In this edition of AdGuard's Digest: Facebook is accused of hoarding sensitive medical data, Telegram partners with Google and possibly the police, Mozilla fights trackers, school apps spy on children, Twitter misuses user data as the US moves closer to adopting federal privacy law.

Facebook tool harvests medical data from hospital websites

In the news that should surprise no one, Facebook's ad tracking tool was found to be sending sensitive medical data collected from hospital websites to… Facebook. The Markup investigation found that the Meta Pixel tool also known as the Facebook Pixel has been embedded into dozens of US hospital websites, including that of major children's hospital network. Once a patient or a parent clicked a button to make an appointment, Meta Pixel sent the tech giant the name of the condition, the doctor's name, the search word used to find that doctor, and other data. In the case of the children's hospital, Facebook could even get the full name of the child complete with the IP address. The tracker was also found in supposedly secure patient portals, which meant that Facebook could find out what medications visitors were taking and what allergic reactions they had.

Meta, which owns Facebook, has denied that it extended its tentacles to sensitive patient data, saying it had special filters in place to prevent it from being sent. Several hospitals have since removed the code from their websites, and a class-action lawsuit was filed in California accusing Facebook of violating medical privacy laws. The plaintiffs say that they have identified as many as "664 hospital systems or medical provider web properties where Facebook has received patient data via the Facebook Pixel."

Facebook's appetite for data-harvesting seems to know no bounds, and it looks like the tech giant is willing to go to great lengths to gain access to user data. It's hard to take Facebook's claims that it doesn't actually get patient data at face value as the company has been caught red-handed violating user privacy too many times before.

Et tu? Telegram shares data with Google and possibly police

Breaking away from its long-standing policy of not sharing user data with third parties, Telegram has reportedly provided the German police with information on child abuse and terrorism suspects, Spiegel reported. The messenger is also said to have set up a special email account for the police to send their requests to. It was reported last year that Telegram could face a steep to the tune of €55 million if it failed to create such a backchannel.

Telegram has yet to comment on its alleged assistance to German police. If true, it shows that even companies with strict data-sharing policies are not immune to pressure, especially if it is exerted in the name of protecting the innocent. The EU has been peddling legislation aimed at scanning text messangers for indicators of child sexual abuse — we wrote about this in the previous digest. Sadly, it looks like the protection of children is becoming a tool to coerce online platforms into revealing user data.

On its website, Telegram states that it has yet to disclose a byte of data to third parties, either to governments or anybody else.

And while it has neither confirmed nor denied its cooperation with the police, Telegram openly announced that it would be sharing data with Google as part of its premium plan. Telegram's new premium feature relies on Google technology to transcribe audio messages. According to the agreement between Telegram and Google, the latter is prohibited from logging transcripts and audio data and cannot use it for any other purposes, including advertising. However, the very fact that Telegram has entrusted its user data to Google is concerning in itself.

Yummy! Firefox curbs cross-site tracking by putting cookies in jars

Mozilla has set out to organize the internet's kitchen cabinets, confining third-party cookies to the "cookie jars" hidden from everybody but the website that had planted them. The new feature has become default for all Firefox browser desktop users, and is yet to come to mobile. Third-party cookies are small text files planted into your browser by various advertisers so that they can track you across the web. Mozilla now wants to prevent trackers from accessing each other's cookies.

"No other websites can reach into the cookie jars that don't belong to them and find out what the other websites' cookies know about you — giving you freedom from invasive ads and reducing the amount of information companies gather about you", Mozilla says.

Mozilla, unlike some other tech companies (we won't point the finger at them), seems to be walking the talk on privacy. It's worth noting that Mozilla has also decided to allow ad blockers to exist in Firefox in their original, powerful form by cherry-picking parts of Manifest 3 to implement: we wrote about this in more detail here.

EdTech products rat out children to advertisers

About 90% of state-backed EdTech platforms across 49 countries trampled on children's rights during the pandemic by tracking them across the web and off class. Many allowed advertisers to use students' personal data. That is according to Human Rights Watch which reviewed 164 online tools used for distance learning.

"Human Rights Watch observed 146 EdTech products directly sending or granting access to children’s personal data to 196 third-party companies, overwhelmingly AdTech", the report states. The data was mainly sent to AdTech giants — Google and Facebook. What's more, eight websites used a sophisticated tracking method known as 'canvas fingerprinting' that does not require cookies.

Children and parents were mostly kept in the dark about apps' data collection habits. In most cases the child was faced with an impossible choice: either to continue learning or opt out of surveillance.

We at AdGuard think that children's privacy as well as that of adults should be protected by default. A child should not sacrifice privacy for education and vice versa. The practice of targeting children that can be as young as 9 with personalized ads is nothing short of predatory.

The news itself is hardly shocking, however, as data collection methods become ever more clandestine and intrusive…

Copy-pasting is BAD, but it's not about what you think it is

…As evidenced by the case of 11 Android apps with over 45 million downloads that had been secretly sending away user GPS data, email addresses, phone numbers via a third-party SDK named Coelib. AppCencus has reported earlier this year that the software development kit (SDK) in question was part of several Quran-themed apps, a barcode scanner, and a WiFi mouse among others. One of the apps, Simple Weather & Clock Widget, uploaded to the SDK vendor's servers everything a user copied and pasted. Google removed the apps from its Play Store last year, and they all have returned since but without the offending SDK.

We strongly recommend users to install apps only from trusted developers and give them only the most necessary permissions.

Pranksters and privacy advocates' nightmare: Indians may soon see caller names by default

India's telecom regulator has been working on a new mechanism that would require providers to flash a caller's full name on a screen every time a phone rings. Providers will have to source the caller data from their KYC (Know Your Customer) records. When a customer buys a SIM card, an operator verifies their identity and inputs the information into the database.

The Indian government wants to rein in spam callers that are increasingly getting on citizens' nerves. Two-thirds of Indians receive three or more spam calls a day, and over 220 million use caller identification app Truecaller. The latter crowdsources caller data, meaning that it may not be up to date. While KYC records are a much more accurate source of data, the main problem remains — no user consent is required in either of the cases.

The details of the proposal are yet to be thrashed out, but it looks like the Indian government is going after pesky callers at the expense of citizen privacy. The benefit from the policy is questionable: it's not clear how seeing a random name instead of a random number will make much of a difference. The new initiative threatens to deliver another blow to the country's already weak privacy protections. Earlier this year we wrote about a new Indian law that would force all VPN and other online services providers to store user logs for at least 5 years.

Twitter: We collect your data for security purposes only.* Only joking.

Twitter has paid $150 million to settle a case with the US government, which accused the tech giant of misleading its users about what it can do with their personal data. From 2013 to 2019, Twitter claimed that it needed users' phone numbers and email addresses solely to secure their accounts. However, the US Department of Justice said that the social behemoth would then share that data with advertisers. 140 million users have been affected by the practice, which is likely helped to swell Twitter's coffers since its primary source of income is ad revenue.

For its part, Twitter admitted the data "might have been" used for advertising "inadvertently".

The news did not sit well with prospective Twitter buyer, Elon Musk. "If Twitter was not truthful here, what else is not true?" the billionaire wrote. Musk had previously put a deal with a platform on hold, accusing it of failing to disclose the number of spam bots.

We share these concerns. While Twitter has signaled recently that it's ready to become more privacy-oriented and clarified its privacy and security policy (check our previous digest for more on this), the news of the settlement remind us of stark reality — big tech firms may pose as privacy-friendly, but as long as advertising remains their main source of revenue, it all might be smokes and mirrors.

US inches closer to adopting country-wide privacy law

A bipartisan group of Democrat and Republican lawmakers have unveiled a draft of a federal data privacy bill, named 'The American Data Privacy and Protection Act' (ADPPA) after years of back-and-forth. The draft is now up for a debate. The bill is designed to preempt state privacy laws, but with a long list of notable exemptions for Illinois Biometrics Information Privacy Act, parts of the California Privacy Rights Act, as well as for facial recognition and consumer protection laws. The bill would require tech companies to receive an express consent from the individual before collecting or processing sensitive personal data, such as biometric data, private communication, precise geolocation, financial and health data, log-in creditionals, browsing history and sexual orientation. The companies would also be required to publish privacy policies, while individuals will have the right to opt out of the transfer of their data to third parties for targeted advertising. Advertisers won't be able serve minors under 17 years of age targeted ads altogether.

Users will also be able to sue companies in a federal court for damages, but only 4 years after the bill goes into effect.

The draft was released to mixed reviews from privacy experts and lawmakers alike: while some see it as a welcome first step, others argue that it is "riddled with enforcement loopholes". If the law passes through Congress, the US would theoretically come closer to Europe's privacy protection standards enshrined in the GDPR. The devil, however, is in the details and the implementation.