Twitter has advised all users to change their passwords after a bug caused the passwords to be stored in easily readable, plain text on an internal computer log.

The Bug – Passwords Visible Before ‘Hashing’

Twitter reported on their own blog that the bug that stored passwords had been ‘unmasked’ in an internal log. The bug is reported to have written the passwords into that internal log before Twitter’s hashing process had been completed.

The hashing process disguises Twitter passwords, making them very difficult to read. Hashing uses the ‘bcrypt’ function which replaces actual passwords with a random set of numbers and letters. It is this set of replaced characters that should be stored in Twitter’s system, as these allow the systems to validate account credentials without revealing customer password.

Millions Affected?

The fact that the passwords were revealed on an internal server, albeit for what is estimated to be for several months, and that there appears to be no evidence of anyone outside the company seeing the passwords, and no evidence of a theft or passwords turning up for sale on hacker site, indicates that it is unlikely that many of the 330 million Twitter users have anything real to fear from the breach.

Big Breaches

In this case, Twitter appears to have behaved responsibly and acted quickly by reporting the bug to regulators, fixing the bug, and quickly and publicly advising all customers to change their passwords.

Twitter’s behaviour appears to be in stark contrast to the way other companies have handled big breaches. For example, back in November 2017 Uber was reported to have concealed a massive data breach from a hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.

Breaches can happen for all kinds of reasons, and while Twitter’s breach was very much caused and fixed by Twitter internally, others have been less lucky. For example, an outsourcing provider of the Red Cross Blood Service in Australia accidentally published the Service’s entire database to a public web server, thereby resulting in Australia’s largest ever data breach.

What Does This Mean For Your Business?

If you have a Twitter account, personal or business, the advice from Twitter is quite simply to change your password, and change it on any other service where you may have used the same password. Twitter is also advising customers to make the new password a strong one that isn’t reused on other websites, and to enable two-factor authentication. You may also want to use a password manager to make sure you’re using strong, unique passwords everywhere.

In this case, Twitter has acted quickly, appropriately and transparently, thereby minimising risks to customers and risks to its own brand reputation. Twitter will want this message of responsibility to be received loud and clear, particularly at a time where GDPR (and its hefty fines) is just around the corner, and a time when other competing social networks i.e. Facebook have damaged customer trust by acting less responsibly with their data through the Cambridge Analytica scandal.

Facebook’s WhatsApp messaging service is raising its minimum age in Europe to 16 to comply with GDPR which comes into force on May 25th.

Was 13

Up until now, the minimum age has been 13, and that minimum age will remain for the rest of the world, in line with its Facebook parent company. WhatsApp, founded in 2009, has an estimated 1.5 billion users.

Just Asking

Users will be asked to confirm their minimum age by the new WhatsApp Ireland Ltd in the next few weeks, when they will be prompted to agree to new terms of service and a privacy policy. Some critics have pointed out that even though users will be asked if they are 16 or over, it is unclear from the information that the service holds about users how their age can be accurately checked and verified and, therefore, how the new rule can be enforced.

Based on US Law Until Now

The age 13 limit up until now has been based upon the US law “Children’s Online Privacy Protection Rule” (Coppa), which bans online services from collecting personal information about younger children. This is why the usage of many other popular social media apps e.g. Snapchat, YouTube, Instagram, Pinterest, Twitter, Musical.ly and Reddit are restricted to persons aged 13 and over.

WhatsApp’s parent company Facebook faced criticism after announcing last December that it would be targeting younger children with its ‘Messenger Kids’ service. At the time, Facebook’s primary (stated) motive for the new junior version of its platform was to provide a safer, more age-appropriate version, but some tech and business commentators suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.

Collecting and Sharing Information

The recent Facebook and Cambridge Analytica scandal has brought the matter of collecting and sharing of our personal data into sharp focus. WhatsApp, however, has said that the new changes do not mean that it will be asking for any new rights to collect personal information in the agreement it has created for the European Union. WhatsApp says that the goal of the change is simply to explain how they use and protect the limited information they have about users.

As well as the age restriction change, WhatsApp is also, therefore, rolling out a feature with the latest version of the app that allows users to download a report detailing the data that WhatsApp holds on them e.g. the make and model of the device they used, their contacts, their groups and any blocked numbers.

Facebook Nominate

Facebook is also updating its data policy to comely with GDPR which involves asking 13 and 15-year-old users to nominate a parent or guardian to give permission for them to share information on the platform. If they won’t / cannot do so, the young users will not be able to see a fully personalized version of the social media platform.

Also, Facebook’s Instagram is launching a data download tool to provide users with a file containing the photos, comments, archived stories, contacts and any other personal data that they’ve posted to the service in the past.

Twitter Too

Twitter Inc is also changing its privacy policy so that users can view information they share with the micro-blogging service and show how it’s being used, ahead of the introduction of GDPR. Twitter has said that the changes are to make the privacy policy visually clear and easy to use, and to clarify legalistic or technical language.

What Does This Mean For Your Business?

This story is another clear reminder that the introduction of GDPR is just around the corner as the tech giants, who have more to lose in fines, potential lost customer numbers, and serious reputational damage, make the necessary legal moves to ensure compliance. For Facebook especially, they have faced some very high profile bad publicity this year over their handling and sharing of personal data, so getting their GDPR compliance house in order may be a way to help avoid any further problems.

There is also a very serious ethical element to this story. It is estimated that Facebook has 20 million under-13-year-olds currently using the network, and there may also be a very large number of children using WhatsApp. Parents may understandably have serious concerns about what content children can have access to and, equally importantly, who can have access to children via social networks. Unsuitable material, commercialisation, bullying (or predatory behaviour by some adults) are just some of the issues to consider.

As well as these concerns, governments (such as the UK) are looking to stop end-to-end encryption in WhatsApp, GDPR is just around the corner, Facebook is now facing more tough questions about its Cambridge Analytica links, Martin Lewis (OBE) is taking Facebook to court for defamation and calling for Facebook to take responsibility for its actions … the pressure is now seriously on big social media platforms to make some changes, particularly where EU users are concerned.

MoviePass CEO, Mitch Lowe, has caused controversy by telling the Hollywood audience at the Entertainment Finance Forum that his MoviePass app can track and gather information about users before and after their trip to the movies.

What Is MoviePass?

MoviePass, based in New York, offers a service whereby, for a flat monthly fee ($9.95 per month), users can go and watch unlimited number of movies in cinemas, with some restrictions. It could be described as a kind of Netflix for moviegoers.

Location Tracking

According to the MoviePass CEO, the company’s app has location-tracking built-in. What some commentators have described as ‘creepy’ though is that the app can track your movements long before and after you’ve been to watch a movie.

Why?

What MoviePass prefers to call ‘location-based marketing’ is reportedly being used to improve the customer’s experience of the service and create more opportunities for subscribers to enjoy all the various elements of what the company thinks make up a good movie night. The company says that by tracking customers and gathering data along the way, it can “create a full-featured movie-going experience”.

How?

The big idea is that subscribers may want refreshments before or after the movie, and may have to travel some distance to the cinema. By knowing a subscriber’s location and route, MoviePass can then, via the phone app, give the subscriber details like discounts on transportation, finding places to park nearby, coupons for nearby restaurants, and other similar opportunities.

What Kind Of Data Is Gathered?

According to online reporting of CEO Lowe’s speech, as well as your location, the MoviePass app is also capable of gathering “an enormous amount of information,” which includes your address, which Mr. Lowe says can be used for demographic information.

Criticism

What MoviePass may see as a kind of personalised, helpful marketing idea, critics appear to see as a potentially dangerous invasion of privacy that could have security consequences for MoviePass subscribers.

What Does This Mean For Your Business?

Using new technology to improve marketing and customer experiences is all very well, but the point here is that customers need to be informed exactly what happens to their data, what is collected by the app, how it’s stored and for how long. This will enable them to make an informed choice, give consent, or decline. In a time when cyber-crime and data mismanagement and theft appear to be rife, customers value their privacy and data security more than ever. Companies need to be transparent about their intentions and methods, and need to be able to show customers that they can be trusted with their valuable personal data.

Also, in this case, it appeared to come as a shock about the capabilities of the app, and to some commentators, it may have appeared to be an inappropriate way and style to reveal what the app is capable of. This is likely to prompt complaints from some customers, and could harm the reputation of MoviePass.

If you are worried about the security implications of apps of this kind, for example, you could try to limit location data collection by going into your phone’s app settings. One other, obvious way to avoid any problems with the app would be to avoid MoviePass for now.

The introduction of GDPR in May this year is also likely to have implications for how MoviePass deals with the data of any EU citizen subscribers, as the company will need to comply with the new Regulation.

Amazon has paid $1 billion for ‘Ring’, a smart doorbell company, so that it can improve how it delivers parcels, and compete with Google and Apple in expanding the opportunities for their digital assistants and app ecosystems.

What Is Ring?

Ring, run by CEO Jamie Siminoff, is a US company that primarily manufactures ‘smart doorbells’. These doorbells work by recording live videos of customers’ doorsteps, then sending the videos to their smartphones.

Filming Couriers

There are obvious security benefits for customers from an innovative IoT product of this kind. In this case however, there is also a big benefit for Amazon in helping its customers trust its new service which allows couriers open people’s front doors and put deliveries inside. The new service, which was first announced in October last year, requires a leap of faith from customers, as they have to trust couriers to enter their premises unaccompanied to deliver parcels (while being filmed).

In the original plans for the service, smart locks and Cloud Cam cameras were to be used to monitor couriers who would scan a package barcode outside the door, and once the delivery has been verified online, the camera would record the delivery person unlock the door (using an app) and making the delivery. The purchase of ‘Ring’ enables Amazon to acquire the system to operate this service effectively in the marketplace very soon.

Part Of A Bigger Battle

The purchase of Ring for $1 billion is further serious evidence of Amazon competing with multiple rivals for all aspects of our homes, and invariably, our business premises.

For example, back in September 2017, Nest (owned by Alphabet / Google) released an internet-connected intruder alarm, a video-streaming doorbell, and a door lock system that was developed in collaboration with Yale. Nest has also just announced that it will be incorporating Google Assistant into its products so that they will work with Google Home.

It is, therefore, not just the lure of the lucrative and growing smart home security market that Amazon has been interested in, but also the competition among the big players – Google, Apple and Amazon – to link up their digital assistants with many different smart home devices e.g. to control the lighting, heating, and now the security.

What Does This Mean For Your Business?

Many businesses receive frequent parcel deliveries during the day, and this type of service may, therefore, be a useful one (particularly for smaller businesses), and could minimise disruption and help efficiency. Amazon has the parcel delivery network, the services e.g. Amazon Business (its online trade counter), and now its point of delivery security system.

This product is an example of how multiple technologies have linked together to provide another new business opportunity in a new and growing market. Some critics have, however, pointed out that this service requires some serious faith and trust from customers, and that it would only take a few incidents to kill that trust and to force the expensive idea onto the back burner. There is still, of course, the broader, general problem of IoT security, which has not been fully addressed in many other products, and could still prove to be the Achilles Heel in this one.

This story is also an example of how Amazon is expanding and diversifying into many different aspects of our home and business lives e.g. parcel delivery, groceries, and now smart security. The story is also an example of how the big home digital assistant manufacturers are now locked in competition to expand the number of products and services that link up to their devices e.g. Amazon Echo, and this market could provide many business opportunities for many other tech companies and manufacturers in the along the way.