties. The app didn’t receive a financial penalty but was noteworthy for being the first time the regulator had ordered notice of a privacy action of this kind.


Instagram now defaults new users under 16 to most restrictive content setting, adds prompts for existing teens

In December, just ahead of Instagram head Adam Mosseri’s testimony before the U.S. Senate over the impacts of its app on teen users, the company announced plans to roll out a series of safety features and parental controls. This morning, Instagram is updating a critical set of these features which will now default teen users under the age of 16 to the app’s most restrictive content setting. It will also prompt existing teens to do the same, and will introduce a new “Settings check-up” feature that guides teens to update their safety and privacy settings.

The changes are rolling out to global users across platforms amid increased regulatory pressure over social media apps and their accompanying minor safety issues.

In last year’s Senate hearing, Mosseri defended Instagram’s teen safety track record in light of concerns emerging from Facebook whistleblower Frances Haugen, whose leaked documents had painted a picture of a company that was aware of the negative mental health impacts of its app on its younger users. Though the company had then argued it took adequate precautions in this area, in 2021 Instagram began to make changes with regard to teen use of its app and what they could see and do.

In March of this year, for instance, Instagram rolled out parental controls and safety features to protect teens from interactions with unknown adult users. In June, it updated its Sensitive Content Control, launched the year prior, to cover all the surfaces in the app where it makes recommendations. This allowed users to control sensitive content across places like Search, Reels, Accounts You Might Follow, Hashtag Pages and In-Feed Recommendations.

It’s this Content Control feature that’s receiving the update today.

The June release had put in the infrastructure to allow users to adjust their settings around “sensitive content” — that is, content that could depict graphic violence, is sexualized in nature, or content about restricted goods, among other things. At the time, it presented three options to restrict this content — “More,” “Less,” or “Standard.”

Before, all teens under 18 were only able to choose to see content in the “Standard” or “Less” categories. They could not switch over to “More” until they were an adult.

Image Credits: Instagram

Now, with today’s update, teens under the age of 16 will be defaulted to the “Less” control if they are new to Instagram. (They can still later change this to Standard if they choose.)

Existing teens will be pushed a prompt that encourages them — though does not require — to choose the “Less” control, as well.

As before, this impacts the content and accounts seen across Search, Explore, Hashtag Pages, Reels, Feed Recommendations and Suggested Accounts, Instagram notes.

“It’s all in an effort for teams to basically have a safer search experience, to not see so much sensitive content and to automatically see less than any adult would on the platform,” said Jeanne Moran, Instagram Policy Communications Manager, Youth Safety & Well-Being, in a conversation with TechCrunch. “…we’re nudging teams to choose ‘Less,’ but if they feel like they can handle the ‘Standard’ then they can do that.”

Of course, to what extent this change is effective relies on whether or not teens will actually follow the prompt’s suggestion — and whether they’ve entered their correct age in the app, to begin with. Many younger users lie about their birthdate when they join apps in order to not be defaulted to more restrictive experiences. Instagram has been attempting to address this problem through the use of A.I. and other technologies, including those that now require users to provide their birthdays if they had not, A.I. that scans for possible fake ages (e.g. by finding birthday posts where the age doesn’t match the birthdate on file), and, more recently, via tests of new tools like video selfies.

The company hasn’t said how many accounts it’s caught and adjusted through the use of these technologies, however.

Separately from the news about its Sensitive Content Control changes, the company is rolling out a new “Settings check-up” designed to encourage all teens under 18 on the app to update their safety and privacy settings.

This prompt focuses on pointing teens to tools for adjusting things like who can reshare their content, who can message and content them, and their time spent on Instagram, as well as the Sensitive Content Control settings.

The changes are a part of a broader response in consumer technology about how apps need to do better with regard to how they serve younger users. The E.U., in particular, has had its eye on social apps like Instagram through conditions set under its General Data Protection Regulation (GDPR) and Age Appropriate Design Code. Related to teen usage of its app, Instagram is now awaiting a decision about a complaint over its handling of children’s data in the E.U., in fact. Elsewhere, including in the U.S., lawmakers are weighing options that would further regulate social apps and consumer tech in a similar fashion, including a revamp of COPPA and the implementation of new laws.

In response to the new features, child-friendly policy advocate Common Sense Media‘s founder and CEO Jim Steyer suggested there’s still more Instagram could do to make its app safe.

“The safety measures for minors implemented by Instagram today are a step in the right direction that, after much delay, start to address the harms to teens from algorithmic amplification,” Steyer said, in a prepared statement. “Defaulting young users to a safer version of the platform is a substantial move that could help lessen the amount of harmful content teens see on their feeds. However, the efforts to create a safer platform for young users are more complicated than this one step and more needs to be done.”

He said Instagram should completely block harmful and inappropriate posts from teens’ profiles and should route users to this platform version if it even suspects the user is under 16, despite what the user entered at sign-up. And he pushed Instagram to add more harmful behaviors to its list of “sensitive content,” including content that promotes self-harm and disordered eating.

Instagram says the Sensitive Content Control changes are rolling out now. The Settings check-up, meanwhile, has just entered testing.

Meta officially rolls out its new metaverse ID system

Meta, formally Facebook, has officially rolled out what it’s calling Meta accounts and Meta Horizon Profiles. The global launch will be gradual, but both “accounts” are to be used in place of the personal social media account logins — Facebook and Instagram — once used to log in to the company’s virtual reality (VR) system. 

Users, new and old, of Metas VR devices, will be required to signup for a Meta account to log in and access the metaverse. The company is ditching the old way of logging on after complaints around privacy concerns arose regarding using personal social media accounts. 

However, the company is still allowing users to use Facebook and Instagram accounts to create a Meta account, the company said. If a person chooses to create their Meta account via their social media accounts they’ll be connected in the Accounts Center, the central hub for connected experiences across Meta. 

Although the company is encouraging users to connect via a Meta account, those using an Oculus login will be allowed to continue to log in this way until January 1, 2023. 

As consumers transfer over, the company claims it will “still have access to all of your previous VR purchases and downloads.” 

Though there is no need to connect Meta-run social media accounts, the company is still presenting it as an option. The company claims the connection will allow for greater experiences in the metaverse such as live stream sharing, messaging and finding followers faster.

To even begin the process of creating a Meta account one must have the latest software on the Oculus app and VR headset. 

In addition to the Meta account, a “Meta Horizon Profile” will replace the once-used Oculus account. The profile will be the home for all things avatar-based and be considered the social media for the metaverse. The company once used the term “Friends” in the Metaverse but will now consider them “Followers” — giving the Horizon World platform an Instagram feel. 

As privacy continues to be a pressing issue for the tech giant, Meta accounts will provide three options for users — “Open to Everyone,” “Friends and Family” and “Solo” — all of which have different implications on who can connect and see one’s account. If a user chose to skip privacy setup, they will be defaulted to “Friends and Family”.  Users will also have the option to set their Horizon profile as private, which requires users to accept follow requests. 

Minors ages 13 through 17 will have their accounts set to private by default. 

For now, the accounts are only linked to VR-related logins, but that’s not to say Meta won’t expand this feature in the future. 

How did a rental startup I’d never heard of leak my home address?

I consider myself a fairly privacy-conscious person, going out of my way to evade online tracking and, for the most part, avoiding spam mail. But when I found myself staring at my home address on the website of a company I had never heard of, I knew somewhere I had gone wrong.

A few days before our rent was due at the end of April, my partner received an email from the owner of our apartment building about a new way we could pay rent while collecting reward points, like a loyalty program. It was a good offer at a time when rents are at record highs, so she clicked and it loaded the website of rental rewards company Bilt Rewards and prominently displayed her full name and our apartment number.

Already this was fairly alarming. Our apartment building had given her information to Bilt and we were now staring at it on its website. I never got the email that my partner received. But I was curious, did Bilt have my information too?

Any time she clicked the link in the email, it opened the same personalized Bilt webpage showing her name and apartment number because the webpage was retrieving her information directly from Bilt’s servers through an API. (An API allows two things to talk to each other over the internet, in this case Bilt’s servers storing our information and its website.) You could see this using the browser’s developer tools, no fancy tricks needed. Using the browser’s tools, you could also see that the website was also pulling the name of the apartment building we live in, even though it wasn’t displayed on Bilt’s website.

At best this was a gross attempt at personalizing a sign-up page, and at worst it was a breach of our home address. But it was also possible to retrieve the same information directly from Bilt’s servers using just her email address — no special email link needed — which, like for many of us whose email addresses are public, unfortunately wouldn’t require much guesswork.

I plugged in my email address and the site returned my name, building name and apartment number, all the same as my partner’s information. How was it possible for a startup I hadn’t heard of until this point to obtain and leak my home address?

I am one of about 50 million renters in the United States. I live just outside New York City with my partner and our two cats in an apartment building owned by Equity Residential, one of the biggest corporate landlords in the U.S. with more than 80,000 rental apartments under its management. Even then, Equity is one of about 20 corporate landlords including Blackstone, AvalonBay and Starwood that account for over two million homes, or about 4% of all U.S. rental housing.

Enter Bilt, one of many startups that have emerged thanks to the recent boom in the property technology space, or proptech, as it’s widely known. Bilt was founded by entrepreneur Ankur Jain in June 2021 and lets renters earn rewards each time they make a rent payment. It’s through partnerships with most of the largest corporate landlords that Bilt now offers its rental rewards program to more than two million rental homes across the U.S., including homes like mine that are owned by Equity.

I started by thinking of this as any other data breach story I’ve covered in the past and wanted to know who else was affected.

My first call was to a neighbor in the same building, who when told about how Bilt’s website leaked my address, agreed to check to see if he was also affected. I pulled out my laptop and we entered his email address into Bilt’s API, which immediately returned his name, the building name and his apartment number; his face shifted from trepidation to horror, much as mine had done earlier in the day.

My second call was to Ken Munro, founder of U.K. cybersecurity testing firm Pen Test Partners, a name you might know from previous encounters with leaky online services, like Peloton bikes, smartphone apps and the occasional sex toy. Unbeknownst to me, one of his stateside colleagues has an apartment in my building and confirmed to me that the details of his home address were also exposed by the API.

Now we’re at four people whose information was exposed by Bilt’s leaky website just by knowing their email address.

I contacted Bilt, whose response was not great.

“The API you sent below is working as intended,” responded Jain, now Bilt’s CEO. (Jain declared his email “off the record,” which requires both parties agree to the terms in advance. I told Jain we would publish his responses since there was no opportunity to decline.)

“The only exception to this is a handful of buildings operated by Equity Residential, where they have not yet integrated Bilt into their native resident portal,” said Jain. “But given the small number of buildings, Equity made a risk decision to send email invitations and landing pages using a more manual approach in the short term. For this small set of pilot buildings, landing pages generated using this API require email only,” he said.

Jain said that the information returned by the API “is widely and easily available via any public records search,” and that there is “no private information being disclosed via this API that isn’t available across these public records.” (Jain and I will have to agree to disagree since up to this point I had kept my home address largely off the internet — and in any case, just because someone’s personal information is made public in one place isn’t a justification for making it public somewhere else.)

When reached for comment, Equity spokesperson Marty McKenna said: “We are using this process at a limited number of buildings while we complete our integration with Bilt. We do not agree that this is a security issue,” said McKenna.

McKenna repeatedly declined to say how many Equity buildings had residents whose information was exposed. But my own leaked information left behind clues that suggest the number could be at least 21 Equity buildings, amounting to thousands of tenants. When asked about the number of buildings, McKenna did not dispute the figure.

Bilt eventually plugged its leaky API on May 26, almost a month after I first made contact.

But it still wasn’t clear how Bilt got my information to begin with, absent any mention of data collection or sharing in my signed lease agreement.

McKenna solved that mystery, telling me: “Equity Residential shares information with service providers to allow services to be provided to our residents. Our authority to do so lies in our Terms of Use and Privacy Policy which are available on our website.”

The short answer is yes, the privacy policy on the website that nobody thinks — nor I thought — to read. From the moment you walk into an Equity building, its privacy policy allows for a wide range of data collection, including offline collection, such as the data that is collected on you as you sign an agreement to rent an apartment. And most of that data can be shared with third-party companies for a broad number of reasons, like offering services on behalf of Equity. Companies like Bilt, according to the policy, “may have access [to personally identifiable information] in order to provide these services to us or on our behalf.”

And it’s not unique to Equity. Many of the other corporate landlords use similar catch-all language in their privacy policies that gives them wide latitude to collect, use and share or sell your personal information.

AvalonBay, which owns 79,000 apartments across the U.S. east coast, uses the same word-for-word language in its privacy policy about giving personal information about its tenants to third parties it works with. That can include laundry services, car parking providers or — like Bilt — rent payment processors. And the number of third parties with access to your personal information can quickly add up.

Erin McElroy, an assistant professor in the Department of American Studies at the University of Texas at Austin, whose research includes proptech and housing, told TechCrunch that as housing becomes treated more as a commodity rather than a right or a social good. With tenants’ increasingly framed as consumers, much of what a person might experience when using a certain product or service is now also experienced as a tenant. “That’s strategic and part and parcel with the corporatization and financialization of housing, that certainly tenants don’t think of themselves as consumers and read all the fine print in their lease agreements, imagining that something like this might happen,” said McElroy.

Some privacy policies go further. GID, which owns more than 86,000 residential units, has a privacy policy that explicitly allows it to sell extensive amounts of its tenants’ personal information to its affiliates, other management companies and data brokers that further collect, combine and sell your information to others.

“It’s very common to have a privacy policy that governs the use of data,” Lisa Sotto, a privacy lawyer and partner at Hunton Andrews Kurth, told TechCrunch in a phone call. Sotto said that privacy policies are not empty words: “They are regulated by the Federal Trade Commission, and the FTC prohibits unfair or deceptive trade practices.”

The FTC can, and sometimes does, take action against companies that misuse data or have poor data security practices, like mortgage data firms exposing sensitive personal information, attempts to cover up data breaches and tech companies for breaking their privacy promises. As attorneys at law firm Orrick wrote: “The fact that you can sell your tenants’ data does not mean you should sell that data.”

But there are no rules that specifically protect the sharing of a tenant’s personal information.

Instead, it’s up to each state to legislate. Only a handful of U.S. states — California, Connecticut, Colorado, Utah and Virginia — have passed privacy laws that protect consumers in those states, said Sotto. And only California’s law is currently in force at the time of writing.

California became the first U.S. state to enact individual privacy rights — similar to those offered to all Europeans under GDPR. The California Consumer Privacy Act, or CCPA as it’s known, came into force in January 2020 and grants Californians rights to access, change and delete the data that companies and organizations collect on them. The CCPA became a major thorn in the side of data-hungry companies because the law forced them to carve out wide exceptions in their privacy policies to allow Californians the right to opt-out of having their data sold to third parties. It also often necessitated companies to offer an entirely separate privacy policy for California residents, just like GDPR had done years earlier.

CCPA is, like GDPR, imperfect to say the least. But as the first U.S. statewide privacy law in, it set the bar for other states to follow and, ideally, improve over time.

Virginia is the next state with a law to come into effect in January 2023. But critics have called the bill “weak,” alongside reports that the bill’s text was authored by Amazon and Microsoft lobbyists, working to serve their corporate interests. Tech giants are backing and pushing for heavily lobbied state privacy laws, like Virginia’s, with the ultimate goal of prompting federal legislation that would create weaker blanket rules across the U.S. that would replace the patchwork of state laws — including California’s, where the rules are the strongest.

But while a fraction of Americans are covered by some privacy laws, the majority live in states that have little to no protections against the sharing of a person’s information.

“There is really a paucity of legislation,” said McElroy. “Tenants are not told generally anything about what kinds of data are being collected about them. They don’t have the opportunity to consent and they’re not given any sort of indication of potential harms,” they said.

Would I have moved into this apartment knowing that my corporate landlord would share my personal information with third parties that show little regard to protecting it? Maybe not. But with skyrocketing rents and a looming global economic downturn, despite record profits by some of America’s largest corporate landlords, renters may not have much of a choice.

“As housing gets swept up by these corporations, there’s an affordable housing crisis in most cities and tenants can’t be too picky when it comes to finding a place to rent,” said McElroy. “Often tenants are forced to sort of forgo finding a landlord with less abusive data policies just because there aren’t options.”

So, how did a technology startup obtain my home address? Easily and legally. As for leaking it? That’s just bad security.

More on TechCrunch:

Meta consolidates its privacy policy to appease regulators

In an effort to make its notoriously dense user agreements less labyrinthine, Meta has rewritten and redesigned how that information is presented.

The company insists that the changes are in form, not function, bolding some lines, adding subheaders and illustrations instead of presenting that information as a giant wall of text. The result is still mostly a giant wall of text, but one designed to appease regulators across the globe as they amp up scrutiny on how social media platforms inform consumers.

Meta Deputy Chief Privacy Officer Rob Sherman cited “more demand” from regulators and privacy laws seeking to ensure that privacy policies cover as much ground as possible. The company also made similar changes to its terms of service, which sets out rules people must abide by to use its platforms.

“One of the challenges that we and lots of other companies are facing is privacy policies really… need to be comprehensive and provide explicit detail about how people’s data is used and protected, which translates to more words on the page,” Sherman said. “But they also need to be understandable, which means that we need to do more to help people navigate what’s written.”

The rewritten privacy policy provides new examples and infographics that spell out what the company can and can’t do with private user data more clearly. The redrafted policies will tie into all Meta products except for WhatsApp.

People who use Meta’s stable of products will begin receiving updates on the new privacy policy changes around July 26, when they’re implemented. While users might understandably think something has shifted in the way apps like Facebook and Instagram collect data, the company says there are no changes to the amount of information it collects

“A big part of the goal is obviously to first of all make sure that we meet our regulatory obligations,” Sherman said. “But beyond that, to make sure that people understand how our data is used — it’s not good for us if if people are surprised by data practices.”


Meta’s Oversight Board urges Facebook and Instagram to tighten doxing rules

Meta’s external advisory organization issued new recommendations Tuesday, urging the company to bolster its policies that protect users against doxing.

Facebook requested advice on the policy last year, acknowledging that it had difficulty balancing access to public information with privacy concerns. The company now known as Meta’s current policy on sharing private identifying details carves out an exception for cases when that information becomes “publicly available:”

“We remove content that shares, offers or solicits personally identifiable information or other private information that could lead to physical or financial harm, including financial, residential, and medical information, as well as private information obtained from illegal sources. We also recognize that private information may become publicly available through news coverage, court filings, press releases, or other sources. When that happens, we may allow the information to be posted.”

Citing how this kind of harm can be “difficult to remedy” — i.e. once someone’s address is out in the wild it’s impossible to put that cat back in the bag — the Oversight Board recommended that Meta remove the exception in its Privacy Violations Policy allowing “publicly available” home addresses and identifying images. The new rules would be “more protective of privacy” according to the board, in light of the unique risks that erring on the side of too little caution poses.

“Once this information is shared, the harms that can result, such as doxing, are difficult to remedy,” the Oversight Board wrote. “Harms resulting from doxing disproportionately affect groups such as women, children and LGBTQIA+ people, and can include emotional distress, loss of employment and even physical harm or death.”

The board’s recommendations would create a few commonsense exceptions, like in the case of sharing an image of a residence that is the focus of a news story or when someone shares a picture of their own home. The group still advises Meta disallow images of private addresses shared for the purposes of organizing protests.

The Board also argues that Meta should allow residential imagery to be shared if a protest is being organized at “official residences provided to high-ranking government officials” like federal and local government leaders and ambassadors, otherwise an event planning to demonstrate at a location like the White House might run afoul of the rules.

SiriusXM figures out how to track audiences across its apps, including Pandora and Stitcher

The use of tracking cookies is winding down, and Apple’s anti-tracking privacy update has impacted mobile apps’ advertising revenues. But these changes have only prompted the adtech industry to get more creative with its solutions. The latest example comes from Pandora parent company, SiriusXM, which this week rolled out a new way to identify and track its listening audience across apps, which it’s calling “AudioID.”

The new identity solution comes from AdsWizz, the digital audio ad tech company Pandora acquired for $145 million back in 2018, gaining access to adtech products like dynamic ad insertion, campaign monitoring tools, podcast transcription tech, and even weirder features — like “Shake Me” that let users shake their phones during an ad to trigger an action. Now, AdsWizz is being put to work in a new way, by powering the AudioID product.

To work, AudioID matches the datasets of user information across SiriusXM’s businesses, including its own satellite radio music service, as well as streaming apps Pandora and Stitcher — the podcast app it bought for $325 million in 2020.

The company explains that it looks for signals in the datasets that overlap. So, for example, if a customer signed up with the same email address across both Pandora and Stitcher, SiriusXM can combine those accounts into a single “AudioID.” Consumers won’t likely know this matching is happening behind the scenes. They aren’t being asked by the apps to provide any additional information or consent. There’s no opt-out. That’s because the AudioIDs are meant to be a stand-in for the traditional identifier which, in the past, may have contained or linked to a user’s personal information. SiriusXM, on the other hand, describes its AudioIDs as unique but “anonymized.”

But the AudioID can match together all kinds of signals beyond just an email or phone number to inform its creation. The technology can look for matches across device IDs, IP addresses, other user profile data, and then create an identifier that spans streaming apps. That means it can track a user’s listening behavior whether they’re playing music or podcasts in a mobile app, in the browser, in a car, or on a smart device in their home.

In other words, the company has come up with a way that will continue to allow advertisers to target users with more relevant ads, but in a way that attempts to obfuscate the personal information and identity of the listener and instead focus on the content they listen to.

At launch, the solution will support first-party ad targeting, enhanced measurement, reach, forecasting, and frequency capping use cases, says SiriusXM.

“We are entering a new era of identity – both in culture and in technology – that defines us not by who we are on paper or the cookies we leave behind, but by our interests and passions,” states Chris Record, AdsWizz SVP and Head of Ad Product, Technology and Operations. “AudioID is a consumer-first, privacy-conscious infrastructure that will deliver our audiences the best experiences and give marketers access to data-driven capabilities like never before.”

Of course, it remains to be seen whether consumers will appreciate the positioning of this type of solution — especially after they receive highly-targeted ads after tapping a “do not track” pop-up in their mobile app. The assumption on marketers’ part, of course, is that consumers actually welcome personalized ads because they’re more relevant to their interests. They believe the issue is that consumers don’t want their personal information floating around in advertisers’ dossiers. Arguably, though, consumers who opt-out of tracking understand the trade-off is that the ads they encounter may become less precise. But they tap that button anyway. If anything, that’s because consumers are opting out not only out of a desire for protecting their private, personal information, but because highly personalized ads have gotten far too creepy. The AudioID solution doesn’t seem to address that aspect of consumers’ complaints with modern-day adtech — especially if it’s collecting and compiling a user’s “interests and passions” for better targeting.

SiriusXM notes that the solution is opt-in for its partnered publishers and marketers — they don’t have to use AudioID, in other words. It says that later in 2022, it will extend this first-party targeting to off-platform marketers and advertisers across AdsWizz in the U.S., as well.

Google gets hit with a new lawsuit over ‘deceptive’ location tracking

Washington DC, Texas, Washington state and Indiana announced the latest lawsuit against Big Tech Monday, alleging that Google deceived users by collecting their location data even when they believed that kind of tracking was disabled.

“Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access,” DC Attorney General Karl Racine said. “The truth is that contrary to Google’s representations it continues to systematically surveil customers and profit from customer data.”

Racine described Google’s privacy practices as “bold misrepresentations” that undermine consumer privacy. His office began investigating how Google handles user location data after reporting from the Associated Press in 2018 found that many Google apps across iOS and Android recorded location data even when users have chosen privacy options that explicitly say they won’t. The AP coordinated with computer science researchers at Princeton to verify its findings.

“Google’s support page on the subject states: ‘You can turn off Location History at any time. With Location History off, the places you go are no longer stored,'” the AP reported. “That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.”

The lawsuit argues that Google created a location tracking system that’s impossible for users to opt out of and that it misled users about how privacy settings could protect their data within apps and at the device level on Android. It also accuses Google of relying on deceptive dark pattern design to force users into making choices counter to their own interests.

Those practices may run have run afoul of state laws protecting consumers. In Washington DC, the Consumer Protection Procedures Act (CPPA) outlaws “a wide variety of deceptive and unconscionable business practices,” and is enforced by the attorney general.

Racine’s office is pursuing an injunction against Google as well as seeking to force the company to pay out profits that it made from user data collected by misleading consumers about their privacy.

New privacy bill would put major limits on targeted advertising

A new bill seeks to dramatically reshape the online advertising landscape to the detriment of companies like Facebook, Google and data brokers that leverage deep stores of personal information to make money from targeted ads.

The bill, the Banning Surveillance Advertising Act, introduced by Reps. Anna Eshoo (D-CA) and Jan Schakowsky (D-IL) in the House and Cory Booker (D-NJ) in the Senate, would dramatically limit the ways that tech companies serve ads to their users, banning the use of personal data altogether.

Any targeting based on “protected class information, such as race, gender, and religion, and personal data purchased from data brokers” would be off-limits were the bill to pass. Platforms could still target ads based on general location data at the city or state level and “contextual advertising” based on the content a user is interacting with would still be allowed.

The bill would empower the FTC and state attorneys general to enforce violations, with fines of up to $5,000 per incident for knowing violations.

“The ‘surveillance advertising’ business model is premised on the unseemly collection and hoarding of personal data to enable ad targeting,” Rep. Eshoo said. “This pernicious practice allows online platforms to chase user engagement at great cost to our society, and it fuels disinformation, discrimination, voter suppression, privacy abuses, and so many other harms.”

Sen. Booker called the targeted advertising model “predatory and invasive,” stressing how the practice exacerbates misinformation and extremism on social media platforms.

Privacy-minded companies including search engine maker DuckDuckGo and Proton, creator of ProtonMail, backed the legislation along with organizations including the Electronic Privacy Information Center (EPIC), the Anti-Defamation League, Accountable Tech and Common Sense Media.