BuzzFeed News

35 Times Privacy Was A Lie In 2017

The hacks, data breaches, uncanny smart devices, panoptical social media, and government surveillance that happened in a single year. Yay!!

Posted on December 15, 2017, at 3:03 p.m. ET

Every year, we give up a little more of our privacy to big tech corporations.

This happens in a lot of little ways: feeling more comfortable letting a smart device into our home, giving more access to information about ourselves to social media platforms (or discovering to our shock how much info they had been collecting this whole time), letting our phones track us. Each of these little things doesn't feel like a lot when it happens — we might be surprised, but eventually we get used to it. Tech pushes the limits of what we feel okay with just a few inches at a time, and we don't notice until we look back that "the line" has moved miles.

This year was no exception. Let's look back and see all the ways big companies chipped away at our privacy bit by bit in 2017.

1. Equifax had a data breach that affected 145 million Americans, lol.

Hackers were able to obtain people's names, addresses, social security numbers, and birthdays. The CEO of Equifax testified before Congress about the hack, admitting it was "human error" where they knew about a software vulnerability but didn't fix it. He later resigned (with an $18.4 million pension).

This was a bad one. Real bad.

2. Amazon announced "Amazon Key", where the delivery person can leave the package inside your home.

I am totally okay with #AmazonKey. COME INSIDE AND LET’S GET WEIRD, BEZOS.

Amazon Key allows Amazon delivery people to open your door and leave your packages inside. You have to install a smart lock which can be digitally opened by your friends or Amazon, and then select it as a delivery option. A livestream camera shows you the delivery, which also is an incentive for drivers not to, well, poop on your porch, I guess. The immediate reaction from people on Twitter to the announcement was NOPE NOPE.

For the record, I think this is actually a pretty good idea and plenty of people will be excited about the convenience.

3. Oh yeah, and the camera for the Amazon Key? It can be hacked.

Cloud Cam is the monitor that allows you to watch your delivery take place, creating a sense of security that a delivery person isn't going to rob you. But researchers discovered that it could be disabled through Wi-Fi, meaning a delivery person could disable the camera, get inside, and ravage your toilet.

4. We discovered that Twitter has been guessing our gender and age all along.

@KateAllDay So this is bullshit. I guess if you don't pick a gender, Twitter picks one for you?

In May, Twitter decided to allow users to see some of the information it gathers about them for targeted advertising. People immediately noticed that "gender" was one of the items — but Twitter has never asked its users to fill that out. It's just been guessing. Many people noticed it was guessing quite well, but it's still awkward and potentially distressing for people who don't identify as the gender Twitter guessed for them.

5. People found Sean Spicer's Venmo account, because it turns out there's no such thing as a "private" Venmo account.

It's recently come to our attention that @seanspicer is on Venmo, and that he is being trolled

While you can make your transactions private, there's no way to make your actual profile — which typically uses your real name — unsearchable. That means there is nothing to stop someone from sending Sean Spicer thousands of dollars (unless they said it was for Cuban sandwiches, which would actually trigger Venmo's compliance team).

6. Someone found a spycam in their Airbnb, which, lol.

In "oh, that's a thing now" news, a colleague of mine thought it odd that there was a single "motion detector" in h… https://t.co/wisoPBFCmH

Airbnb told BuzzFeed News that this is "incredibly rare" and that it had permanently banned the host. It's not really an Airbnb user data problem, it's a "wow, people IRL are creeps" problem.

7. Google Maps for iPhone has been keeping a log of everywhere you go throughout the day on your "Timeline".

It's actually kind of cool to look through — it can tell you exactly where you went at exactly what times on any specific day. It also shows you which photos you took at the place you went to. Which is very cool! But...also...you know, FRIGHTENING.

You can totally turn this off in the Settings in the app.

8. Google Home Mini had a flaw that caused it to always listen to you.

Instead of only starting to listen and record when you say "Ok, Google", the Mini was actually recording all the time. The flaw was only in the Mini, and a software patch fixed it.

9. Uber had a massive customer data breach, and didn't tell anyone for a year.

Data from 57 million users was compromised back in 2016, but Uber didn't disclose it until November 2017. The hackers were paid a "bug bounty" of $100,000 by Uber. Bug bounties are common — a way of rewarding people who report software vulnerabilities. But this was unusually large, and it skirted Uber's legal obligation to inform its customers there was a hack.

Uber's new CEO, Dara Khosrowshahi, only just found out about the hack, which happened under disgraced former CEO Travis Kalanick, and called an investigation. The New York attorney general, Eric Schneiderman, is also investigating.

10. Imgur was hacked back in 2014 and only found out just now.

On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively in… https://t.co/sRnCe3VlPS

The hack exposed email addresses and passwords for 1.4 million users.

11. Apple asked us to teach our iPhone X's to recognize our face.

Welcome to the future, may I scan your face? Face ID launched for the iPhone X — you can unlock your phone just by looking at it. People might have had some qualms about it, but plenty went ahead and bought the phone and are happily using it. Apple says it's more secure than the finger Touch ID. And until true Face/Off technology is perfected we're ok. Oh wait...

12. Someone says they can hack the iPhone X's FaceID using a mask.

So we don't even need to wait for Face/Off surgery! A Vietnamese cybersecurity firm did a test using a silicon mask. While the mask worked successfully in a demo for reporters at Reuters, the researcher said he couldn't do it on a new blank phone, because it would take too long to set up. So take it with a tiny bit of skepticism.

13. And the facial recognition for the Samsung phone seems to be able to be tricked by a photo.

Samsung Galaxy Note 8 Facial Recognition Test:

How did no one see this coming?

14. Marketers on Facebook are using "psychographic" techniques to target ads.

Vice's Motherboard reports that based on just a few "likes," marketers can analyze your psychology, and serve you ads based on that. For example, they can tell if you're an introvert or extrovert, which can be used to more effectively get you to click on ads. Let's say a travel agency advertises packages to Las Vegas to extroverts, and secluded bed and breakfasts to introverts.

15. Cloudflare had a bug that leaked passwords from OkCupid, Yelp, Medium, Fitbit, and more.

Over 5.5 million sites use the security and web performance company Cloudflare, including some incredibly huge and popular sites like Yelp. A bug in HTTPS caused some data to be pushed to the wrong place — dating site messages and hotel bookings ended up on search results, or Fitbit info was pushed to a site in the Philippines. Basically: Change your password, everyone!

16. TV ads hijacked Google Home smart speakers to sell you burgers.

Burger King made a TV ad where a pitchman says "Ok, Google, what is the Whopper burger?" If you owned a Google Home smart speaker, your device would be prompted by the voice on TV to start reading the Wikipedia entry for the Whopper.

Pretty clever! The ad even went on to win a major advertising industry award. But it is a little scary that marketers can use your smart devices to deliver ads to you this way.

17. Netflix reminded everyone through this joke tweet that it has the ability to track user viewing habits at a highly granular level.

To the 53 people who've watched A Christmas Prince every day for the past 18 days: Who hurt you?

18. India finally made its fingerprint and retina scanning ID system mandatory for everyone.

Aadhaar is the identification system for India, similar to Social Security numbers, but with a biometric ID. It started as a voluntary system, but in early 2017 a new law made it essentially mandatory. BuzzFeed tech reporter Pranav Dixit explains:

"Last month, the government passed a finance bill making it mandatory for every Indian who files tax returns to input their Aadhaar number. Asked if the government was forcing citizens to get Aadhaar despite the Supreme Court mandate, finance minister Arun Jaitley replied simply, 'Yes, we are.'

In the future, Indians may be required to use Aadhaar to log on to public Wi-Fi hotspots, buy train tickets, access bank accounts, withdraw pension money, use matrimonial websites, and buy tickets for cricket matches — among other things.

Critics paint a grim picture of India with mandatory Aadhaar: an Orwellian state with every action of every citizen under constant scrutiny at all times.

19. Amazon in India wants to use that biometric ID to track packages.

BuzzFeed News obtained chats between customers in India and customer service agents from Amazon telling them that if they didn't upload their biometric ID, it might delay being able to track their packages. It's one thing to give the government your biometric ID; it's another to give it to Amazon.

20. So do Uber and Airbnb...

Airbnb is considering using Aadhaar for hosts, and Uber and Ola are thinking of using it to verify drivers.

21. US intelligence has been illegally overreaching by snooping into citizens' financial records.

Under law, banks have to report suspicious transactions over $10,000, and hand over lists of these transactions to a government agency every day. But FinCEN, the agency that has legal access to these lists of transactions, says another agency — the Treasury's intelligence department — has been accessing the information. Sources told BuzzFeed News that this is effectively a backdoor for the CIA and other intelligence agencies to snoop on Americans' finances.

22. Facebook wants you to send it your nudes so it can block other people from posting those nudes as revenge porn.

As part of a revenge-porn prevention measure Facebook piloted in Australia, you can upload your nudes through Messenger; then Facebook will digitally scan them using machine learning and block anyone else from uploading that exact same photo. Facebook says it's not storing the photos anywhere, only a digital "hash" of it (basically a 1s and 0s version). Buuuut...at least one employee has to see the photos and verify it's actually a nude and not, like, a photo of Trump.

23. Facebook has been using your phone's contacts to create a "shadow profile" with people who have you in their email or phones.

You know how the "People You May Know" section is eerily creepy? Like, it might find your old landlord, or a family friend you've never emailed or don't have mutual friends with? A Gizmodo investigation showed how Facebook creates a network of contacts far beyond what you'd expect when you allow them access to your contacts list on your phone. You might never realize how much Facebook knows about you from access to your contacts until that one moment a really uncanny person shows up in your suggested friends.

24. The Department of Homeland Security now has a rule saying it will look at immigrants' social media profiles.

Finally, my twitter voice has found its audience! Hello DHS, let me welcome you to your favorite new feed & tell yo… https://t.co/Q4JfQZnGPj

DHS published a rule affecting immigrants — including permanent residents and naturalized citizens — under which it will look at "social media handles, aliases, associated identifiable information, and search results" as part of someone's immigration file. The idea for this started under Obama after the San Bernardino shooting, in hopes that looking at social media could potentially stop violence or terrorist attacks. But advocates say this infringes on privacy and potentially free speech.

25. And ICE is asking tech companies like Microsoft to build tools to let them track visa holders' social media.

ProPublica reported that at a conference for government technology contractors like Microsoft, Deloitte, Accenture, and Motorola, a representative from Immigration and Customs Enforcement said in a presentation that they were looking for tools that could monitor immigrants' social media and monitor for potential threats.

26. Google introduced Clips, a camera that is ALWAYS ON and automatically takes photos.

The camera is always on and can sense using AI when it's time to take a great pic — like when you're looking at it or subjects are in view. It's apparently great for kids and pets, who are hard to get to sit still when you pull out a camera. All the pics are stored on the machine locally. But still...

27. Amazon introduced Show, which makes video call "drop ins" to other people with a Show.

Here's how BuzzFeed's Mat Honan describes how it works:

"Let’s say my father has activated Drop In for me on his Echo Show. All I have to do is say, 'Alexa, drop in on Dad.' It then turns on the microphone and camera on my father’s device and starts broadcasting that to me. For the several seconds of the call, my father’s video screen would appear fogged over. But then there he’ll be. And to be clear: This happens even if he doesn’t answer. Unless he declines the call, audibly or by tapping on the screen, it goes through. It just starts. Hello, you look nice today."

Creepy!

28. Turns out Android phones were tracking your location, even if you had location services turned off.

To send push alerts and messages, Android had been collecting cell tower info on phones that had location services turned off. That's enough to let someone know roughly where you are — what city, for example. After Google was contacted by Quartz about this, it said it would stop doing it.

29. Hinge created a matchmaking app, and it means that anyone can download it and see which of their Facebook friends are using Hinge.

The idea is to helpfully suggest matches for your friends looking for love. But what it can do is allow someone who isn't on regular Hinge to be able to view all of their Facebook friends who are on the dating app.

While it's always been possible to accidentally find someone you know on a dating app, this is an instant way to find out which of your acquaintances is single and dating. It could embarrass someone who doesn't want coworkers or family to know they're dating, or even out someone interested in same-sex dating.

30. Australia will add driver's license photos to a national facial recognition system to find people on security cameras.

Driver's license photos will be pooled across states and territories to make one big database of photos that will be scanned with facial recognition software. It will be used by law enforcement for cases of identity theft, and to prevent people from getting two licenses.

Prime Minister Malcolm Turnbull said the government could also use it to identify people on CCTV footage. G'day, surveillance state!

31. E-commerce app Wish makes your wish lists public.

Wish is the No. 1 advertiser on Facebook, and is valued at $8.5 billion. And yet for some reason it gives all shoppers public "profiles" and doesn't have an option to make their wishlists or saved items lists private. So think twice before adding some of their very weird sex toys to your wish lists.

32. Twitter admitted it accidentally posted your city location if you were uploading a GIF.

To be fair, this only occurred for a week, and it fixed it. But a good reminder that a random software bug could cost you some privacy.

33. Mattel announced plans to make a smart speaker for babies (but then canceled it).

After consumers and lawmakers expressed concern about how the device will record children and how it will protect and store the information, Mattel decided it didn't "fully align with Mattel's new technology strategy." The Aristotle was supposed to be a smart baby monitor that would play soothing music if an infant was crying, and for toddlers it would read stories or teach manners.

34. Roomba is planning on selling maps of your home.

The smart vacuum has been collecting data about your home and now connects to Alexa. Roomba sees selling this data as a new business model where it can connect your data (if you opt in) to Apple, Google, or Amazon.

35. And this.

Ok, just kidding. It's a fake camera, it doesn't really record or send it to elves.

BUT. It's one more tiny step in indoctrinating children into feeling comfortable with constantly being watched by an omniscient authoritarian power (Santa). Is it just a cute holiday toy, or is it another example of the chipping away of our expectation of privacy? Answer me that, Santa!

Katie Notopoulos is a senior editor for BuzzFeed News and is based in New York. Notopoulos writes about tech and internet culture and is cohost of the Internet Explorer podcast.

Contact Katie Notopoulos at katie@buzzfeed.com.
