UK ICO not happy with Google's plans to allow device fingerprinting
- Reference: 1734946274
- News link: https://www.theregister.co.uk/2024/12/23/uk_ico_not_happy_with/
- Source link:
Fingerprinting involves building a user profile using information about a device's software and hardware, rather than the use of something like cookies, for advertisement targeting. Despite publicly [1]claiming in 2019 that fingerprinting "subverts user choice and is wrong," Google has apparently decided it's not that big of a deal if third parties are doing it using Google's own services.
While not mentioning fingerprinting by name in a [2]statement or [3]overview of planned Ad Platform changes for February 16, 2025, Google did state that it would allow partners to use "data signals" including IP addresses, "web beacons … or other identifiers" to build device profiles for better serving ads.
[4]
"In the past decade, the way people engage with the internet changed dramatically," Google said to justify the move. The Chocolate Factory cited connected TVs as one device type that needs to serve ads that can't collect user data in the traditional manner.
[5]
[6]
The ICO doesn't want UK businesses to think they'll be off the hook for relying on fingerprinting, however. ICO executive director of regulatory risk, Stephen Almond, said his office will continue to hold businesses accountable because fingerprinting isn't transparent enough to meet UK privacy standards, and is likely to reduce people's choice over how their data is collected and used.
"We think this change is irresponsible," Almond said. "Businesses do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act."
[7]
Almond said the ICO is engaging with Google "on this u-turn in its position." Google [8]confirmed to The Guardian that it was in discussion with the ICO about the shift, but maintains [9]user privacy will be protected despite the change.
Google, which in the past has used the motto " [10]don't [11]be [12]evil " to explain its core philosophy, also reversed course this year on a promise to [13]eliminate third-party cookies from Chrome.
Critical vulnerabilities of the week: Do you believe in trust BeyondTrust?
After dealing with a [14]stolen API key earlier this month, access management firm BeyondTrust is now facing an actively exploited vulnerability in its Privileged Remote Access and Remote Support products.
[15]CVE-2024-12356 (CVSS 9.8), which allows an unauthenticated attacker to inject commands that will be run as a site user, was added to NIST's catalog of actively exploited flaws this week. All versions are affected and patches are available, so don't let this one sit until after the holiday break.
Elsewhere under active exploitation:
CVSS 9.8 - [16]CVE-2021-40407 : Reolink RLC-410W security cameras contain a vulnerability in their device network settings that allow attackers to inject OS commands.
CVSS 9.8 - [17]CVE-2022-23227 : NUUO NVRmini2 security camera control systems contain a vulnerability chain allowing an unauthenticated attacker to gain root access with code execution capabilities.
CVSS 9.8 - [18]CVE-2018-14933 : NUOO NVRmini devices also allow for RCE via shell metacharacters thanks to a failure to neutralize special elements.
Don't close that laptop for the holiday break yet - time to get patching.
Krispy Kreme bandits raise sticky fingers to take credit
The culprits behind a hack of systems belonging to donut chain Krispy Kreme have come forward to take credit, and it was none other than the prolific Play Ransomware gang behind the donut data heist.
Security researcher Dominic Alvieri [19]claimed in a Thursday tweet that Play Ransomware had posted notice that it had purloined Krispy Kreme's data and planned to publish it. Krispy Kreme has kept its sticky lips shut tightly about the nature of the attack, even refusing to tell us whether it was hit by ransomware or some other form of attack.
The Play gang has been one of the most prolific malware slingers in recent memory, with Palo Alto Networks' Unit 42 placing it [20]second behind LockBit 3.0 in the number of victims named in the first half of 2024. Play has been responsible for several high-profile attacks, including the theft of [21]tens of thousands of files from the Swiss government.
[22]
Sticky fingers, indeed.
Speaking of LockBit …
Despite the [23]high-profile disruption of LockBit by an international cadre of law enforcement in early 2024, the gang has remained relevant - and a recent report suggests they're back in full force.
Threat intel firm DarkFeed [24]said this week that LockBit 4.0 had arrived, suggesting the gang is anything but done being an underground industry protagonist. LockBit last [25]released a new version of its ransomware in June 2022, which included new features and even the first-ever ransomware bug bounty program.
DarkFeed's [26]dashboard of active ransomware groups indicates LockBit infections have fallen precipitously over the course of 2024, with RansomHub [27]rising to dominate in its place. If LockBit's boasts are true, don't expect it to stay that way.
It's not clear what new features will be included in LockBit 4.0, but DarkFeed (and us at The Register ) urge potential targets to stay vigilant, prepare defenses, get your systems updated and ensure your users are trained up.
5.6 million patients' data compromised in Ascension healthcare hack
When the [28]Black Basta ransomware gang hit Ascension Healthcare in May, causing the hospital system to [29]resort to pen-and-paper operations as systems were knocked offline, it wasn't immediately clear how many of the Catholic healthcare chain's patients had data stolen, but now we know, and the count is huge.
According to a breach [30]notification from the Maine Attorney General's office, nearly 5.6 million Ascension patients had data exposed in the ransomware attack that took more than a month to resolve, per Ascension's [31]timeline of the incident.
Ascension said the data stolen varies by patient, and it can't confirm what was taken on whom. Stolen data includes medical information, payment information, insurance information, government IDs, and other PII like birthdates and addresses. In short, the perfect batch of info for cybercriminals looking to steal someone's identity.
Ascension is offering the usual credit monitoring, as well as a $1M insurance reimbursement policy, for those affected.
Lazarus ups fake job campaign with new attack chain
North Korean-linked cybercriminals with the Lazarus Group are continuing their [32]Operation Dream Job campaign of targeting professionals in critical sectors with job-related malware lures, but they've introduced some new malware to keep defenders guessing.
Kaspersky threat researchers with SecureList have [33]spotted a new form of malware hiding inside Lazarus-linked archive files claiming to be remote access tools for skill tests called "CookiePlus" that they're warning does a good job hiding itself.
CookiePlus masquerades as the Notepad++ plugin ComparePlus, and hides itself by acting like a malware downloader, thus only transmitting minimal information to its command and control server. Despite that, it's still able to do more.
"The problem for defenders is that CookiePlus can behave just like a downloader," SecureList said. "This makes it difficult to investigate whether CookiePlus downloaded just a small plugin or the next meaningful payload."
Meanwhile, CookiePlus retrieves and decrypts several payloads, putting them to work while actually behaving as "modular malware" that retrieves system information and opens the door for additional attacks.
It might be tough to keep an eye out for this one, so be sure to examine SecureList's IOCs for CookiePlus. ®
Get our [34]Tech Resources
[1] https://blog.google/products/chrome/building-a-more-private-web/
[2] https://support.google.com/marketingplatform/answer/15732590
[3] https://support.google.com/platformspolicy/answer/15738904?sjid=12064725965402941781-NC
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z2nrlzfmiQq7f-id6OB8kgAAAQ8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2nrlzfmiQq7f-id6OB8kgAAAQ8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z2nrlzfmiQq7f-id6OB8kgAAAQ8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2nrlzfmiQq7f-id6OB8kgAAAQ8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theguardian.com/technology/2024/dec/19/google-advertisers-digital-fingerprints-ico-uk-data-regulator
[9] https://www.theregister.com/2024/06/13/noyb_gdpr_privacy_sandbox/
[10] https://www.theregister.com/2021/12/01/google_sued_evil/
[11] https://www.theregister.com/2021/11/01/google_opinion_column/
[12] https://www.theregister.com/2023/03/20/dont_be_evil_a_gaggle/
[13] https://www.theregister.com/2024/07/23/google_cookies_third_party_continue/
[14] https://www.theregister.com/2024/12/15/prometheus_servers_exporters_exposed/
[15] https://www.theregister.com/2024/12/15/prometheus_servers_exporters_exposed/
[16] https://nvd.nist.gov/vuln/detail/CVE-2021-40407
[17] https://nvd.nist.gov/vuln/detail/CVE-2021-40407
[18] https://nvd.nist.gov/vuln/detail/CVE-2021-40407
[19] https://x.com/AlvieriD/status/1869858882207809866
[20] https://www.theregister.com/2024/08/13/lockbit_ransomware_stats/
[21] https://www.theregister.com/2024/03/08/swiss_government_files_ransomware/
[22] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z2nrlzfmiQq7f-id6OB8kgAAAQ8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[23] https://www.theregister.com/2024/02/20/lockbit_down_operation_cronos/
[24] https://x.com/ido_cohen2/status/1869653961101443294
[25] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit
[26] https://darkfeed.io/ransomgroups/
[27] https://www.theregister.com/2024/08/30/ransomhub/
[28] http://theregister.com/2024/05/13/cisa_ascension_ransomware/
[29] https://www.theregister.com/2024/05/09/us_faithbased_healthcare_org_ascension/
[30] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e55264f2-ff87-4b28-874d-653cfb735fe6.html
[31] https://about.ascension.org/cybersecurity-event
[32] https://www.theregister.com/2023/10/04/lazarus_group_lightlesscan_malware_upgrade/
[33] https://securelist.com/lazarus-new-malware/115059/
[34] https://whitepapers.theregister.com/
Re: one device type that needs to serve ads
Those few words describe just how far disconnected Google (and others) are from the real world.
Those devices don't need to serve ADS. Their content streams do that already...
FSCK Google.
Come on people just give Google the big finger. Their quest for more and more data on you will never end until people just block them and move elsewhere... You know just like Twatter is losing active subscribers are a great rate of knots because of the obnoxiousness of US President Elongated Muskrat.
He wants to 'own' the UK next and anyone who supports Farage and his crew will be supporting them. A few hundred million ££££ can buy you a lot of people.
Disclaimer. I am not on any of the main social media platforms and I'd rather vote for a dead parrot then any one from Farage's party.
Re: one device type that needs to serve ads
"I'd rather vote for a dead parrot then any one from Farage's party."
well a large amount of the population voted for huge Liebour Tool and it doesn't work !
Re: one device type that needs to serve ads
Don't cry, dearie, your mascara will run.
Re: Traditions
Upvoted despite the NME (it's Christmas after all). I was more a Melody Maker reader until Jazz Journal came out.
Re: Traditions
I liked Melody Maker too but my dad hated the NME for some reason so it was a no-brainer which one to have delivered.
Re: Traditions
Do the Trouser Press, baby!
Re: Traditions
>> connected TVs as one device type that needs to serve ads
I don't think that they _need_ to do anything, except display whatever video I choose to throw at them. (Not even audio, since I've _never_ seen a TV with speakers that don't dent my ears).
Google has this incredibly odd idea that any and all connected devices must show adverts... they're going to be right there with the Sirius Cybernetics execs, first against the wall when the revolution comes.
Re: Traditions
first against the wall when the revolution comes.
When you start adding all the other transgressors such as the crypto bros, AI mafia etc etc you will require a bloody long wall which might indicate prophetic insight on the part of the Chinese.
"you will require a bloody long wall "
No probs.
In the UK they'll use Hadrian's wall.
Re: Traditions
"you will require a bloody long wall"
That's ok. We'll build new wall. A beautiful wall, the bigliest bestest wall ever. And we'll make them pay for it.
"I don't think that they _need_ to do anything, "
But it's not about you. It's about their needs. And about desperate people. IE People they desperately need to know more about.
Their need to collect data.
To sell data to their customers.
Data fetishists aren't all working for governments.
Re: Traditions
You are going to hate Win11 then (if you don't already).
Why an OS needs to feed you ads is bonkers. But that's what MS has decided: They take your money then make more from feeding you ads you don't want and the only option they'll give you is to turn off targeted ads. Unless you find a third party tool to block them entirely.
(Looks to be since KB5036980 update if you're wondering)
Re: Traditions
I suspect that, in the US, Google execs wouldn't be quite the first choice of an angry populous, as recent events in New York have shown.
Re: Traditions
A. No TV, just a computer playing ad-free media on those extremely rare occasions when I feel like watching something.
B. No budget for extras that they advertise. I buy what I need when I need it and ignore the internet advertising unless it makes me laugh.
Google analytics should be under the spotlight
as it, without permission, tracks users and abuses personal data.
But big money is involved so I expect Google to prevail - money usually speaks loudly.
Re: Google analytics should be under the spotlight
I have Google Analytics permanently blocked in NoScript, apparently without ill effect.
Please can we have a more detailed explanation of how "fingerprinting" is done and how we can obstruct it.
Re: Google analytics should be under the spotlight
Oh, the usual. A mix of telephone number, IMEI, MAC, IP, Google login, installed programs, web history, SMS and chat history, etc.
Oh yes, I know, they pinky swear they don't collect them. And I have a bridge to sell.
Re: Oh the usual...
Including your Inside Leg Measurement, size of you know what and angle of dangle.
and other essential but similar measurements that Google simply must have in order to function, NOT!
Re: Google analytics should be under the spotlight
Try these two for starters:
[1]EFF Cover Your Tracks and [2]Am I Unique
Merry Christmas everyone!
V.
[1] https://coveryourtracks.eff.org/
[2] https://amiunique.org/fingerprint
Re: Google analytics should be under the spotlight
Nice! And even nicer that I've passed both with flying colors.
To everyone else, follow the links and check your system!
Re: Google analytics should be under the spotlight
In my case, my rather old (but otherwise perfectly adequate) graphics card seems to leak fingerprinting bits... :-/
Having seen just how much Krispy Kreme are prepared to try and charge for iced doughnuts, I'd put them at about the same level of social acceptability as ransomware scum
They don’t sell doughnuts, they sell blocks of sugar with some alternative in the middle.
I love normal jam doughnuts but one of those is just a sugar rush. So best avoided in my opinion, I know others must like them but not me.
I love normal jam doughnuts but one of those is just a sugar rush. So best avoided in my opinion, I know others must like them but not me.
They are a short cut to diabetes.
" They don’t sell doughnuts, they sell blocks of sugar "
Technically incorrect, they sell blocks of sugar stuck together with fat, probably hydrogenated or saturated.
Exactly Giles. That's exactly what they are.
The first time I tried their donuts I choked on the sugar. It was also the last time.
It wouldn't be so bad if targeted advertising actually WORKED.
All I see at the moment is ads for:
Stuff I've already bought and don't have any need to buy more.
Stuff I've looked at and decided I don't want
Stuff other people bought (as if that's somehow relevant to me)
Stuff that's "trending" (as if that's somehow relevant to me)
Stuff that's a bit like what I just searched for (but only in the coke addled imagination of an intellectually malnourished B-Ark marketing droid)
In short, targeted marketing is shit.
"In short, targeted marketing is shit."
Indeed. But that doesn't matter to Google when idiot companies continue to pay Google (and others) to serve adverts.
Like you, all I see is garbage, and since I run adblockers, that garbage is from companies who actually know what I've bought. Amazon, for example, is offering me "gift ideas" that include a 600x600 ceiling mount LED panel, wonder how the missus will react when she unrwaps that? Or some plumbing valves - "Oooh, thank you darling, how did you know I wanted a chrome plated 15mm x 3/8" flat face 90 degree isolation valve!"
Until marketing dweebs stop being credulous fools happy to pay for internet advertising that doesn't work we will continue to have this problem. I don't see that situation changing anytime soon.
As I keep saying, the only thing Google sells is advertising. As to the marketing dweebs, I suspect a lot of them know perfectly well that it's crap. It's also their job, that budget has to be spent somewhere. The real dweebs in this situation are the boards and C-suite who are handing their marketing departments this money without paying the slightest attention to how it's spent.
Hey! I got my wife one of those as well!
Me too! But she took it back. It was the wrong size.
How do you know ICL1900-G3S's wife? Small world, eh?
targeted advertising
You're lucky. All of the ads I've had to endure until they were nextable/skippable, while watching one of my favorite automotive youtube channels on my tv for the last 90 minutes while logged in as myself, were ads for crap that I won't be purchasing for my other half or her kid. Oh, and a 90+ minute ad for youtu.be itself..i skipped that one immediately, after 55 seconds and the skip button appeared.
On another note, does anyone know how to pause coundown timers in the javascript, for example by redefining them to sleep()? Apparently google thinks that wiping the DOM on timer expiration is amusing.
Re: targeted advertising
Install SmartTubeNext and revel in the improved experience.
"It wouldn't be so bad if targeted advertising actually WORKED"
I think that's the whole point. Targeted ads don't work and companies like Google want them to work. The only way they can see of making them work is to use huge amounts of intrusive personal information about people.
Personally, all the stuff in the article about fingerprinting devices and building user profiles, I presumed was already happening and has been for years. And that's not me being all tin-foil hat. Wasn't this why Google started slurping WiFi SSIDs all those years ago for example, to track where people go, how much time they spend there, what they buy while they are there (via Google pay/wallet) etc? Maybe what's new is the amount of this type of data Google etc. would like to collect and use.
"Targeted ads don't work and companies like Google want them to work."
Doubt that. If targeted advertising worked well, then there would be considerably less total advertising, if only because there's only so many eyeballs belong to people who do (or might) want a given product, and only so much screen real estate to use. Google are close to coining in a billion dollars a day precisely because ad targeting is inefficient, and whilst they want to convince their customers that it is well targeted and effective, the last thing they actually want is that outcome. If an ad placement ticks the placement criteria boxes, Google still get paid for showing it to me, even for something I bought last week and won't need another for a decade, or for showing my wife an ad for Makita power tools. Are you really sure Google want to walk away from easy money like that?
Targeted ads
In the good old days, we had media departments that targeted ads. Food processor ads in/before/after food orientated programmes, car ads in/before/after car orientated programmes. Relevance!
Now targeted seems to mean what the ad slingers (not the agencies, not the clients) want us to see.
A lot of advertising isn't really aimed at getting you to change the categories of stuff you purchase, it's aimed at getting you to purchase different brands. The international soap powder, food and household conglomerates simply wouldn't exist without advertising - and their increasing globalisation is as much driven by greater marketing efficiency as it is by production efficiency.
But most of what they're pushing is stuff that everyone buys - soap powder, floor cleaner, biscuits, breakfast cereal - so it's not clear that targeting (except by gender, since women typically make purchasing decisions) is terribly useful. However, ever since Lord Leverhulme famously complained "Half the money I spend on advertising is wasted, and the trouble is I don't know which half" the pressure has been on to find the answer. But, from a consumer point of view, it's the wrong question. Without the cost of sales associated with marketing, these products would be significantly cheaper - compare the cost of your supermarket's own brand with the Reckitt-Benckiser-Kraft-Mondelez-Unilver-Procter & Gamble alternative. But that also proves that advertising in some form *does* work - because why else would so many people buy the overpriced alternative? And as long as it works, there'll always be someone claiming to know how to make it more efficient and someone else willing to believe them,
only targeted advertising I see, is targeted at everybody from the scammers willing to pay Google to turn a blind eye and Advertising Standard Authority unwilling to do anything!
I have great fun with my Hotmail account these days. MS automation obviously reads the content of incoming emails and rustles up some AI guff advertising and if it can't find an ad to suit
the email, it makes one up.
Best one I had was I sent an email about death from another account to my Hotmail account and the ad generated was a coffin on grass. That's it, a coffin on some grass. PMSL.
True.
You have to be impressed at Google's ability to sell an absolutely crap product to huge numbers of people for millions of bucks for decades. If these companies ever did any competent due diligence, they would realise that it was bollocks and advertise in other ways, getting more people to buy stuff for much less money.
The 'people who bought what you bought also bought this' adverts on Amazon and the persistent search options on ebay are much better and often very useful.
Krispy Kreme bandits raise sticky fingers to take credit
Shouldn't that me "kredit"?
Re: Krispy Kreme bandits raise sticky fingers to take credit
Shouldn't that me "kredit"?
[1]Muphry's Law strikes.
[1] https://en.wikipedia.org/wiki/Muphry%27s_law
So, The Information Commissioners Office is "not happy" with this. Perhaps they should take some decisive action and enforce it for a change.
For companies and organisations which transgress the permitted limits on privacy at present, being savaged by the ICO is about as effective as having an elephant attacked by a sleeping dormouse.
So, The Information Commissioners Office is "not happy" with this. Perhaps they should take some decisive action and enforce it for a change.
I'm sure they're wagging their finger very seriously.
Well they're not happy because so far Google said they would enforce this on their advertisers; now Google is openly saying they won't do anything about it so the ICO will have to do it themselves.
Funnily, this was one of those anti-competitive rules that Google created in order to minimize the data that third parties could have, so that everybody would be forced to use Google's services to target the users. I'm not sure if they removed the rules because they thought they could get more money from advertisers by being nicer to them, or because they thought that they were unable to prevent it anyway, or even they were afraid that this would be counted against them in the many anti-monopoly lawsuits they are fighting. Could be all three.
The ICO likes going after some ordinary bloke or woman who's done something a bit silly with some data (not seriously silly, or with any ill intent, and generally though ignorance rather than specific intent). It seems to see dragging them through the crown court, where the judge tells them not to do it again (which they wouldn't have done anyway) and might order them to pay costs as a good use of ICO powers.
After all, that allows them to say that they are "getting tough" on data breaches, and it's far easier than going after the big boys who do what they like with data - and who will be fully lawyered-up and prepared to drag it out indefinitely if the ICO tries to go after them.
2-Tier Starmer will tell the ICO to back off, he likes the idea of fingerprinting everybody one way or another, to ensure no anti-government discussions or negative reaction to his utopian dictatorship
Traditions
"The Chocolate Factory cited connected TVs as one device type that needs to serve ads that can't collect user data in the traditional manner."
Yeah, I remember how the advertising industry was on the bones of its arse when all it knew was that my mum was watching Corrie while my dad was reading the Mirror and I was reading the NME.