Smart cameras show images from other people’s houses


It’s been discovered that smart cameras produced by Chinese firm Xiaomi and connected to Google have been showing users images from inside strangers’ homes.

Upon loading their Xiaomi smart cameras into Google Home Hub, people were able to see still images of other homes. These images included children playing and people sleeping, including a baby asleep in a crib.

The incident took place on Wednesday 1st January; the images appeared to have been taken the same day. Google has stated that the problem only affects smart cameras made by Xiaomi, and has responded immediately.

According to The Independent:

The Chinese firm did not immediately respond to a request for comment but a Google spokesperson told The Independent: “We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices.”

This is an extremely worrying breach of privacy, and demonstrates that people should take care when installing cameras and other recording devices in their homes. The report from The Independent goes on to note that:

This is not the first time Google-linked smart cameras have experienced issues with either security bugs or hacking.

In February last year, the technology giant urged owners of Nest cameras to reset their passwords due to fears that some devices had been taken over by hackers.

One incident involved a family in Illinois, who said cyber criminals took control of their internet-connected camera to shout racial abuse through the device’s speaker at a couple and their baby.

A separate incident involved a family in California receiving an emergency broadcast alert, which falsely claimed that North Korean intercontinental ballistic missiles were headed to the United States.

You can read the full article from The Independent by clicking here.

On that occasion, Google stated that the breach occurred because of “customers using passwords that had been compromised by hacks on other websites”. Nonetheless, it demonstrates that these devices need stringent security measures.

Making sure that you have the best available cybersecurity is crucial when dealing with smart cameras and other recording devices – especially when it comes to protecting the privacy of your own home.

If you’re concerned about the measures in place at your organisation, Activa Consulting are the data management experts who can help to improve your procedures and data protection programme. Contact us today to find out how!

Google ordered to stop manual review of recordings via Article 66

Under GDPR’s Article 66, Google has been ordered to stop manually reviewing audio recordings from its Google Assistant Service because the process breaches data protection laws.

This follows a data breach last month of more than 1000 recordings. A Belgian news site, VRT, was able to identify people from the clips given to them, including such data as their addresses and medical conditions.

While Google has taken steps to report the breach to the Irish Data Protection Commission (DPC), it’s the fact that it has been forced to stop processing this data that is most significant here.

As reported by TechCrunch:

The real enforcement punch packed by GDPR is not the headline-grabbing fines, which can scale as high as 4% of a company’s global annual turnover — it’s the power that Europe’s DPAs now have in their regulatory toolbox to order that data stops flowing.

“This is just the beginning,” one expert on European data protection legislation told us, speaking on condition of anonymity. “The Article 66 chest is open and it has a lot on offer.”

This seems to be the first time that Article 66 has been implemented, but it demonstrates that GDPR is a powerful tool for data protection regulators. Not only can it levy big penalties after a data breach has occurred, it can force organisations to change their procedures.

The key requirement is that there is “an urgent need to act in order to protect the rights and freedoms of data subjects”, which there was here.

This case also demonstrates that data can include such things as video and audio recordings. Personal data is anything that can be used to identify a person, whether on its own or in conjunction with other information.

Not sure whether your organisation’s data handling processes are compliant with GDPR? Our expert advice can help. Contact us today to find out how our consultancy services can help you!

Google GDPR fine of £44m


France’s data regulator, CNIL, has fined Google £44 million (50 million euros) for a lack of transparency over collecting data to personalise ads for users. This is a record fine resulting from complaints brought by two privacy rights groups, noyb and La Quadrature du Net. So what else do we know about this Google GDPR fine?

  • The official reason given by CNIL for the fine was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. In short, people were “not sufficiently informed” about how their data was being collected.
  • The key thing here is that Google was not obtaining clear consent for the gathering of this data. “The relevant information is accessible after several steps only,” stated CNIL. “Users are not able to fully understand the extent of the processing operations carried out by Google.”
  • In addition to this, Google did not have a valid legal basis for gathering this data. In effect, not only was the process by which they were collecting users’ data insufficiently clear, they were also unjustified in doing so.
  • The first complaint was filed as soon as GDPR came into effect on 25 May 2018. Google’s preparations for the new data protection laws were clearly insufficient as they were found to be in breach of them.
  • Google is now considering its next steps after the decision from CNIL. However, it’s likely that any actions taken now will be too late – measures should have been taken before GDPR came into effect, not after.

This Google GDPR fine ought to be a big wake-up call to corporations that handle user data. As we’ve reported, Facebook has suffered numerous data breaches both before and after GDPR was brought into force; what penalties it might suffer have yet to be seen.

For more information on the Google GDPR fine and its ramifications, see the full story by clicking here.

If you’d like to ensure that your business or organisation is GDPR compliant, contact Activa Consulting today. Our GDPR Gap Analysis will help you to prevent data breaches, and therefore avoid costly fines and penalties.

Google Receives User Data from Android Phones…

ALL Android phones have been sending the location of phones to Google, even when location services are turned off by the user, or, in other words, when the user has explicitly not consented to provide personal information.

It appears that the location services are automatically turned on when you activate a new Android phone. Under GDPR, this will not be allowed – the user will have to provide consent (i.e. turn any location services on themselves). Organisations can no longer assume a data subject will want a certain service on.

There are many apps that will ask whether you agree to share your location – a ploy used mainly for marketing purposes and analysing where an app is most popular, but at least this asks for consent. In this case, that consent is being disregarded and the information used anyway.

A good example of how to do it right would be Facebook’s “check in” tool. At certain locations a user essentially shares their exact location (sometimes even accompanied by a Google Maps link) to the user’s friends. This can be considered explicit consent as that individual is willingly sharing their location, but this can’t be reliably used for marketing purposes – which is the main function of these location services really.

With regard to Google’s situation, they have made a couple of contradictory statements. Firstly, they have said that they did not store the data – if that’s the case, then it could be a fault with Android devices themselves and while Google would still receive a fine, it is perhaps a more understandable mistake.

However, “Google said it had been collecting the tower addresses for 11 months ‘as an additional signal to further improve the speed and performance of message delivery’.” (http://www.bbc.co.uk/news/technology-42079858) Google may not have stored the data, but if they processed it, that’s a different situation entirely. Even so, there may be an excuse Google can use.

There are certain exceptions when it comes to requiring consent, and that sometimes depends on whether something is mutually beneficial to the organisation and data subject. Google using this information to try to improve messaging services (or claiming to) would benefit the individual users of Android products, so consent on this occasion may not be required.

Still, there has been some user backlash and there are those who feel “betrayed” by this situation. Circumstances such as this will probably have to be included in Privacy Policies to cover all bases, and the wording will have to be clear and not misleading.

But once again, another American company has lost the trust of its customers…