Cyber Saturday—IBM's Data Privacy, Marriott's Hacked Passports, German Politicians Doxed

Just a couple months ago, IBM CEO Ginni Rometty inveighed against big tech companies abusing people’s data at a privacy conference in Brussels. She cited a “trust crisis,” ascribing its origins to “the irresponsible handling of personal data by a few dominant consumer-facing platforms.” Rometty did not have to identify the subjects of her criticism by name, Facebook no doubt among them, for people to understand her point.

Now IBM finds itself uncomfortably lumped in with the offenders. The office of the city attorney of Los Angeles has filed suit against an IBM subsidiary for allegedly “deceiving users” about the business unit’s questionable data privacy practices, as the lawsuit states. The city’s complaint follows a recent investigation by the New York Times which drew attention to consumer data exploitation by The Weather Channel app, a forecasting service owned by The Weather Company, whose assets IBM bought for a reported $2 billion in 2015. (It is perhaps worth noting that David Kenny, former CEO of The Weather Company and later head of IBM’s artificial intelligence business, recently became CEO of Nielsen, the world’s largest market research company.)

Here’s the heart of the controversy: When The Weather Channel app requests permission to access a user’s location, it says it requires the information to offer “personalized local weather data, alerts and forecasts.” The app’s automatic pop-up box fails to mention that The Weather Company reserves the right to sell people’s geolocation data to advertisers and other third parties, like hedge funds, for a profit. That information is instead tucked away in a separate, nearly 10,000-word privacy policy, which one must seek out.

IBM maintains that its subsidiary has done no wrong. In response to the lawsuit, Saswato Das, an IBM spokesperson, said in a statement emailed to Fortune that “The Weather Company has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously.”

That’s one view. Another view is that The Weather Company breached people’s trust in a way that recalls the transgressions of rival tech companies—transgressions Rometty herself criticized.

In truth, no one’s hands are entirely clean, even if some infractions are more glaring than others. When Facebook CEO Mark Zuckerberg last year told Congress that Facebook users are in control of their data and can delete them as they please, he subsequently dodged questions about so-called shadow profiles, the data his company maintains on people who are not users of Facebook services. Or consider Apple CEO Tim Cook, known to raise a stink about the “surveillance” practices of competitors, as he put it, while also speaking in Brussels. Cook stopped just short of naming the likes of Google and Facebook in his denunciation of advertising-based businesses; never mind that Google reportedly pays Apple billions of dollars to make its self-named search engine the default for Safari, Apple’s web browser.

Is it any wonder the world is undergoing a crisis of trust? Data privacy disclosures ought to be crystal clear. There should be no uncertainty about how one’s data are being used or where they’re flowing. During her talk in Brussels, Rometty told the audience that consumers “have very little power against the dominant internet platform companies.” In the absence of informed consent, she’s right.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Passport photos taken here. Marriott disclosed Friday that roughly 5 million unencrypted passport numbers were stolen by hackers in a recent, massive data breach. The hotelier also marked down the total number of customers whose records were looted, estimating up to 383 million people’s records were lost compared to its original estimate of around 500 million. The company has not attributed the attack, although experts suspect it to have been the work of Chinese spies.

Breach at the Bundestag. Hundreds of German lawmakers, including Chancellor Angela Merkel, had their private information—including email addresses, cellphone numbers, and purported chat transcripts—exposed by a Twitter account using the name “G0d” and the handle “@_0rbit.” Twitter suspended the hackers’ account hours after its discovery, despite the account having steadily leaked data over the course of December. It’s unclear how the hacked data were obtained; oddly, the data dump spared members of the country’s far-right Alternative for Germany political party.

Apologies to my censors. The New York Times shined a light on the operations of a “censorship factory” tasked with scrubbing China’s Internet of references to politically sensitive information and commentary. The company, Beijing-based Beyondsoft, follows the orders of China’s Communist Party in eradicating certain content from the web, such as photos of top politicians and references to Nobel Peace Prize-winning dissidents.

I’ve just seen a face. Confusion over biometric privacy laws in the U.S. is leading to different outcomes for tech giants embroiled in legal disputes over facial scanning. An Illinois court recently ruled that Google did not flout local laws by using facial-scanning to help people organize photo galleries through its Photos service. Facebook, on the other hand, is appealing a ruling that its face-identifying “tag” tool violated similar laws. Here, Fortune analyzes the differences between the two cases.

What to do when the rent is too damn high.

Share today’s Cyber Saturday with a friend:

http://fortune.com/newsletter/cybersaturday/

Looking for previous Data Sheets? Click here

ACCESS GRANTED

Real-life river monster. Candiru, a company that is likely Israel’s second-biggest specialty hacking shop, was known to few people until earlier this week. TheMarker, a Hebrew-language business newspaper, published an investigation purporting to out the firm and its executives. Amazingly, one of the reporters said in a post on Twitter that a random Facebook post by a food-catering company helped confirm his team’s reporting.

If you enter the lobby of the Tel Aviv building that acts as its headquarters, you won’t find its name in the directory. You also won’t find a website for it because it doesn’t have one. Its 120 or so employees don’t post profiles on LinkedIn and sign strict confidentiality agreements. Inquiries by TheMarker elicited a polite but firm “no comment.”

The company is known as Candiru, named after an Amazon fish known for its alleged tendency to invade and parasitize the human urethra. The name fits the company’s business, which is offensive cyber, the technology used to hack into computers or smartphones and spy on users.

FORTUNE RECON

These Were the Worst Data Breaches and Vulnerabilities of 2018 by Danielle Abril

From Bad to Worse: Tech’s Biggest Stumbles in 2018 by Eric Zeman

U.S. Demands That Russia Release Retired Marine Accused of Spying by David Meyer

Advancing Both A.I. and Privacy Is Not a Zero-Sum Game by Casimir Wierzynski and Abigail Hing Wen

A New Business Internet Scam Puts Companies in Legal Hot Water by Erik Sherman

An Astronaut Accidentally Called 911 From Space, Causing a Scare at NASA by Emily Price

Why Parents Shouldn’t Worry About Their Kid’s Screen Time by Grace Dobush

ONE MORE THING

The Lost Cities of A to Z. El Dorado. Atlantis. Sasquatch. Many myths and legends are the offspring of historical accounts, distorted and embellished through the faults of oral tradition—a centuries-long game of telephone. Yet there is truth in story. The Kraken found a real-world analog in the giant squid. The Yeti is probably the Tibetan blue bear, misidentified by panicky mountaineers. And Atlantis, an allegorical invention by Plato, may have had its roots in ancient Greek cities overwhelmed by the sea. As Noah Charney, an art historian and author, writes for the Art Newspaper, “myths can lead us to real findings.”