Date: 2020-08-21

But Premom’s app for Android was also collecting a broad swath of data about its users and sharing it without their permission with three Chinese companies focused on advertising, according to research the International Digital Accountability Council provided to The Washington Post.

IDAC, a nonprofit that monitors and works with apps and developers to protect consumer privacy, sent letters on Aug. 6 to the Federal Trade Commission and the attorney general of Illinois, where Premom is headquartered, alleging the data-sharing was deceptive and potentially ran afoul of federal and state law.

While many apps use third parties to collect analytics or target ads, IDAC researchers say Premom users had no way of opting out of this tracking by both the app and the third parties that received their data, which IDAC contends was a violation of Google’s rules.

“There’s pretty extensive and sensitive data collection going on here with respect to a large number of users who don’t have any reason to know about this data collection,” said Quentin Palfrey, president of IDAC, which launched in April after incubating for more than a year with the Future of Privacy Forum.

“It’s particularly concerning when we see this behavior with respect to an app that’s targeted at women trying to become pregnant,” Palfrey said, though there’s no evidence the app is transmitting health data to third parties. Premom has the ability to track users’ location, log which other apps they have installed, and collect unique identifiers from people’s devices that could allow other companies to trace their activity across other websites, the researchers found.

When The Post reached out to Premom for a response to the researchers’ findings, the company said it would stop sharing data with Jiguang, one of the Chinese companies researchers flagged. Premom, in its Aug. 6 reply, said it was “in the process of removing” Jiguang. The app was updated one day later, according to the Google Play Store. Premom then confirmed that the third-party company’s access was revoked, a statement supported by IDAC researchers who said they no longer saw evidence of transmissions from the app to the company.

Premom “prioritizes the safety of its users’ data above all, and is constantly evaluating its policies, procedures, and use of third-party tools to ensure the application is compliant with global data privacy laws,” its legal counsel and spokesperson Desiree Moore said in an email. “Premom is also committed to limiting its use of any analytical or other tools provided by third parties that do not comport with Premom’s internal privacy standards and practices, and as information evolves.”

IDAC researchers also provided The Post with what they said were transmissions showing Premom was sharing similar data with two other Chinese companies, Umeng and UMSNS.

Premom said it “does not currently use” either company and did not reply to requests for comment on researchers’ data showing the sharing took place until June 19, in a previous version of the app.

Researchers say potentially tens of thousands of users who have yet to update the app could still be sharing data without their knowledge.

Google temporarily removed Premom from its Play Store on Aug. 6, after an inquiry from The Post. The app was back online the next day. Google spokesman Scott Westover said the app violated its policies but declined to elaborate on how or whether any changes were made to allow the app to go back up. Premom said the removal was not related to the allegations made by IDAC.

Premom isn’t the first fertility-related app to draw scrutiny from privacy experts.

An analysis by Consumer Reports earlier this year found that five top pregnancy apps shared app data with advertisers. Privacy experts have also raised concerns about Ovia, a pregnancy-tracking app that shares users’ data with their employers and insurers.

In this case, IDAC researchers also expressed concerns that Jiguang masked the data it sent back to its servers through a layer of custom encryption not common in most apps. This makes it difficult for researchers to track. TikTok used a similar obfuscation technique up until November, according to a recent report from the Wall Street Journal.

“The techniques are the ones you see with malware,” Serge Egelman, research director of the Usable Security & Privacy Group at the International Computer Science Institute at the University of California at Berkeley, said of Jiguang’s data collection. Egelman is also chief technology officer at App Census, which partnered with IDAC on the study, though he was not personally involved.

“The data that we collect is strictly limited to what we need to provide the service and functionality as requested by developers,” a representative for Jiguang said in a statement. “Such data collection is 100% in compliance with Chinese laws and regulations and also in compliance with Apple App store and Google Play store data collection rules and regulations. The data we capture is 100% transparent to developers through our developer service agreement.”

Premom’s privacy policy does mention sharing some data with AppsFlyer and Google Analytics, which may send that data to partners such as Pinterest, Facebook and Google. But IDAC researchers say that by explicitly calling the information they share “nonidentifiable,” the company is misleading users about how the kind of data they’re giving away can be used to track them across the Web and build valuable profiles to target them with ads.

“We believe there are material differences between what Premom states in its privacy policies and what our technical tests reveal,” IDAC said in its letters.

The keys

Democrats painted President Trump as an opponent of safe and secure elections on their final convention night.

Democratic presidential nominee Joe Biden described Trump as unwilling to confront Russia about interfering in the 2016 election, offering bounties on U.S. troops in Afghanistan and other offenses.

“Under President Biden, America will not turn a blind eye to Russian bounties on the heads of American soldiers. Nor will I put up with foreign interference in our most sacred democratic exercise: voting,” he said.

Other speakers pilloried the president for his attacks on mail voting and for Postal Service changes they said were aimed at making mail voting tougher. Postmaster General Louis DeJoy, a Trump megadonor, has paused many of those changes, but many Democrats fear the damage from cutbacks to service and removed sorting machines and collection boxes has already been done.

“Trump has admitted he’s trying to sabotage the Post Office to undermine voting by mail and we’re not going to let him do it,” California Secretary of State Alex Padilla (D) said, referring to an especially candid interview the president gave earlier this month, in which the president directly linked his unwillingness to boost Postal Service funding to Democrats' mail voting aims.

Along with Michigan Secretary of State Jocelyn Benson (D), Padilla urged voters to research their voting options, make plans and request and return ballots early if they vote by mail.

“We’re seeing our current president sabotage our right to vote, sabotaging democracy by trying to undo the Postal System,” a Democratic voter said during a video montage.

Trump has attacked mail voting for months despite having voted that way himself twice this year in Florida. Host Julia Louis-Dreyfus joked that she planned to follow Trump’s example and cast her ballot by mail.

Trump, meanwhile, continued his attacks on mail voting throughout the day.

In a Fox News interview, he repeated several incorrect claims about mail voting including that Arizona will not require signatures on mail ballots – it will – and that Democratic officials will send ballots only to Democratic households.

A Trump-aligned group is publishing baseless Facebook ads discouraging mail voting — and using LeBron James.

A page associated with the website called Protect My Vote has purchased more than 150 ads reaching thousands of voters with baseless warnings that mail balloting will result in “lost votes and lost rights,” Isaac Stanley-Becker reports.

Some of the ads featured an image of basketball star LeBron James that falsely suggested he condemned voting by mail. An adviser to James, Adam Mendelsohn, called the ads “reprehensible” and said that lawyers were reviewing the ads.

“Protect My Vote” has been boosted by FreedomWorks, a prominent conservative advocacy group that supports Trump. Peter Vicenza, communications director for FreedomWorks, said a “partner group” was responsible for setting up the website and placing the ads, though he declined to provide details about the group.

Facebook is looking into the ads, spokesperson Devon Kearns said.

The ads are renewing Democratic concerns that Facebook isn’t doing enough to keep election misinformation off its platform. The company recently rolled out a Voting Information Center to inform users about mail and in-person voting options, but critics say that’s not enough.

“It’s great to have a portal through which voters can obtain accurate voting information, but it doesn’t do much when what Facebook users are consulting and being shown on the platform is false information from other sources,” said Cindy Otis, vice president of analysis for the Alethea Group, an organization combating disinformation.

Uber's former security chief is facing criminal charges for paying hackers to cover up a 2016 data breach.

That hack gave criminals access to email addresses and phone numbers of 57 million drivers and passengers. Chief Security Officer Joe Sullivan violated the law when he didn't disclose the attack to Federal Trade Commission officials who were investigating an earlier Uber breach, prosecutors allege. Instead, Uber paid $100,000 to the hackers and asked them to sign a non-disclosure agreement.

These appear to be the first criminal charges against an executive as a result of a security incident, Kate Conger at the New York Times reports.

Sullivan could face up to eight years in prison for one count of obstructing justice and one count of concealing a felony.

Sullivan disputed that the company intentionally misled consumers. He also said he acted with the approval of Uber's legal team, a representative told the Times. Sullivan is now chief information security officer at the Internet security company Cloudflare.

Uber is cooperating with the investigation, said Matt Kallman, an Uber spokesman.

Government scan

Another top Department of Homeland Security cybersecurity official stepped down.

Brian Harrell, a senior official in charge of physical infrastructure protection at the Cybersecurity and Infrastructure Security Agency, resigned on Thursday, CyberScoop reported. He will take up a new position in the private sector.

Harrell's is the latest in a string of high-profile departures in government cybersecurity. Federal Chief Information Security Officer Grant Schneider announced he is leaving the administration at the end of this month.

Securing the ballot

Cuba, Saudi Arabia and North Korea also want to influence U.S. elections, a top Trump counterintelligence official says.

That's in addition to well-known election security threats the United States faces from Russia, China and Iran, William Evanina, director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence, said Wednesday, CyberScoop reports.

Daybook

The Senate Committee on Homeland Security and Governmental Affairs will hold a hearing examining the finances and operations of the United States Postal Service during covid-19 and the upcoming elections on Friday at 9 a.m.

The House Committee on Oversight and Reform will hold a hearing on "Protecting the Timely Delivery of Mail, Medicine, and Mail-in Ballots" Monday at 10 a.m.

The Republican National Convention will take place Monday through Thursday.
