The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Planned Parenthood patient information isn't always private online

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Good morning and welcome to The Cybersecurity 202! We don't have a newsletter tomorrow, so we'll see you Tuesday. Have a good July Fourth weekend! 

Below: The TSA is updating its cybersecurity rules for pipelines, and researchers link a $100 million cryptocurrency heist to North Korea. But first: 

Planned Parenthood’s online tracking raises privacy concerns

Women seeking an abortion may have a new kind of worry if they visit Planned Parenthood’s website to find out about clinics close to them.

The organization’s online scheduling tool gives it the ability to share patients’ location — and, sometimes, the type of abortion they selected — with major tech companies, my colleague Tatum Hunter reports.

That could raise privacy concerns as about 20 states ban or prepare to ban abortion in the wake of the Supreme Court ruling overturning Roe v. Wade

To be fair, the state bans passed so far would allow abortion providers — not patients themselves — to be prosecuted. And this is notable, too: third-party tracking is ubiquitous online, and many organizations including nonprofits like Planned Parenthood have long collected such data, according to the Markup

Yet in this new era of state abortion bans, it’s fair to imagine that law enforcement agencies could turn to digital data to gather evidence of crimes. Some experts fear what major technology companies would do if they get subpoenas from state authorities for data. Tech companies still haven’t said what they’ll do in such a situation and employees are getting frustrated, my colleagues report.

‘Necessary’ marketing

The Planned Parenthood scheduler can share information with Google, Facebook, TikTok and tracking tool Hotjar, according to an investigation by Lockdown Privacy, which makes an app that blocks online tracking.

Most concerning: When a user selects a type of abortion and books an appointment, that data — along with information about the clinic, their IP address and behavior on the site — is shared with Google. Users’ IP addresses and data about their behavior on the site is shared with Facebook and TikTok, Lockdown said.

“This was absolutely shocking,” Lockdown founder Johnny Lin said. “We’ve analyzed and reviewed the tracking behaviors of hundreds of apps and websites, and it’s rare to see this degree of carelessness with sensitive health data.”

Planned Parenthood uses trackers for marketing, spokeswoman Lauren Kokum said. She didn’t respond when asked if Planned Parenthood plans to remove the trackers given new state abortion bans, or why the trackers are even running on the scheduling page.

  • “Marketing is a necessary part of Planned Parenthood’s work to reach people who are seeking sexual and reproductive health care, education, and information,” she said.

Facebook, for its part, said that advertisers shouldn’t transfer sensitive data through its site. 

  • “Advertisers should not send sensitive information about people through our business tools,” said Andy Stone, a spokesman for Facebook parent Meta. “Doing so is against our policies and we educate advertisers on properly setting up business tools to prevent this from occurring. When businesses do this, our filtering mechanism is designed to prevent potentially sensitive data it detects from entering our ads system. Based on our review, that happened here.”

Organizations using Google’s analytics software can delete data any time, and the newest version of its tool automatically discards IP addresses, Google Analytics Director Russell Ketchum said.

Planned Parenthood should know better, said Electronic Frontier Foundation senior staff technologist Cooper Quintin

  • “It’s really irresponsible of Planned Parenthood to be creating more data about the visitors to the website and more trails of evidence about the people that are seeking their services,” he said. “Planned Parenthood needs to — right now, right this second — minimize the amount of data that they are sharing with any outside party and minimize the amount of data that they are keeping.”
Surveillance dragnet?

In the run-up to the Supreme Court’s overturning of Roe, scrutiny turned to other firms that had data on abortion clinic visitors. 

For just $160, journalists from Motherboard last month purchased a week’s worth of data from firm SafeGraph about visitors to hundreds of Planned Parenthood locations. SafeGraph chief executive Auren Hoffman later wrote in a blog post that the firm would stop offering the data, and that it didn’t have “any indication that this data has ever been used for bad purposes.”

In the wake of Motherboard’s report on SafeGraph, Democratic senators told Federal Trade Commission Chairwoman Lina Khan that “additional measures need to be taken to protect personal data and ensure the privacy of women as they make decisions that should be between them and their doctors,” they said.

Lawmakers have also turned their attention to online privacy in the post-Roe world. They have introduced legislation to restrict the data that period-tracking apps can collect and disclose, my colleague Cristiano Lima reported.

The Roe ruling also comes as lawmakers work to reach a deal on privacy legislation. But key Democrats say the bill doesn’t sufficiently protect abortion-related data, Cristiano reported this week.

The keys

Canadian police admit to using spyware

The Royal Canadian Mounted Police (RCMP) say it has used the technology in 10 investigations from 2018 to 2020, Politico’s Maura Forrest reports. It’s the first time the police agency has publicly admitted to using spyware, which it says it uses only in its most serious investigations.

The RCMP tied its use of spyware to wiretaps that it said have decreased in effectiveness. “In less than a generation, a high number of Canadians migrated their daily communications from a small number of large telecommunication service providers, all of which provided limited and centrally controlled services to customers, to countless organizations in Canada and elsewhere that provide a myriad of digital services to customers,” it wrote. “That decentralization, combined with the widespread use of end-to-end encrypted voice and text-based messaging services, make it exponentially more difficult for the RCMP to conduct court-authorized electronic surveillance.” 

End-to-end encryption ensures that only the sender and recipient of a message can read its contents. Canadian police have long said that encryption has stymied their investigations. Law enforcement agencies around the world, including the FBI, share those concerns, but privacy experts say that end-to-end encryption is necessary to maintain online privacy.

The TSA is loosening its cybersecurity rules for pipelines

The Transportation Security Administration’s new requirements extend the amount of time pipeline companies have to report hacks from 12 to 24 hours, the Wall Street Journal’s David Uberti reports. It also plans to revise a second set of guidelines for pipeline security. Some experts last year called the second directive overly prescriptive.

The TSA plans to release an update to that second set of rules by July 26. It’s expected to focus less on particular security measures, Uberti reports. The Post obtained and published a copy of that directive last year. 

The pipeline rules came in the wake of a ransomware hack of Colonial Pipeline that led the company to shut down its systems for nearly a week. That breach revealed the TSA's light touch of pipeline cybersecurity oversight, my colleagues reported.

The goal of the update is to move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology,” a TSA spokesperson told the Wall Street Journal. “TSA is consulting with industry stakeholders and federal partners while modifying this security directive.”

Industry appears to be open to the update. “We’re encouraged by the changes they’ve made,” Suzanne Lemieux, the director of operations security and emergency response policy at the American Petroleum Institute, told Uberti. “There were a lot of things that weren’t well thought out in the urgency of getting this out [last year].”

Researchers find ‘strong indications’ that North Korean hackers were responsible for $100 million cryptocurrency hack

Cryptocurrency analytics firm Elliptic cited similarities in the way the hack on Harmony’s Horizon blockchain bridge was committed — such as the “nature of the hack and the subsequent laundering of the stolen funds” — and previous North Korean cryptocurrency heists as reasons for its assessment. 

North Korea’s Lazarus Group has been behind a string of cryptocurrency thefts, according to the U.S. government and U.N. investigators. In April, the U.S. government linked the Lazarus Group to a cryptocurrency address used to steal more than $600 million from a video game.

On Monday, hackers began transferring the stolen Harmony cryptocurrency into a service that lets users pool their digital assets to hide their owners’ identities. At least 39 percent of the stolen funds have been transferred, Elliptic said. Harmony is working with the FBI “as part of an investigation” into the hack, Harmony said.

Here's more from cryptocurrency analysis firm Chainalysis, which is working on the Harmony investigation:

Global cyberspace

NATO establishes program to coordinate rapid response to cyberattacks (Politico)

Norway blames "pro-Russian group" for cyber attack (Reuters)

Encryption wars

Cops investigating ‘WhatsApp for gangsters’ arrest key suspect in Caribbean (Motherboard)

Cyber insecurity

Security experts brace for possible Russian cyberattacks (Protocol)

Daybook

  • CISA Director Jen Easterly speaks at the opening of the U.S. Cyber Open today.
  • The United Nations Institute for Disarmament Research holds a conference on cyber stability and protecting critical infrastructure on July 5.

Secure log off

Thanks for reading. See you next week.

Loading...