Category Archives: Digital ID

Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs

Cryptocurrency ATM maker General Bytes suffered a security breach over the weekend in which the attackers stole $1.5M worth of cryptocurrency.

Cryptocurrency ATM manufacturer General Bytes suffered a security incident that resulted in the theft of $1.5M worth of cryptocurrency. General Bytes is the world’s largest Bitcoin, blockchain and cryptocurrency ATM manufacturer.

The company revealed that the threat actors exploited a zero-day vulnerability, tracked as BATM-4780, in the master service interface that Bitcoin ATMs use to upload videos to the server. After exploiting the flaw, the remote attackers uploaded their own application to the server and executed it with ‘batm’ user privileges.

“The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server.” reads the Security Incident notice published by the company.

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider). Using this security vulnerability, the attacker uploaded his own application directly to the application server used by the admin interface. The application server was by default configured to start applications in its deployment folder.”

Once the uploaded application was running, the attackers gained access to the database and were able to read and decrypt the API keys used to access funds in hot wallets and on exchanges.

The attackers were able to send funds from the hot wallets and to download user names and password hashes. They were also able to turn off two-factor authentication (2FA).

The threat actors also gained access to terminal event logs and scanned them for any instance in which a customer had scanned a private key at the ATM.

The company provided guidance on how to secure GB ATM servers (CAS) and recommends that all customers implement the measures.

“Please keep your CAS behind a firewall and VPN. Terminals should also connect to the CAS via VPN. With a VPN/firewall, attackers from the open internet cannot access your server and exploit it. If your server was breached, please reinstall the whole server, including the operating system.” continues the notice. “Additionally, consider all your users’ passwords and API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys & passwords. The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44.”

The notice provides a list of crypto addresses used in the attack along with three IP addresses used by attackers.

The analysis of the wallets included in the notice revealed that the attackers stole more than $1.5 million worth of Bitcoin (56 BTC) from roughly 15 operators. Attackers also stole funds in other cryptocurrencies.

In August, threat actors exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, General Bytes)

The European Commission has banned its staff from using TikTok over security concerns

The European Commission has banned its employees from using the Chinese social media app TikTok over security concerns.

The European Commission has banned the popular Chinese video-sharing app TikTok from the mobile devices of its employees over security concerns. The app, developed by the Chinese firm ByteDance, has over 1 billion active users worldwide and has come under close scrutiny in the US and other countries over its alleged links with the government in Beijing.

US authorities have already warned of alleged links between the company and the Chinese Communist Party, accusing TikTok of collecting user data and sharing it with Chinese intelligence.

A senior official told POLITICO that all staff were ordered on Thursday morning to remove the app from their official devices. Staff were also ordered to uninstall the app from their personal devices by March 15 if those devices are also used for work.

Alternatively, staff who want to keep using TikTok can delete work-related apps from their personal phones.

“To protect Commission’s data and increase its cybersecurity, the EC Corporate Management Board has decided to suspend the TikTok application on corporate devices and personal devices enrolled in the Commission mobile device service,” said the email sent to staff on Thursday morning.

“The reason why this decision has been taken is to … increase the commission’s cybersecurity,” commission spokesperson Sonya Gospodinova said at a press briefing in Brussels. “Also, the measure aims to protect the commission against cybersecurity threats and actions which may be exploited for cyberattacks against the corporate environment of the commission.”


A similar move was adopted by the US Government, which is banning TikTok on all federal government devices by the end of February 2023 due to national security concerns over TikTok’s ties to China.

TikTok has yet to comment on the decision.

In January 2020, the US Army banned the use of the popular TikTok app on mobile phones used by its personnel for security reasons.

In November, the short-form video-sharing service updated its privacy policy for European Economic Area (“EEA”), the UK, and Switzerland and confirmed that its users’ data can be accessed by its personnel, including Chinese employees.

European user data could be also accessed by TikTok staff in Brazil, Canada and Israel as well as the US and Singapore, where user data is currently stored.

In December, TikTok parent company ByteDance revealed that several employees accessed the TikTok data of two journalists to investigate leaks of company information to the media. 

According to an email from ByteDance’s general counsel Erich Andersen which was seen by the AFP news agency, the Chinese company was attempting to discover who shared company information with a Financial Times reporter and a former BuzzFeed journalist.

The company fired an undisclosed number of employees involved in the data access for violating its Code of Conduct, but it did not reveal their names.

To try to locate the employees suspected of leaking, ByteDance personnel analyzed the IP addresses in the journalists’ TikTok data, but this method was only approximate.

While Western governments are banning the app from government devices, the company announced that it plans to open two more European data centers to allay data privacy and security concerns.


Pierluigi Paganini

(SecurityAffairs – hacking, EU Commission)

Twitter restricted in Turkey after the earthquake amid disinformation fear

Global internet monitor NetBlocks reported that Twitter has been restricted in Turkey in the aftermath of the earthquake.

Global internet monitor NetBlocks reported that network data confirm that Twitter has been restricted in Turkey in the aftermath of the earthquake.

The data show that multiple internet providers in Turkey blocked the platform as of Wednesday 8 February 2023. TurkTelekom and Turkcell completely blocked access to Twitter, while Vodafone still allowed slower access, the Balkan Insight website reported. NetBlocks metrics confirm that Twitter was restricted by “means of SNI filtering on major internet providers.”

The government’s decision to block Twitter followed growing public anger over its response to the devastating earthquakes.

Turkish authorities raised concerns over online disinformation that could destabilize the political situation in the country while it responds to the emergency.

“Network data confirm the restriction of Twitter on multiple internet providers in Turkey as of Wednesday 8 February 2023.” reported Netblocks. “Service was restored the next morning after state media reported that Turkish authorities had held a meeting with Twitter’s head of policy on disinformation and the need for content takedowns.”

However, people in the country can use VPN services to circumvent the censorship measures. Twitter remains a crucial source of information for relatives of victims, survivors and rescuers.

Natural disasters usually have a significant impact on internet connectivity, and NetBlocks also reported connectivity disruptions in Turkey after the earthquake in a tweet from the organization.

The use of internet filtering in the aftermath of an earthquake is absurd, given its impact on a population facing a tragic situation.

This isn’t the first time that the government restricted access to social media following events like terror attacks and protests.


Pierluigi Paganini

(SecurityAffairs – hacking, Turkey)

FBI confirms that North Korea-linked Lazarus APT is behind Harmony Horizon Bridge $100 million cyber heist

The U.S. FBI attributes the $100 million cyber heist against Harmony Horizon Bridge to North Korea-linked Lazarus APT.

The U.S. Federal Bureau of Investigation (FBI) this week confirmed that in June 2022 the North Korea-linked Lazarus Group and APT38 stole $100 million worth of cryptocurrency from Harmony’s Horizon Bridge.

“The FBI continues to combat malicious cyber activity, including the threat posed by the Democratic People’s Republic of Korea (DPRK) to the U.S. and our private sector partners. Through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge reported on June 24, 2022.” reads the report published by the FBI.

Harmony reported the incident to the authorities, and the FBI investigated the heist with the help of several cybersecurity firms.

Harmony’s Horizon Bridge allows users to transfer crypto assets from one blockchain to another. The company immediately halted the bridge to prevent further transactions and notified other exchanges.

The blockchain security firm CertiK published a detailed analysis of the incident, confirming that the threat actors gained control of the owner accounts of Horizon’s MultiSigWallet and then drained the funds from Harmony.

“On June 23, 2022 at 11:06:46 AM +UTC, the bridge between Harmony chain and Ethereum experienced multiple exploits. Our expert analysis has identified twelve attack transactions and three attack addresses.” reads the analysis published by CertiK. “Across these transactions the attacker netted various tokens on the bridge including ETH, USDC, WBTC, USDT, DAI, BUSD, AAG, FXS, SUSHI, AAVE, WETH, and FRAX. The transactions vary in value but range from $49,178 to upwards of $41,200,000. The attacker accomplished this by somehow controlling the owner of the MultiSigWallet to call the confirmTransaction() directly to transfer large amounts of tokens from the bridge on Harmony, which led to a total loss around $97M worth of asset on the Harmony chain which the attacker has consolidated into one main address.”

On June 27, the threat actors began moving the stolen funds (roughly $39 million) through the Tornado Cash mixer to launder them.

The blockchain security firm Elliptic was able to trace the transactions even after they passed through the mixer, and it was the first to report that the North Korea-linked Lazarus Group was behind the attack.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds. Lazarus is believed to have stolen over $2 billion in cryptoassets from exchanges and DeFi services.” reads the report published by Elliptic. “The theft was perpetrated by compromising the cryptographic keys of a multi-signature wallet – likely through a social engineering attack on Harmony team members. Such techniques have frequently been used by the Lazarus Group.”

According to the firm, the threat actors compromised the cryptographic keys of a multi-signature wallet, likely through a social engineering attack aimed at Harmony team members.
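To make concrete how “controlling the owner of the MultiSigWallet to call confirmTransaction()” turns key compromise into a drained bridge, here is an added Python model (not Harmony’s contract and not CertiK’s or Elliptic’s code): an M-of-N wallet with the same shape as the common Solidity MultiSigWallet, where holding an owner’s key is modelled as being allowed to call as that owner. The owner names, thresholds and balances are illustrative assumptions, not Harmony’s actual configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Transaction:
    destination: str
    value: int
    executed: bool = False


class MultiSigWallet:
    """M-of-N multisig with the shape of the common Solidity MultiSigWallet:
    any owner may submit a transaction, and it executes as soon as `required`
    distinct owners have confirmed it.  There is no chain and no real signing;
    "sender" stands for whoever holds that owner's key (assumption for the model)."""

    def __init__(self, owners: List[str], required: int, balance: int) -> None:
        if not 0 < required <= len(owners):
            raise ValueError("required must be between 1 and the number of owners")
        self.owners: Set[str] = set(owners)
        self.required = required
        self.balance = balance
        self.transactions: List[Transaction] = []
        self.confirmations: Dict[int, Set[str]] = {}
        self.transfers: List[Tuple[str, int]] = []   # executed (destination, value) pairs

    def _only_owner(self, sender: str) -> None:
        """Equivalent of the onlyOwner modifier: non-owners are rejected outright."""
        if sender not in self.owners:
            raise PermissionError(f"{sender} is not an owner")

    def submit_transaction(self, sender: str, destination: str, value: int) -> int:
        self._only_owner(sender)
        self.transactions.append(Transaction(destination, value))
        tx_id = len(self.transactions) - 1
        self.confirmations[tx_id] = set()
        self.confirm_transaction(sender, tx_id)   # submitting counts as the first confirmation
        return tx_id

    def confirm_transaction(self, sender: str, tx_id: int) -> bool:
        """The call the CertiK analysis names: an owner confirms and execution is
        attempted at once.  Returns True if the transaction executed on this call."""
        self._only_owner(sender)
        self.confirmations[tx_id].add(sender)    # a set: one key cannot count twice
        return self._execute_if_confirmed(tx_id)

    def is_confirmed(self, tx_id: int) -> bool:
        return len(self.confirmations[tx_id]) >= self.required

    def _execute_if_confirmed(self, tx_id: int) -> bool:
        tx = self.transactions[tx_id]
        if tx.executed or not self.is_confirmed(tx_id) or tx.value > self.balance:
            return False
        tx.executed = True
        self.balance -= tx.value
        self.transfers.append((tx.destination, tx.value))
        return True


def drain_with_compromised_keys(owners: List[str], required: int,
                                compromised: List[str], balance: int = 1_000,
                                attacker: str = "attacker") -> Tuple[bool, int]:
    """Simulate an attacker holding the keys in `compromised` who tries to move the
    whole balance to their own address.  Returns (executed, remaining_balance)."""
    wallet = MultiSigWallet(owners, required, balance)
    tx_id = wallet.submit_transaction(compromised[0], attacker, balance)
    for key in compromised[1:]:
        wallet.confirm_transaction(key, tx_id)
    return wallet.transactions[tx_id].executed, wallet.balance


if __name__ == "__main__":
    owners = [f"owner{i}" for i in range(1, 6)]   # five illustrative owners
    print("2-of-5, two keys compromised:  ", drain_with_compromised_keys(owners, 2, owners[:2]))
    print("3-of-5, two keys compromised:  ", drain_with_compromised_keys(owners, 3, owners[:2]))
    print("3-of-5, three keys compromised:", drain_with_compromised_keys(owners, 3, owners[:3]))
```

The attacker needs no bug in the contract: once the number of compromised keys reaches the threshold, confirmTransaction() does exactly what it is specified to do. The only lever the model exposes is the gap between the threshold and the number of keys an attacker can plausibly obtain at once, which is why separating key custody across people and devices matters at least as much as the wallet code itself.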

Elliptic researchers also pointed out that the short periods during which the stolen funds stopped moving out of Tornado Cash are consistent with nighttime hours in the Asia-Pacific time zone.

The FBI reported that on January 13, 2023, North Korean threat actors used the RAILGUN privacy protocol to launder over $60 million worth of Ether (ETH) stolen in the June 2022 heist. The threat actors then sent a portion of the funds to several virtual asset service providers and converted them to Bitcoin (BTC).

Part of these funds were frozen in coordination with the virtual asset service providers. The remaining bitcoin subsequently moved to a number of addresses listed by the FBI in its report.

The FBI also linked the Harmony intrusion to the TraderTraitor malware campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Harmony)


Meta Platforms expands features for E2EE on Messenger App

Meta Platforms announced that more features are coming to end-to-end encrypted chats in its Messenger app.

Meta Platforms has started gradually expanding its testing of default end-to-end encryption (E2EE) for Messenger.

The company announced that over the next few months, its users will continue to see some of their chats gradually being upgraded with end-to-end encryption. 

“We will notify people in these individual chat threads as they are upgraded. We know people will have questions about how we select and upgrade individual threads, so we wanted to make clear that this is a random process.” reads the announcement.

Meta pointed out that the selection of users and conversations to upgrade to E2EE is random, to avoid a negative impact on the company’s infrastructure and on people’s chat experience.

The IT giant also announced that it has brought several Messenger features to end-to-end encrypted chats, including themes, custom emojis and reactions, group profile photos, link previews, active status, and chat bubbles on Android.

“Building a secure and resilient end-to-end encrypted service for the billions of messages that are sent on Messenger every day requires careful testing. We’ll provide updates as we continue to make progress towards this goal over the course of 2023.” concludes the announcement.

The expansion of E2EE features on Messenger is good news for users; however, it is important to understand how the company handles metadata.

Metadata (who talks to whom, when and how often) reveals a great deal about users’ habits and relationships, so it is essential to protect it as well as the message content.


Pierluigi Paganini

(SecurityAffairs – hacking, Meta)


The Irish DPC fined WhatsApp €5.5M for violating GDPR

The Irish Data Protection Commission (DPC) fined Meta’s WhatsApp €5.5 million for violating data protection laws.

The popular messaging app WhatsApp has been fined €5.5m by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR).

The DPC has given the Meta-owned company six months to bring its data processing operations into compliance with the regulation.

“The Data Protection Commission (“DPC”) has today announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million (for breaches of the GDPR relating to its service).” reads the DPC’s announcement. “WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.”

In May 2018, ahead of the GDPR taking effect, WhatsApp updated its Terms of Service and required users to accept the revised terms in order to continue using the app.

The inquiry concerned a complaint filed by the non-profit organization NOYB – European Center for Digital Rights on 25 May 2018.

The Irish regulator found that, by making access to its service conditional on accepting the updated Terms of Service, WhatsApp Ireland forced users to consent to the processing of their personal data. The company claimed the update was aimed at improving the security of the service, but the DPC found that the practice breached the GDPR.

The company was also not transparent about what processing operations were carried out on users’ personal data; according to the DPC, this lack of transparency contravened Articles 12 and 13(1)(c) of the GDPR.

“The final decision adopted by the DPC on 12 January 2023 reflects the EDPB’s binding determination, as set out above.” continues the announcement. “Accordingly, the DPC’s decision includes findings that WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as “IT security”) for the WhatsApp service, and that its processing of this data to-date, in purported reliance on the contract legal basis, amounts to a contravention of Article 6(1) of the GDPR.”

WhatsApp announced that it will appeal the fine.

“We strongly believe that the way the service operates is both technically and legally compliant,” a WhatsApp spokesperson said. “We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service.”

In a post, NOYB claims that WhatsApp does not encrypt metadata and shares it with Facebook and Instagram, which use it to personalize ads.

The organization pointed out that metadata reveals users’ communication behaviour, including who communicates with whom and when, and who uses the app when, for how long and how often.

“While the communication itself is encrypted, the phone numbers and associated Facebook or Instagram accounts of people are collected. Such information can then be used to personalize ads for users on other Meta platforms like Facebook and Instagram. The DPC seems to have refused to investigate this core matter of the complaints.” reads the post published by Noyb.

The DPC, however, does not plan to investigate whether WhatsApp processes user metadata for advertising.

“WhatsApp says it’s encrypted, but this is only true for the content of chats – not the metadata. WhatsApp still knows who you chat with most and at what time. This allows Meta to get a very close understanding of the social fabric around you.” explained NOYB founder, Max Schrems. “Meta uses this information to, for example, target ads that friends were already interested in. It seems the DPC has now simply refused to decide on this matter, despite 4.5 years of investigations.”

Earlier this year, the Data Protection Commission (DPC) concluded two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) for its Facebook and Instagram services.

DPC fined Meta Platforms a total of €390 million (roughly $414 million).

The inquiries were related to Facebook and Instagram services; one complaint was made by an Austrian data subject and was related to the data processing operations of Facebook, and the second one was made by a Belgian data subject in relation to Instagram.

Both complaints were made on the date on which the GDPR came into operation, on 25 May 2018.

In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.

The DPC has now imposed fines of more than €1.3bn on Meta, Instagram and WhatsApp.

November 2022 – The Irish Data Protection Commission (DPC) fined Meta €265 million for failing to protect Facebook users’ data from scraping.

September 2022 – The Irish Data Protection Commission has fined Instagram €405 million for violations of the General Data Protection Regulation.

September 2021 – The Irish Data Protection Commission has fined WhatsApp €225 million over data sharing transparency for European Union users’ data with Facebook.


Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)


Europol arrested cryptocurrency scammers that stole millions from victims

An international police operation supported by Europol led to the arrest of cryptocurrency scammers who targeted users all over the world.

An international law enforcement operation conducted by authorities from Bulgaria, Cyprus, Germany and Serbia, supported by Europol and Eurojust, has dismantled a cybercrime ring involved in online investment fraud. Europol has supported the investigation since June 2022, following an initial request from German authorities.

“The suspects used advertisements on social networks to lure victims to websites covertly operated by the criminals, which offered seemingly exceptional investment opportunities in cryptocurrencies.” reads the press release published by Europol.

The gang used call centres to lure victims into investing large sums in fake cryptocurrency schemes.

According to Europol, 261 individuals were questioned, some of whom are awaiting prosecution (42 in Bulgaria, 2 in Cyprus, 3 in Germany and 214 in Serbia).

Police searched 22 locations (5 in Bulgaria, 2 in Cyprus, 15 in Serbia): 4 call centres and 11 residences in Serbia, 2 residences in Cyprus, and 2 companies and 3 residences in Bulgaria.

Police also seized three hardware wallets holding about $1 million in cryptocurrency, about €50,000 ($54,000) in cash, three cars, computers and data backups, and documents.

“Seizures include 3 hardware wallets with about USD 1 million in cryptocurrencies on it and about EUR 50 000 in cash, 3 vehicles, electronic equipment and data back-ups, documents.” continues the press release.

Most victims, mainly from Germany, were initially persuaded to invest small sums and then to transfer larger amounts. The financial damage to German victims exceeds two million euros, and this is likely only the tip of the iceberg: many frauds go unreported, so the overall damage could run to hundreds of millions of euros.


Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency)


French CNIL fined TikTok $5.4 Million for violating cookie rules

France’s data protection watchdog fined the short-form video hosting service TikTok €5 million for breaking cookie consent rules.

The Commission nationale de l’informatique et des libertés (CNIL) has fined short-form video hosting service TikTok €5 million (about $5.4 million) for violating cookie consent rules.

The watchdog found that users could not refuse cookies as easily as they could accept them, and that the ByteDance-owned company failed to sufficiently inform them of the purposes of the different cookies.

“On December 29, 2022, the CNIL sanctioned the social network TIKTOK for a total amount of 5 million euros for two reasons: users of “tiktok.com” could not refuse cookies as easily as accept them and they were not sufficiently informed of the purposes of the different cookies.” reads a statement published by CNIL.

Between May 2020 and June 2022, the CNIL carried out several checks on the “tiktok.com” website and on documents it requested from the company. The CNIL only assessed the website’s unauthenticated area; the mobile app was not examined.

“The Restricted Committee considered that making the refusal mechanism more complex actually amounts to discouraging users from refusing cookies and encouraging them to favor the ease of the “Accept all” button.” continues the statement. “It concluded that this process violated the freedom of consent of Internet users and constituted a violation of Article 82 of the Data Protection Act, since it was not as simple to refuse cookies as to accept them from the time of the online check in June 2021 until the implementation of a “Refuse all” button in February 2022.”

In December 2022, the CNIL fined Apple 8 million euros for not collecting the consent of French iPhone users (iOS 14.6) before depositing and/or writing identifiers used for advertising purposes on their devices.


Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)


Irish Data Protection Commission fined Meta $414 Million

The Irish Data Protection Commission (DPC) fined Meta Platforms €390 million over the data processing operations used to deliver its services.

The Data Protection Commission (DPC) has concluded two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) for its Facebook and Instagram services.

DPC fined Meta Platforms a total of €390 million (roughly $414 million).

“Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).” reads the announcement published by DPC. “Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.”

The inquiries were related to Facebook and Instagram services; one complaint was made by an Austrian data subject and was related to the data processing operations of Facebook, and the second one was made by a Belgian data subject in relation to Instagram.

Both complaints were made on the date on which the GDPR came into operation, on 25 May 2018.

In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.

Meta Ireland took the position that, by accepting the updated Terms of Service, users entered into a contract that allowed the company to process their data in order to deliver its Facebook and Instagram services, including personalised services and behavioural advertising.

“Following a consultation process, it became clear that a consensus could not be reached. Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (“the EDPB”).” continues the DPC. “The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.”

The decision could have a significant impact on the social media giant’s ad revenue. Meta maintains that its approach complies with the GDPR and announced that it will appeal the DPC’s findings.

“It’s important to note that these decisions do not prevent personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.” states Meta. “The decisions also do not mandate the use of Consent – another available legal basis under GDPR – for this processing.”

“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision.” Meta added.


Pierluigi Paganini

(SecurityAffairs – hacking, Meta)


Google will pay $29.5M to settle two lawsuits over its location tracking practices

Google will pay $29.5 million to settle two different lawsuits in the US over its deceptive location tracking practices.

Google agreed to pay $29.5 million to settle two lawsuits, brought by the state of Indiana and the District of Columbia, over its deceptive location tracking practices.

The IT giant will pay $9.5 million to D.C. and $20 million to Indiana; both lawsuits charged the company with tracking users’ locations without their express consent.

“Given the vast level of tracking and surveillance that technology companies can embed into their widely used products, it is only fair that consumers be informed of how important user data, including information about their every move, is gathered, tracked, and utilized by these companies. Significantly, this resolution also provides users with the ability and choice to opt out of being tracked, as well as restrict the manner in which user information may be shared with third parties,” said Attorney General Karl A. Racine while announcing that Google will pay $9.5 million. “I am proud of how the exceptional lawyers and professionals in my office have creatively applied the District’s strong consumer protection laws to set the standard nationally and provide users far greater control of their personal information.”

“We sued because Google made it nearly impossible for users to stop their location from being tracked. Now, thanks to this settlement, Google must also make clear to consumers how their location data is collected, stored, and used.” Racine added.

Google is currently facing two similar lawsuits, in Texas and Washington state.

In November, Google agreed to pay $391.5 million to settle with 40 US states over misleading users about the collection of their location data. The settlement is the largest attorney general-led consumer privacy settlement ever, according to the announcement published by the Oregon Department of Justice.

“Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information. In addition to the multimillion-dollar settlement, as part of the negotiations with the AGs, Google has agreed to significantly improve its location tracking disclosures and user controls starting in 2023.” reads the DoJ’s press release.

Oregon Attorney General Ellen Rosenblum, who led the settlement together with Nebraska AG Doug Peterson, said that for years Google had prioritized profit over users’ privacy.

The investigation into Google’s collection practices began after a 2018 Associated Press article revealed that Google “records your movements even when you explicitly tell it not to.”

According to the article, two settings govern location data collection: “Location History” and “Web & App Activity”. The former is off by default, while the latter is automatically enabled when a user sets up a Google account, which includes all Android users.

Location data is at the core of the IT giant’s digital advertising business. However, it can also be used to expose a person’s identity and routines, and even to infer sensitive personal details.

The states alleged that Google violated consumer protection laws by misleading consumers about its location tracking practices since at least 2014, leaving users confused about how account and device settings could be used to limit Google’s location tracking.


Pierluigi Paganini

(SecurityAffairs – hacking, privacy)
