Few Bright Spots, Lots of Dark Corners in Corporate Security Practices: 2015 in Review
Corporations that make digital devices and software used by millions around the world for work, play and school had a spotty record of protecting their users' data in 2015. Because companies are responsible for safeguarding intensely private customer information, it’s important that they do better. There were bright spots—in June our annual Who Has Your Back? report showed that many major technology companies are adopting best practices around transparency and protecting user data when the government comes knocking. Over one-third of the companies we ranked, including Apple, Dropbox and Yahoo, earned stars in every category we rank—an encouraging sign. When we launched the first report in 2011, no company had achieved that performance.
Yet we still see poor practices among major companies such as Verizon, AT&T, Dell and others. Massive data breaches continued to erode customer confidence in privacy protection, and irresponsible companies caused security catastrophes and losses of personal data. News broke in February that Lenovo had been shipping laptops with a horrifically dangerous piece of software called Superfish, which tampers with Windows' certificate trust in order to perform man-in-the-middle attacks on users’ browsing and inject ads.
In September, the California Public Utilities Commission reached a $33 million settlement with Comcast for disseminating the private information of nearly 75,000 customers. According to the CPUC, the company sent all of its telephone subscriber information, including unpublished phone numbers, to a company it had chosen to license and sell subscriber listings. Comcast failed to put a “privacy flag” on the unpublished numbers, which were subsequently distributed to at least one national directory assistance operator and published online where they became available to other data brokers.
In October, Chinese security researchers discovered that an Android software library developed by the Chinese search giant Baidu was capable of allowing attackers to remotely wreak havoc on phones, from sending fake SMS messages to downloading arbitrary files or installing apps without user authorization. Baidu had apparently built the capability into the software to remotely upload files, install apps, and trigger all sorts of other actions, leaving as many as 100 million Android devices at risk.
Things got worse as the year wore on. In a sad case of déjà vu, we learned in November that Dell had done the same thing as Lenovo, shipping laptops pre-installed with an HTTPS root certificate that could allow malicious software or an attacker to impersonate Google, your bank, or any other website.
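To make concrete why the Lenovo and Dell cases above are so serious, here is an added demonstration (not EFF's code, and no real vendor certificate is used): it generates a throwaway "legitimate" root and a throwaway "rogue" root standing in for a preinstalled vendor CA, shows that a certificate minted under the rogue root for a constructed hostname is rejected by the normal trust bundle but accepted once the extra root is trusted, and then shows the defender's check: diffing the fingerprints of a machine's trust bundle against a known-good baseline. It assumes `openssl` is on the PATH; every key, CA name and hostname is constructed on the fly.

```shell
#!/bin/sh
# Constructed demo (not EFF's code): one extra trusted root is enough to impersonate any
# site, and a fingerprint diff against a known-good bundle is how a defender spots it.
# Assumes openssl is on PATH; every CA, key and hostname below is generated here.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA named $1, writing $WORK/$1.key and $WORK/$1.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf certificate for hostname $2 signed by CA $1, writing $WORK/$2.crt.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Succeed only if certificate $2 chains to a root contained in bundle $1.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print one SHA-256 fingerprint per certificate in PEM bundle $1.
fingerprints() {
  awk -v d="$WORK/fp" '/BEGIN CERT/{n++} {print > (d n ".pem")}' "$1"
  for f in "$WORK"/fp*.pem; do
    openssl x509 -noout -fingerprint -sha256 -in "$f"; rm -f "$f"
  done
}

# Print fingerprints of roots present in bundle $1 but absent from baseline bundle $2.
unexpected_roots() {
  fingerprints "$2" > "$WORK/baseline-fps.txt"
  fingerprints "$1" | grep -vxF -f "$WORK/baseline-fps.txt" || true
}

demo() {
  make_ca legit-root                  # stands in for a browser's normal trust store
  make_ca rogue-root                  # stands in for a vendor-preinstalled root like Superfish
  issue_leaf rogue-root bank.example  # constructed hostname; anyone holding rogue-root.key can mint this
  cp "$WORK/legit-root.crt" "$WORK/baseline.pem"
  cat "$WORK/legit-root.crt" "$WORK/rogue-root.crt" > "$WORK/tampered.pem"
  verify_leaf "$WORK/baseline.pem" "$WORK/bank.example.crt" \
    && echo "unexpected: baseline trusts impostor" || echo "baseline store rejects impostor"
  verify_leaf "$WORK/tampered.pem" "$WORK/bank.example.crt" \
    && echo "tampered store accepts impostor for bank.example"
  echo "roots not in baseline:"; unexpected_roots "$WORK/tampered.pem" "$WORK/baseline.pem"
}
demo
```

The same `unexpected_roots` diff can be run against a real machine's exported trust bundle and a vendor-neutral baseline such as a browser's shipped root list; any root it reports deserves an explanation before the machine is trusted with credentials.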
Among the most troubling cases of privacy failure were facts uncovered by EFF during work on our “Spying on Students” project, which calls attention to the privacy risks of technology supplied to schools by companies like Google. EFF revealed that Google configures Chromebooks used in schools around the country to allow tracking of students’ Internet searches, passwords, and other private information, despite having promised not to. EFF filed a complaint with the Federal Trade Commission seeking an investigation and an order halting Google’s deceptive practices.
This article is part of our Year In Review series; read other articles about the fight for digital rights in 2015.