Planned Parenthood patient information isn’t always private online

Hello and welcome to The Cybersecurity 202! We don’t have a newsletter tomorrow, so we’ll see you on Tuesday. Happy 4th of July weekend!

Below: The TSA updates its cybersecurity rules for pipelines, and researchers link a $100 million cryptocurrency heist to North Korea. But first:

Planned Parenthood’s online tracking raises privacy concerns

Women who want an abortion may have a new kind of worry if they visit the Planned Parenthood website to find out about clinics near them.

The organization’s online scheduling tool gives it the ability to share patients’ locations — and, sometimes, the type of abortion they’ve chosen — with big tech companies, reports my colleague Tatum Hunter.

This could raise privacy concerns, as about 20 states ban or are preparing to ban abortion following the overturning of the Supreme Court ruling Roe vs. Wade.

To be fair, the state bans enacted so far would allow abortion providers — not the patients themselves — to be prosecuted. It's also worth noting that third-party tracking is ubiquitous online, and many organizations, including nonprofits like Planned Parenthood, have long collected such data, according to The Markup.

Yet in this new era of state abortion bans, it’s fair to imagine that law enforcement might turn to digital data to gather evidence of crimes. Some experts fear what big tech companies would do if they received subpoenas from state authorities for data. Tech companies still haven’t said what they would do in such a situation and employees are frustrated, my colleagues report.

Marketing “necessary”

Planned Parenthood’s scheduling tool may share information with Google, Facebook, TikTok and tracking tool Hotjar, according to an investigation by Lockdown Privacy, which makes an app that blocks online tracking.

Most concerning: When a user selects a type of abortion and makes an appointment, this data, as well as information about the clinic, the user's IP address and their behavior on the site, is shared with Google. Users’ IP addresses and data about their behavior on the site are shared with Facebook and TikTok, Lockdown said.

“It was absolutely shocking,” Lockdown founder Johnny Lin said. “We analyzed and reviewed the tracking behaviors of hundreds of apps and websites, and it’s rare to see such a degree of negligence with sensitive health data.”

Planned Parenthood uses trackers for marketing, spokesperson Lauren Kokum said. She didn’t respond when asked if Planned Parenthood plans to remove trackers given the new state abortion bans, or why trackers even run on the scheduling page.

  • “Marketing is a necessary part of Planned Parenthood’s work to reach people seeking sexual and reproductive health care, education and information,” she said.

Facebook, for its part, said that advertisers should not transfer sensitive data through its site.

  • “Advertisers should not send sensitive information about individuals through our business tools,” said Peter Andy, a spokesperson for Meta, the parent company of Facebook. “This is against our policies and we teach advertisers how to properly configure business tools to prevent this from happening. When companies do this, our filtering mechanism is designed to prevent potentially sensitive data from being passed on to them. detect to enter our ad system. According to our review, it happened here.”

Organizations using Google’s analytics software can delete data at any time, and the latest version of its tool automatically deletes IP addresses, Director of Google Analytics Russell Ketchum said.

Planned Parenthood should know better, says Electronic Frontier Foundation senior technologist Cooper Quintin.

  • “It’s really irresponsible of Planned Parenthood to create more data about website visitors and more evidence leads about people who seek out their services,” he said. “Planned Parenthood must – right now, right now – minimize the amount of data they share with any outside parties and minimize the amount of data they retain.”

In view of the Supreme Court's overturning of Roe, scrutiny turned to other companies that had data on visitors to abortion clinics.

For just $160, Motherboard reporters last month bought a week of data from SafeGraph on visitors to hundreds of Planned Parenthood locations. SafeGraph CEO Auren Hoffman later wrote in a blog post that the company would stop offering the data and that it had “no indication that this data has ever been misused.”

In the wake of Motherboard’s report on SafeGraph, Democratic senators told Federal Trade Commission Chair Lina Khan that “additional steps must be taken to protect personal data and ensure women’s privacy when making decisions that should be between them and their doctors.”

Lawmakers have also turned their attention to online privacy in the post-Roe world. They introduced legislation to restrict what data period-tracking apps can collect and disclose, my colleague Cristiano Lima reported.

The Roe decision also comes as lawmakers struggle to reach an agreement on privacy legislation. But leading Democrats say the bill does not sufficiently protect abortion-related data, Cristiano reported this week.

Canadian police admit to using spyware

The Royal Canadian Mounted Police (RCMP) says it used the technology in 10 investigations from 2018 to 2020, Politico's Maura Forest reports. This is the first time the police agency has publicly admitted to using spyware, which it says it uses only in its most serious investigations.

The RCMP has linked its use of spyware to wiretapping, which it says has lost its effectiveness. “In less than a generation, many Canadians have migrated their day-to-day communications from a small number of large telecommunications service providers, all of which provided limited and centrally controlled services to customers, to countless organizations in Canada and elsewhere that offer a myriad of digital services to customers,” it wrote. “This decentralization, combined with the widespread use of end-to-end encrypted voice and text messaging services, makes it exponentially more difficult for the RCMP to conduct court-authorized electronic surveillance.”

End-to-end encryption ensures that only the sender and receiver of a message can read its contents. Canadian police have long said that the encryption hampered their investigations. Law enforcement around the world, including the FBI, shares these concerns, but privacy experts say end-to-end encryption is necessary to maintain privacy online.

TSA relaxes cybersecurity rules for pipelines

The Transportation Security Administration’s new requirements extend the time pipeline companies have to report hacks from 12 to 24 hours, David Uberti of the Wall Street Journal reports. It also plans to revise a second set of pipeline safety guidelines. Last year, some experts called the second directive too prescriptive.

The TSA plans to release an update to this second set of rules by July 26. It should focus less on particular security measures, Uberti reports. The Post obtained and published a copy of this directive last year.

The pipeline rules came in the wake of a Colonial Pipeline ransomware hack that led to the company shutting down its systems for nearly a week. This breach exposed the TSA’s light touch on pipeline cybersecurity oversight, my colleagues reported.

The update’s goal is to move to a “performance-based model that will strengthen security and provide the flexibility needed to ensure advances in cybersecurity through technology enhancements,” a TSA spokesperson told the Wall Street Journal. “TSA is consulting with industry stakeholders and federal partners when modifying this security directive.”

The industry seems to be open to the update. “We are encouraged by the changes they have made,” Suzanne Lemieux, director of operations safety and emergency response policy at the American Petroleum Institute, told Uberti. “There were a lot of things that weren’t well thought out in the rush to get this out [last year].”

Researchers find ‘strong indications’ that North Korean hackers were responsible for $100 million cryptocurrency hack

Cryptocurrency analysis company Elliptic cited similarities in how the Harmony Horizon blockchain bridge hack was carried out – such as “the nature of the hack and the subsequent laundering of stolen funds” – and previous North Korean cryptocurrency heists as reasons for its assessment.

North Korean group Lazarus is behind a string of cryptocurrency thefts, according to US government and UN investigators. In April, the US government linked the Lazarus Group to a cryptocurrency address used to steal more than $600 million from a video game.

On Monday, hackers began moving stolen Harmony cryptocurrency into a service that allows users to bundle their digital assets to hide their owners’ identities. At least 39% of the stolen funds were transferred, Elliptic said. Harmony is working with the FBI “as part of an investigation” into the hack, Harmony said.

Here’s more from cryptocurrency analysis company Chainalysis, which is working on the Harmony investigation:

NATO establishes program to coordinate rapid response to cyberattacks (Politico)

Norway accuses ‘pro-Russian group’ of cyberattack (Reuters)

Cops Investigate ‘WhatsApp For Gangsters’, Arrest Key Suspect In The Caribbean (Motherboard)

Security experts prepare for possible Russian cyberattacks (Protocol)

  • CISA Director Jen Easterly speaks at the opening of the US Cyber Open today.
  • The United Nations Institute for Disarmament Research holds a conference on cyberstability and critical infrastructure protection on July 5.

Thanks for reading. See you next week.