Ctrl-Alt-Defeat: White Castle facing “annihilation” over worker surveillance; Congress gets hacked
Where would we be without a good tale of Bollywood cyber-crime? This week it’s just the tip of the iceberg. Students in Minnesota and public workers in California are left reeling after major ransomware attacks, the Justice Department is swatting away Democrats who want to peek at its investigation into Donald Trump — and the FBI admits it’s been buying the location data of Americans.
Here’s this week’s highlight reel of the most important, infuriating and utterly bizarre moments in tech-politics.
Privacy: White Castle on the hook for $17 billion; right-wing Catholic group tracks gay priests
Burgers and biometrics Tech giants and their lawyers are peeling their eyebrows off the ceiling this week following a ruling from the Illinois Supreme Court. White Castle — yes, that White Castle, home of the microscopic hamburgers known as “sliders” — could be on the hook for the truly alarming sumo f $17 billion over collecting biometric data from workers.
Illinois’ bar-setting Biometric Information Privacy Act (BIPA) has been a model law for activists seeking to hold major web platforms accountable for the haphazard collection and sharing of personal user information. Since 2008, the industry-embattled BIPA has become the target of deregulation efforts, while sparking nearly 1,600 suits against companies of all sizes. It allows residents to sue for $1,000 per violation (and $5,000 if it was willful).
Enter White Castle. The Crave Case purveyor forced nearly 9,500 workers to give the company fingerprint scans every time a worker punched the clock or collected a pay stub, without ever obtaining those employees’ consent.. Illinois’ high court ruled against White Castle last month, putting them on the hook for damages. BIPA doesn’t contain a statute of limitations, and after a clarification from the court this week that each instance of the fingerprint-swipe counts as a violation, the total charge could amount to $17 billion in damages, a sum one dissenting justice called “annihilative liability.”
Cyber-schism church stalkers A right-wing Catholic group called Catholic Laity and Clergy for Renewal spent $4 million buying app data to track and surveil gay priests in the U.S. — and then targeted one for outing. The group bought ad-exchange data from brokers, originating from “dating” or meet-up sites like Grindr, Scruff, Growlr, Jack’d and OKCupid. Then they “cross-referenced location data from the apps and other details with locations of church residences, workplaces and seminaries to find clergy who were allegedly active on the apps.” All the apps told the Washington Post they no longer share the kind of specific location data the groups acquired.
Hack reel: Capitol heist; School shut-down; Bollywood fraud
Congress gets hacked Health data from hundreds of members of Congress and Capitol Hill staffers were exposed in a massive hack Wednesday when the health insurance marketplace for Washington, D.C., was breached. U.S. Capitol Police and the FBI alerted the House of Representatives’ chief administrative officer in a letter, reports NBC News, though the hack impacted Senate offices as well. Data stolen included “the full names, date of enrollment, relationship (self, spouse, child), and email address, but no other Personally Identifiable Information (PII).” The FBI is investigating.
Want a daily wrap-up of all the news and commentary Salon has to offer? Subscribe to our morning newsletter, Crash Course.
School’s out A hacker called Medusa has threatened to release sensitive documents if Minnesota public schools refuse to pay $1 million in ransom by St. Patrick’s Day. Two weeks ago the cyber-criminal shut down the school bureaucracy’s IT system, and this week they reappeared in a 51-minute video, scrolling through a trove of personal data stolen from the schools: employee tax forms, HSA withdrawals, contracts with vendors, résumés of job applicants, a letter to a student’s parent about their child’s suspension. Meanwhile, thousands of Oakland, Calif., employees and residents had personal data exposed in an unrelated ransomware attack this week that temporarily shut down municipal government systems.
Bollywood bamboozle After digging up tax details and forging financial documents, a crew of fraudsters is now under arrest in India for taking a financial joyride on fake credit cards procured in the names of several Bollywood stars. The defrauded company managed to snare the five swindlers, who promptly detailed the method of the hack — but not before they managed to spend roughly $26,000.
Surveillance state: Court silences Twitter report on federal warrants
Warrant canary in the coalmine The FBI claims there has been a “significant decline” in the number of times it has targeted Americans’ data with warrantless search and seizure under its Section 702 FISA powers. But there’s no way to verify that claim, which becomes more difficult to credit when the Department of Justice gags Twitter, as it did this week with an appeals court ruling that blocks the site from telling the public when feds demand user data.
A seemingly insignificant court ruling, which blocks Twitter from revealing when the feds demand user data, could deliver the coup de grâce to Americans’ digital privacy.
Don’t lose focus here: This seemingly insignificant ruling — unless it is successfully appealed — delivers the quiet coup de grâce to Americans’ digital privacy. It sets a dangerous precedent that could undermine the annual transparency reports of all websites and apps. Those reports, which usually detail the number of spy-agency demands a site received and the number it responded to, represent a hard-won victory for privacy activists and are often the only keyhole allowing the public to see whether a particular site (and one’s individual data) is being secretly targeted.
Entire companies behind privacy-focused apps and web services in the U.S. — like VPNs, password managers, secure messaging platforms and private email providers — can live and die by these annual transparency reports. These reports are also what permitted Politico’s Alfred Ng to report this week on the sharp rise in law enforcement requests for Amazon Ring surveillance footage:
After concerns from activists and lawmakers about Ring’s role in community surveillance, the company began in 2020 publishing a transparency report on law enforcement requests the company receives.
The report shows that the number of search warrants it receives has grown significantly each year. It received 536 search warrants in 2019, the first year covered by the report. In the first half of 2022, it received 1,622 requests.
So much for “significant declines.”
Section 702 tied to Trump-file sneak peek Whether or not Congress will renew Section 702 of FISA is currently up for debate. But this week Sen. Mark Warner, D-Va., tied its fate to whether or not the DOJ was willing to hand over information about the files found in the homes of Donald Trump and Mike Pence. But that information, as administration officials told the Gang of Eight, is protected as part of an open investigation. That’s the same line the DOJ is giving pro-Trump House Republicans who are eager to see investigators’ cards through Oversight Committee subpoenas.
“This trust relationship has to go two ways,” Warner said, as reported by the New York Times. “That is not the kind of collaboration and cooperation that we expect, and it will tie and restrain our ability to make the kind of trusting relationship with the nonmembers of this committee on issues like 702.”
But who needs Section 702’s secret search-and-seize authority when you can just buy the data without a warrant instead? After all, that’s exactly what the FBI admitted to doing this week.
So: “Significant declines” in what exactly?
Thanks, I hate it.
We’ve got a tie for the most heinous tech-enabled moment of the week, and I hate them both equally.
Ransomware gang targets cancer patients Last Tuesday, Russian ransomware gang BlackCat posted photos online of three cancer patients receiving radiation treatment and seven documents containing patient information. The patients’ data was stolen during the group’s February attack on a Pennsylvania hospital network that refused to pay the ransom. The health network said it was continuing to cooperate with law enforcement investigation. Cyberattacks on hospitals have risen sharply, particularly in Europe, where this week German and Ukrainian police busted a ransomware group in a high-profile raid.
Experiments on suicidal teens exposed Nonprofit mental health startup Koko went looking for at-risk teens and young adults on Facebook, Tumblr and other platforms. Those platforms partnered with Koko, and whenever Koko’s algorithm detected “crisis-related” language about depression or suicide, the platform would funnel those users to Koko’s chatbot. The chatbot gathered data from the teens by asking them personal questions — which it was allowed to do because the experiment was carried out as “nonhuman subjects research.”