DoorDash Data Breach, Voice Assistant Privacy Changes, Limiting Ad Tracking

by Tom Eston on September 30, 2019

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.

In episode 88 for September 30th 2019: DoorDash announces a data breach affecting 4.9 million people, recent voice assistant privacy changes, and ways that you can limit ad tracking on your mobile device.

Are you a frequent traveler that wants a high-quality, fashionable backpack that keeps your digital privacy in mind? Then you need to check out Silent Pocket’s new Faraday Bag Waterproof Backpack. Check it out at silentpocket.com as well as their other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.

Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Popular food delivery company DoorDash said in a blog post late last week that 4.9 million customers, delivery workers, and merchants had their information stolen through a third-party service provider who was not named. Data stolen included name, email and delivery address, order history, phone numbers, last four digits of their credit card or bank account, and hashed (and salted) passwords. Users who joined the service prior to April 5th 2018 were affected by this breach and to add insult to injury about 100,000 delivery works also had their driver’s license information stolen as well. And if that wasn’t enough, this news ironically comes almost a year after many DoorDash users complained that their accounts were hacked. At the time, DoorDash denied that there was a breach and blamed it on credential stuffing attacks, where attackers use user names and passwords previously exposed through known data breaches, then use those credentials on other sites like DoorDash. This is basically a way to pass blame to the user for selecting poor passwords. I think DoorDash has a little bit of explaining to do as we now add this latest breach to the long list or breaches that we’ve had just this year alone. If you happen to be a DoorDash customer check out our show notes to a link to the official news release about the breach for more information.

Sponsorships Available

Several weeks ago on the podcast I talked about how Apple was changing the way that contractors were analyzing recordings from Siri as part of their “grading” program due to privacy concerns around sensitive and private conversations that were recorded. You may recall that this was also a huge problem for Amazon and Google’s voice assistants as well. Well this past week, Google announced significant changes to how their product, the Google Assistant, handles voice recordings. First, Google says that your audio data is not stored by default and that if you do want it stored, so that it can be used to help improve the Google Assistant, than you can opt-in to this feature. Second, Google has updated their audio settings to highlight that when you choose to opt-in you can choose to opt-out and for existing users that have chosen this already, a chance to review and change the setting if you would prefer. Third, Google said that recordings are never linked to a particular user and that only .2% of all audio recordings are ever analyzed by someone. Lastly, the Google Assistant will automatically delete any audio data when it realizes that it was activated unintentionally. In addition, Google is making changes to their data retention policy so that audio data is deleted older than a few months.

And in late breaking news last week, Amazon released several new Echo related products to the market and also announced several new privacy improvements as well. First, Amazon has added two new commands to its Alexa voice assistant in which you can now say “Alexa, tell me what you heard” and, “Alexa, why did you do that?”. The tell me what you heard command lets you know what exactly Alexa is listening to and “why did you do that” is meant to give you more information if Alexa does something random like play a song out of nowhere. In addition, Amazon will now allow people to delete Alexa voice recordings on a rolling 3-month or 18-month basis and is allowing users to opt-out of human reviews of voice recordings. These changes now put Amazon along the same lines as Apple and now Google with current privacy settings of these popular voice assistants.

And now a word from our sponsor, Edgewise Networks.

The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.

But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.

But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”

Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.

At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.

Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.

Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

Did you know that there is a setting on our mobile devices which gives us more control over targeted advertising? I wanted to bring this up on the show because we typically only think about the privacy settings in the apps we use, like Facebook, but Android and Apple iOS also have a very important setting that you can enable at the device level to help limit the information advertisers can obtain about you and your device. How it works is that both Android and iOS have something called an “ad ID” which gets linked to data that advertisers collect from you from the apps that you’re using. This “ad ID” was created in an attempt to reduce the amount of information about your device, such as things that can’t be changed, like your unique device identifier and Wi-Fi MAC address. Advertisers leverage this id instead so that they can have a unique identifier about you and your device without giving away all these other details. By default this “ad ID” is enabled on your device (which is a good thing) but by turning on a setting called “Opt out of Ads Personalization” on Android or “Limit Ad Tracking” in Apple iOS this ad ID is randomly changed or zeroed out. On Android, this setting only changes your ID but in iOS, the ad ID is set to all zero’s. To make this change in Android go to Settings > Privacy > Advanced > Ads and turn on “Opt out of Ads Personalization.” On iOS, go to Settings > Privacy > Advertising and turn on “Limit Ad Tracking”.

What this setting means is that advertisers will have to either start a new profile about you or simply won’t be able to link very specific data back to you so that they can serve ads that are more personalized. Now by enabling this setting it doesn’t mean that you won’t receive any more ads, but it does mean that ads may not be as personalized to you. And since we’re all constantly bombarded by ads, anything we can do it throw a wrench into the how advertisers track you, the better off we’ll all be from a privacy perspective.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post DoorDash Data Breach, Voice Assistant Privacy Changes, Limiting Ad Tracking appeared first on Shared Security Podcast.