Checklist 237: The LinkedIn Data Leak

On this week’s Checklist, we’ll cover:

• The LinkedIn data leak
• Is the healthcare industry sharing your data?
• ID in Apple Wallet … in Apple Watch!
• A listener makes a great point

The LinkedIn data leak

LinkedIn, the social networking platform for professionals, has just been hit with one of the year’s biggest data breaches.

Last week, security researchers at Restore Privacy found data from over 700 million LinkedIn users up for sale on a hacking forum. That’s a lot of people, obviously. But even more noteworthy is that according to LinkedIn’s own figures, this represents around 92% of the platform’s active users!

While financial data and account credentials were not exposed, a lot of other information was. The data for sale on the hacking forum included:

• full names
• phone numbers, email addresses, and physical addresses
• usernames and profile data
• location data
• personal and professional information
• connected social media accounts and usernames

Even without login details, bad guys can still use this kind of information for all sorts of malicious purposes. So yes, this latest LinkedIn data leak is bad. But the big question is: How did it happen?

No one is quite sure yet. The hackers claim that they got the data through LinkedIn’s API. LinkedIn says that this isn’t possible, at least not for some of the data that was leaked. While they’re still investigating, they believe it’s more likely that the attackers simply scraped the data from LinkedIn and a number of other websites.

The folks at Restore Privacy say that in the coming weeks and months, everyone who uses LinkedIn should watch for phishing attempts, scams, and hacks. Check out these past Checklist episodes for tips on how to deal with identity theft, phishing attacks, social engineering scams, and account compromises. As for how to keep your data safe going forward, a first step would be to consider limiting the amount of personal information that you share on social platforms. Also, look into privacy-protecting tools such as:

• Secure web browsers that respect your privacy and don’t sell your data for advertising purposes
• Secure and private email services that don’t sell access to your inbox or scan your emails
• Privacy-friendly search engines that don’t spy on your web activity or collect your data

Is your healthcare provider sharing your data?

We’ve just talked about the LinkedIn data leak … but could your healthcare provider be leaking your data too? A recent piece in The Verge discussed the issue of hospitals and healthcare organizations sharing patient data without consent.

Here’s what’s going on. Medical researchers need large data sets to do their work — and to improve treatments and patient outcomes. But the Health Insurance Portability and Accountability Act (HIPAA) prohibits healthcare providers from sharing patient data without consent.

That isn’t the end of the story, however. HIPAA contains a provision that allows for data sharing as long as the data is anonymized. In other words, if a hospital de-identifies your medical records, they can share those records with researchers and other third parties.

If that worries you, you’re not alone. Eric Perakslis, chief science and digital officer at Duke University, says:

I’ve always kind of called de-identification a privacy placebo. It works about as well as the thermostat in a hotel room. There’s a lot of ways around it.

The problem is that de-identified data can sometimes be re-identified by bad actors. And that opens up the door to medical insurance fraud, identity theft, and of course, serious breaches of patient privacy.

But while Perakslis worries that the practice of sharing de-identified patient data could create problems, he’s not totally against it. He points out that there could be many benefits to skilled researchers being able to analyze large data sets. But he cautions that at the moment, researchers aren’t sufficiently aware of the potential privacy risks of what they’re doing. He thinks that the answer is for researchers to consider patient privacy as an integral part of what they’re doing:

I actually don’t believe there’s anything wrong with the technologies. It’s really more a matter of saying, “If we’re going to do this type of research, how do we ensure we’re protecting the people that might be harmed by it?”

An ID in Apple Wallet addendum

On last week’s Checklist, we talked all about ID in Apple Wallet. The new feature will allow users to upload their official ID to their Apple Wallet app.

Our conversation centered around ID in Apple Wallet on iPhones. But there has also been some buzz about how the new digital ID feature will work on Apple Watch.

Two Apple execs recently talked to Yahoo! Finance about the new feature. In the interview, they say that the ID on Watch will work pretty much the same way that Apple Pay does:

Very much like how Apple Pay works, you can digitally present it, and the information can show up for the person who is looking at your ID … and we manage which information is available to which person. Kind of like you do in [the Health app].

Of course, outside of Apple HQ, not everyone uses Apple Pay … or the Health app, for that matter. But it’s still early days, as Apple acknowledges.

A listener writes in

One Checklist listener sent us an insightful comment about last week’s episode. Gary in Boise writes:

Nice episode … however, you didn’t bring this point up. You’re driving and law enforcement pulls you over. You park safely and follow instructions. The officer will undoubtedly request your license and registration then walk back to the patrol vehicle to call you in. I do not want to hand over my iPhone! I have also seen articles that some feel the need to use shortcuts to trigger a recording of any interaction with law enforcement. Again, this will inhibit the use during these circumstances and it was not mentioned.

It’s a great point, and one that deserves real consideration.

On previous Checklists, we’ve talked about the dangers of handing over your device — and even about the steps you can take to prevent unauthorized access to your iPhone by law enforcement! Before last week’s show, we were actually planning a segment on this very topic. But as we discovered, Apple’s implementation of ID in Apple Wallet means that you shouldn’t ever have to give your device to a law enforcement officer or anyone else.

Because the feature works via NFC — just a quick “tap” of your device to another one — you wouldn’t be physically handing your iPhone to an officer. Instead, you’d just tap whatever device they were using to read digital IDs. At least, that’s how Apple envisions it. And since we were covering Apple’s planned implementation on last week’s show, we decided to drop the segment.

However, Gary does raise a valid concern — and he’s in good company. The American Civil Liberties Union (ACLU) also worries that law enforcement officers could abuse digital IDs if they become commonplace. In fact, the ACLU is so concerned that they are urging legal protections to prevent this from happening:

Given rampant questionable police searches of mobile devices, statutory protections against such searches — already needed — will become even more vital if people’s smartphones are to become a central and routine part of interactions with law enforcement

Looking again at ID in Apple Wallet, Apple seems to have worked out the technological side of user privacy pretty well. But as always, the human element is much harder to account for. And if some nefarious authority really wanted to sneak a peek at your iPhone, it’s not hard to imagine them saying: “Sorry, there’s something wrong with my reader. I’m going to need to see your phone for a second …”

Apple’s plan for digital ID does seem solid — technically speaking. But as we know, technology is only as good as the people who use it … or misuse it. It sounds like Gary will be keeping an eye on the issue, and we will too. Many thanks to Gary for listening, and for writing in!

Do you have a comment about a recent Checklist? A question that you’d like to have answered on a future episode? Write to us and let us know! We always love to hear from our listeners. And if you’d like to keep learning about digital security and privacy while you’re waiting for the next Checklist, be sure to check out our show archives.