The biggest privacy outrages in 2014

Fan Chelsea Boyce, left, takes a selfie with actress Jennifer Lawrence on Nov. 17 at a Los Angeles event celebrating the release of "The Hunger Games: Mockingjay - Part 1." Lawrence was one of dozens of actresses whose more intimate selfies and photos were made public by hackers earlier in 2014. (Michael Buckner / Getty Images for Samsung)

If 2013 was the year Edward Snowden revealed how extensively our government has been snooping on us, 2014 was the year we learned -- again -- how little respect tech companies have for our privacy.

The media were filled with privacy outrages in 2014, from the thin safeguards on Apple's online storage service to the creepy social experiments conducted by the likes of Facebook. Here are some of the most noteworthy.





An earlier version of this post identified Clay Johnson as being "of Blue State Digital, the online campaign experts that then-Sen. Barack Obama employed in 2008." Johnson was a co-founder of the group, but he'd left by the time he made the comments quoted in the piece.


Jennifer Lawrence, in the flesh

"The Hunger Games" actress was one of dozens of women whose revealing selfies apparently made their way from Apple's iCloud storage site to a voyeuristic bulletin board on the 4chan website in August and September.


Apple insisted that iCloud had not been hacked, but analysts suspected that one or more data thieves obtained the photos by guessing the victims' passwords. Such a technique was possible because iCloud didn't require two-factor authentication or limit the number of unsuccessful attempts to guess a person's password via the Find My Phone app. The company has since addressed the latter flaw.

The incident sparked a wholly irrelevant debate about whether famous women should ever photograph themselves disrobed or, if they do, whether they should save those photos anywhere that's not protected by a 2-inch-thick steel door and a robotic pit bull. On the plus side, it alerted people to the fact that their phones may be copying material automatically to the Internet, where it is more vulnerable to theft.

Some of the victims said they had deleted the selfies from their phones long ago, and were unaware that copies lived on in the cloud. Lesson learned.

Taking behavioral targeting to the next level

ING, a major Dutch bank, announced a novel initiative in March that must have seemed like a good idea to someone at the time: It would deliver targeted ads to its customers based on how they'd been spending their money. The program was styled as a pilot project, starting with thousands of ING customers and growing from there.

As ZDNet's Martin Gijzemijter explained, the plan was to treat personal bank records the way Google's Gmail treats emails. A team of bank employees would develop profiles of customers based on their debit- and credit-card transactions, then use those profiles to put advertisers' messages in front of the most receptive audience.

I mean, who wouldn't want their bank poring over their purchases in order to reveal their interests to big box stores, fast-food chains, drug companies, fitness centers and the like? Just think how grateful you'll be when you receive coupons for your favorite hemorrhoid cream. Or for bail bondsmen.

A Dutch consumer group denounced the plan and questioned its legality, and shortly thereafter ING announced in an open letter that it was putting the trial run on hold. "Whether we will actually launch a pilot with a select group of interested customers, when, and under what conditions, will be determined after these conversations," the company's chairman wrote. How reassuring.


Emotion contagion -- and manipulation

In June, three data scientists published a peer-reviewed research paper revealing that they had manipulated hundreds of thousands of Facebook users' news feeds for a week to see how they would respond. Specifically, the scientists used software to analyze the emotional content of posts, then altered the news feeds for some users to pack in more happy posts, and for others to make them disproportionately sad.

The result was that users shown a lot of cheery posts had a slightly stronger tendency to employ a few cheerier words themselves, and those shown unhappy posts were a little more likely to wallow in their own suffering. Groundbreaking research, that. As it happens, however, the company's data use policy didn't permit that kind of tinkering at the time.

The blowback was fierce. The Electronic Privacy Information Center filed a complaint with the Federal Trade Commission, and officials of several European countries said they would conduct their own probes.

The Guardian quoted Clay Johnson, formerly of Blue State Digital and the Sunlight Foundation, saying on Twitter that Facebook had conducted a "terrifying" experiment in the "transmission of anger."

"He asked: 'Could the CIA incite revolution in Sudan by pressuring Facebook to promote discontent? Should that be legal? Could Mark Zuckerberg swing an election by promoting Upworthy [a website aggregating viral content] posts two weeks beforehand? Should that be legal?'"

Facebook executives issued at least three apologies for the work, and pledged to follow new guidelines and give research projects a closer look before greenlighting them.

Exactly how Facebook determines which items to put in a user's news feed and what order to put them in is a mystery, given that the company doesn't disclose its algorithms. But at least now people know that the company thinks it's OK to monkey with individuals' feeds for the purpose of questionable social science, and possibly more nefarious ends.

We experiment on human beings!

That's the actual title of a blog post in July by Christian Rudder, one of the founders of the online dating site OkCupid. In it, Rudder offered an apologia for companies that treat their customers as guinea pigs:


"OkCupid doesn't really know what it's doing," Rudder wrote. "Neither does any other website. It's not like people have been building these things for very long, or you can go look up a blueprint or something. Most ideas are bad. Even good ideas could be better. Experiments are how you sort all this out....

"We noticed recently that people didn't like it when Facebook 'experimented' with their news feed. Even the FTC is getting involved. But guess what, everybody: if you use the Internet, you're the subject of hundreds of experiments at any given time, on every site. That's how websites work."

That sounds reasonable enough. And two of the three bits of research that Rudder detailed in the post seemed reasonable too, because they involved looking for behavioral patterns in the data generated by people using the site.

The third one, however, involved surreptitiously changing what the site told its users about other OkCupid customers. Specifically, it told some unwitting users that people the site thought would be bad matches would actually be exceptionally good ones. As a result, it found that simply telling people they were a good match led them to behave as if they were, "even if they should be wrong for each other."

The revelation maddened some OkCupid users, but the Interwebs were surprisingly equanimous about it. As it happens, lots of sites experiment on their users, the poor saps.

The big Snapchat reveal

In a development that should have surprised absolutely no one, one or more hackers assembled a gallery in October of more than 100,000 purloined images and videos that people had sent via Snapchat, an app that enables people to share images and videos that disappear within a few seconds.

The problem with Snapchat is that its service has been hijacked by other developers, whose apps enable people to make permanent copies of the supposedly temporary files they receive from Snapchat users. Some of those apps store these permanent copies in the cloud, creating inviting targets for Peeping Tom hackers.

The moral of the story is not that people shouldn't trust the privacy promises of companies such as Snapchat -- that's a given. The moral is that people who want to keep something secret shouldn't share it with anyone online, friends included.

You too have the new U2 record!

When it unveiled its new iPhones in September, Apple surprised its customers by announcing that every user with an iTunes account around the world would receive a free copy of the new U2 long-player, "Songs of Innocence." And because many of said users' iTunes software was set to download "purchased" content automatically, "Songs of Innocence" showed up on all their Apple devices like an uninvited houseguest.

So, instead of Apple being showered with the thanks of a grateful iNation, it was pummeled with complaints from people who stopped liking U2 after "Achtung Baby" (with the obvious exception of "Beautiful Day," because you'd have to be dead not to love that song). Anyway, Apple responded a few days later by creating a site to help people delete the album, and U2's Bono apologized a month later for the band having gotten "carried away with ourselves."

The message that shouldn't be lost on the Interwebs is that people feel invaded not just when files are taken from their personal accounts, but also when they're planted there.

Uber's 'God View'

2014 wasn't a good year for Uber. After an Uber driver struck and killed a 6-year-old girl in a San Francisco crosswalk on New Year's Eve, lawmakers and state regulators rushed to apply expensive new insurance mandates to fill a glaring gap in coverage. Later, its cutthroat competitive tactics grabbed headlines, as did a top executive's threats to attack the reputation of a female journalist who had criticized the company.

But the worst of the largely self-inflicted wounds came when an Uber executive told a second female reporter that he'd tracked her while she was being ferried to their meeting by an Uber driver. According to BuzzFeed, Uber corporate employees have access to a function called "God's View" that lets them see where cars and customers are in real time.

The company responded by publishing a privacy policy, declaring that rider and driver data could be accessed only for "legitimate business purposes" including detecting fraud and troubleshooting bugs in the Uber app. (Lyft took steps to limit employee access to rider data too.) All the same, the revelation led Sen. Al Franken (D-Minn.) to demand an explanation from Uber for its handling of customer data, while more pundits urged readers to delete their Uber apps and find other ways to get from point A to point B.



Follow Healey's intermittent Twitter feed: @jcahealey