Where would we be without a good cyber crime story from Bollywood? This week is just the tip of the iceberg. Students in Minnesota and public employees in California are left stranded after major ransomware attacks, the Justice Department is pushing back on Democrats who want to look into the investigation into Donald Trump — and the FBI admits it bought Americans’ location data.
Here’s this week’s highlight of the most important, annoying and downright bizarre moments in tech politics.
Privacy: White Castle on the hook for $17 billion; far-right Catholic group tracks gay priests
Burgers and biometrics
Tech giants and their lawyers are raising eyebrows this week after a ruling by the Illinois Supreme Court. White Castle — yes, that White Castle, home of the microscopic hamburgers known as “sliders” — may be on the hook for a truly alarming $17 billion sum over the collection of worker biometric data.
Illinois’ bar-setting Biometric Information Privacy Act (BIPA) has been a model law for activists who want to hold large online platforms accountable for the random collection and sharing of personal user information. Since 2008, the industry-defended BIPA has become the target of deregulation efforts, while sparking nearly 1,600 lawsuits against companies of all sizes. It allows residents to sue for $1,000 per violation (and $5,000 if it was willful).
Enter White Castle. The Crave Case vendor forced nearly 9,500 workers to provide the company with fingerprint scans every time a worker clocked in or collected a paycheck, without ever obtaining the employees’ consent. The Illinois Supreme Court ruled against White Castle last month, putting them on the hook for damages. BIPA contains no statute of limitations, and after a court ruling this week that each instance of fingerprinting counts as a violation, the total charge could amount to $17 billion in damages, a sum that a dissenting judge called “devastating liability.”
Cyber-schism church persecutors
A right-wing Catholic group called Catholic Laity and Clergy for Renewal spent $4 million to buy app data to track and monitor gay priests in the United States — and then targeted one for outing. The group bought ad exchange data from brokers, originating from “dating” or matchmaking sites such as Grindr, Scruff, Growlr, Jack’d and OKCupid. They then “cross-referenced location data from the apps and other details with locations of church residences, workplaces and seminaries to find clergy who were allegedly active on the apps.” All the apps told the Washington Post that they no longer share the type of specific location data the group obtained.
Hack wheel: Capitol robbery; School closure; Bollywood scam
Congress gets hacked
The health data of hundreds of members of Congress and Capitol Hill staffers was exposed in a massive hack Wednesday when the Washington, D.C., health insurance marketplace was breached. US Capitol Police and the FBI notified the House executive director in a letter, NBC News reports, although the hack also affected Senate offices. Data stolen included “full name, registration date, relationship (self, spouse, children) and email address, but no other personally identifiable information (PII).” The FBI is investigating.
School is out
A hacker called Medusa has threatened to release sensitive documents if Minnesota public schools refuse to pay a $1 million ransom by St. Patrick’s Day. Two weeks ago, cybercriminals shut down the school bureaucracy’s IT system, and this week they resurfaced in a 51-minute video, scrolling through a trove of personal data stolen from the schools: employee tax forms, HSA withdrawals, contracts with vendors, resumes for job seekers, a letter to a student’s parent about their child’s suspension. Meanwhile, thousands of Oakland, California, employees and residents had their personal information exposed in an unrelated ransomware attack this week that temporarily shut down municipal government systems.
Bollywood bamboo
After digging up tax details and falsifying financial documents, a crew of fraudsters has now been arrested in India for making a financial run on fake credit cards procured in the names of several Bollywood stars. The defrauded company managed to catch the five fraudsters, who immediately described the method of the hack, but not before they managed to spend around $26,000.
Surveillance state: Court silences Twitter report on federal arrest warrants
Warrant canary in the coal mine
The FBI claims there has been a “significant decrease” in the number of times it has targeted Americans’ data with searches and warrantless seizures under Section 702 FISA powers. But there’s no way to verify that claim, which becomes harder to credit when the Justice Department gags Twitter, as it did this week with an appeals court ruling that blocks the site from telling the public when federal authorities demand user data.
A seemingly inconsequential court decision, which blocks Twitter from disclosing when the feds demand user data, could deliver the coup de grace to Americans’ digital privacy.
Don’t lose focus here: This seemingly inconsequential ruling — unless it’s appealed — delivers the quiet coup d’état to Americans’ digital privacy. It sets a dangerous precedent that could undermine the annual transparency reports of all websites and apps. These reports, which typically detail the number of spy agency claims a site received and the number it responded to, represent a hard-won victory for privacy activists and are often the only keyhole that allows the public to see whether a particular site (and one’s individual data) is being secretly targeted.
Entire companies behind privacy-focused apps and online services in the US—like VPNs, password managers, secure messaging platforms, and private email providers—can live and die by these annual transparency reports. Those reports are also what allowed Politico’s Alfred Ng to report this week on the sharp increase in law enforcement requests for Amazon Ring surveillance footage:
Following concerns from activists and lawmakers about Ring’s role in community surveillance, in 2020 the company began publishing a transparency report on law enforcement requests the company receives.
The report shows that the number of search warrants it receives has grown significantly each year. It received 536 search warrants in 2019, the first year covered by the report. In the first half of 2022, it received 1,622 requests.
So much for “significant declines.”
Section 702 Related to the Trump File Sneak Peek
Whether or not Congress will renew Section 702 of FISA is currently up for debate. But this week, Sen. Mark Warner, D-Va., tied his fate to whether the DOJ was willing to hand over information about the files found in the homes of Donald Trump and Mike Pence. But that information, administration officials told the Gang of Eight, is protected as part of an open investigation. It’s the same line the DOJ is giving pro-Trump House Republicans eager to see investigators’ briefs through oversight committee subpoenas.
“This relationship of trust has to go both ways,” Warner said, as reported by the New York Times. “That’s not the kind of collaboration and cooperation that we expect, and it will bind and limit our ability to create that kind of trusting relationship with non-members of this committee on matters like 702.”
But who needs Section 702’s secret search-and-seizure authority when you can just buy the data without a warrant instead? After all, that’s exactly what the FBI admitted to doing this week.
Then: “Significant declines” in what, exactly?
Thanks, I hate it.
We have a tie for the most loathsome tech-enabled moment of the week, and I hate them both equally.
The ransomware gang targets cancer patients
Last Tuesday, the Russian ransomware group BlackCat posted online images of three cancer patients receiving radiation treatment and seven documents containing patient information. Patients’ data was stolen during the group’s February attack on a Pennsylvania hospital network that refused to pay a ransom. The health network said it continues to cooperate with the police investigation. Cyber-attacks on hospitals have increased sharply, particularly in Europe, where German and Ukrainian police this week took down a ransomware group in a high-profile raid.
Suicidal ideation experiments revealed
Mental health startup Koko was looking for at-risk teens and young adults on Facebook, Tumblr and other platforms. These platforms partnered with Koko, and whenever Koko’s algorithm detected “crisis-related” language about depression or suicide, the platform would direct those users to Koko’s chatbot. The chatbot collected data from the teenagers by asking them personal questions — which it was allowed to do because the experiment was conducted as “non-human subjects.”