This is The Download, a weekday recap of the top technology headlines.
St. Louis rideshare driver has live-streamed hundreds of rides on Twitch without passenger consent; companies claim practice is legal in Missouri
Jason Gargac, a 32-year-old Uber and Lyft driver in St. Louis, Missouri has given around 700 rides since March 2018, with nearly all of them being live-streamed on Twitch without passenger consent. The St. Louis Post-Dispatch detailed Gargac’s actions in lengthy detail by taking advantage of the state’s one-party consent laws. At times, Gargac has inadvertently revealed his riders’ full names and what their homes and neighborhoods look like on his channel.
According to Gargac, he stumbled upon the trend of streaming his passengers on Twitch and decided to try it himself. He is one of the few in Missouri that have done so without asking for the passengers’ permission first. Gargac has a $3,000 camera setup, including front-facing and rear-facing cameras that show the interior of the car and the environment he’s driving in. He has roughly 4,350 Twitch followers, with roughly 100 of them paying at least $5/month to subscribe to the channel and support it financially.
Though many of the interactions are comical or congenial, the Twitch audience can be less than pleasant. Viewers sometimes mock individuals, rate the attractiveness of female passengers, and push the limits of what’s acceptable on Twitch. Gargac told the St. Louis Post-Dispatch that he was forced to create on-screen graphics to prevent his viewers from selectively “clipping” short clips and upskirt shots of female passengers. He’s also had to preemptively mute his microphone whenever personal information is disclosed on his stream, but Gargac doesn’t have complete control over what gets out to the stream.
“I have sex in my bedroom. I don’t have sex in strangers’ cars. Because I have a reasonable expectation of privacy in the bedroom in my own house. I don’t have that in a stranger’s car. If something happens, immediately there can be a response versus hopefully you’ll find my truck in a ditch three years later.”
Jason Gargac; Uber & Lyft driver, to the St. Louis Post-Dispatch
Despite the murky moral consequences of doing this, Gargac is in the clear of consequences from Uber, Lyft, and the state of Missouri. The state can’t do anything about it since he’s not breaking its one-party consent laws. Neither Uber nor Lyft confirmed to the Post-Dispatch that Gargac broke any of their terms, with both companies noting that drivers are responsible for following local laws.
“Recording passengers without their consent is illegal in some states, but not Missouri.”
Uber, in a statement to the St. Louis Post-Dispatch
Venmo: User transaction history public by default because it’s fun to share info with friends, option to go private clearly marked in app
If you haven’t noticed, Venmo requires users to make their transaction history private if they don’t want people to see when they buy things.
Why? Because the PayPal-owned payment app doubles as a social network.
“We make it default because it’s fun to share with friends in the social world. [We’ve seen that] people open up Venmo to see what their family and friends are up to.”
A Venmo representative, to CNET
Venmo sees transactions as a way to interact, just like status updates and tweets.
According to a researcher in Berlin cited by ZDNet, roughly 207 million transactions are already public and searchable on Venmo.
The representative noted that lots of social platforms set their newsfeeds public by default, and that the option to go private is clearly marked in the app.
“Our response to [privacy concerns] is giving customers a choice to choose private or public for each transaction in the right-hand corner.”
A Venmo representative
Facebook suspends Crimson Hexagon data analytics firm as it investigates company’s government contracts
Facebook has suspended Crimson Hexagon, a Boston-based data analytics company, as the company investigates Crimson Hexagon’s contracts with government agencies and whether the firm violated any of Facebook’s developer policies.
Crimson Hexagon pulls public data from social media platforms like Facebook and Instagram to get aggregate insights into consumer behavior. The company advertises Walmart, ABInBev (makers of Budweiser), and Adidas among its customers, but it also has contracts with multiple US government agencies including the State Department and the Department of Homeland Security. Hexagon also counts a Russian nonprofit that used Crimson Hexagon to research Russians’ opinions of President Vladimir Putin’s government.
According to a Facebook spokesperson, Crimson Hexagon didn’t access any data from Facebook and Instagram inappropriately based on its initial findings and the company will be continuing its investigation over the coming days. Facebook’s developer policy says that data obtained form Facebook can’t be used in surveillance tools – a concern particularly when working with government agencies.
“Facebook has a responsibility to help protect people’s information, which is one of the reasons why we have tightened access to user data in many ways in recent years.”
Ime Archibong; Facebook vice president for product partnerships, in a statement
Crimson Hexagon CTO Chris Bingham released a blog post shortly after the Wall Street Journal broke the news of the firm’s suspension where he stressed that Crimson Hexagon only collects public user data and drew distinctions between it and Cambridge Analytica.
“What Cambridge Analytica did was explicitly illegal, while the collection of public data is completely legal and sanctioned by the data providers that Crimson engages with, including Twitter and Facebook, among others.”
Chris Bingham, Crimson Hexagon CTO
Bingham said that the company vets the use cases of “all potential government customers that inquire about the platform.” In a statement, Crimson Hexagon said that it’s “fully cooperating” with Facebook.
Facebook plans to launch Athena internet satellite starting next year
Facebook has confirmed that it’s working on Athena, an experimental satellite that could beam internet connectivity to Earth with millimeter wave radio signals.
“While we have nothing to share about specific projects at this time, we believe satellite technology will be an important enabler of the next generation of broadband infrastructure, making it possible to bring broadband connectivity to rural regions where internet connectivity is lacking or non-existent.”
A Facebook spokesperson, to Wired and CNET
Wired used a Freedom of Information Act request to get emails from the FCC that reportedly show that Facebook plans to launch Athena in early 2019.
Sensitive documents from over 100 companies were exposed on publicly accessible server from Level One Robotics
Security researcher UpGuard Cyber Risk disclosed that sensitive documents from over 100 manufacturing companies, including GM, Fiat Chrysler, Ford, Tesla, Toyota, ThyssenKrupp, and Volkswagen were exposed on a publicly accessible server from Level One Robotics.
The exposure came through rsync, a common file transfer protocol that’s used to backup large data sets.
According to the security researchers, restrictions weren’t placed on the rsync server. That means that any rsync client connected to the rsync port had access to download the data. UpGuard Cyber Risk published an account of how it discovered the data breach to show how a company within a supply chain can affect large companies with seemingly tight security protocols.
This means that someone could access trade secrets closely protected by automakers if they knew where to look.
The breach exposed 157 GB of data, covering 10 years of assembly lines of assembly line schematics, factory floor plans and layouts, robotic configurations, along with documentation, ID badge request forms, and VPN access request forms. The breach even included sensitive non-disclose agreements from companies like Tesla.
Personal details of some Level One employees, including scans of drivers’ licenses and passports, and Level One business data, including invoices, contracts, and bank account details.
The security team discovered the breach July 1, reached Level One by July 9, and the exposure was closed by the following day.
Google will redirect duck.com to page linking to DuckDuckGo, Wikipedia, others
Google owns duck.com. Why is that important? Well, it’s been a sore subject for rival search engine DuckDuckGo for over six years.
However, Google has relented. Google communications VP Rob Shilkin tweeted that a new landing page will give people the option to get to DuckDuckGo, the Wikipedia page for ducks, or to ducks.com (which is owned by Bass Pro Shops).
Either way, DuckDuckGo is happy with the change with its CEO and founder Gabriel Weinberg tweeting his thanks and an additional request:
If you’re not seeing the new landing page, try clearing your browser cache. According to Google, it’s only a matter of time before it finishes rolling out across the web.
In other news…
- Snap will abandon Snapcash, the peer-to-peer payment service launched within Snapchat in partnership with Square, on August 30.
- Trill Project, an anonymous social networking site started by three high school girls, has launched out of private beta with the goal to help people safely express themselves online.
- Apple has launched a new event designed to help people better understand how to use their HomePod speakers via live online chat. The experts will be on standby on July 25 from 11am-3pm PT (2-6pm ET).
- Nickelodeon has launched Screens Up, an AR app that lets viewers use their phones in conjunction with its live programming. Viewers can pull out their phones at specific moments during a broadcast (like during a Double Dare physical challenge, for example) to augment their experience.
- Samsung has launched a Back to School sale on several of the company’s laptops, TVs, and other products that runs until July 28.