A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.

**Hausler, Micah**

unread,

Jul 11, 2022, 6:40:08 PM (yesterday) Jul 11

to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. 

This issue has been rated **high** (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385

**Am I vulnerable?**

Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username.

**Affected Versions**

*   v0.5.2 - v0.5.8

**How do I mitigate this vulnerability?**

Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.

**Fixed Versions**

*   aws-iam-authenticator v0.5.9

**Detection**

This issue affected the logged identity, and is not discernible from valid requests.

**Additional Details**

See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472

**Acknowledgements**

This vulnerability was reported by Gafnit Amiga from Lightspin

Micah Hausler

Principal Engineer

Amazon Web Services

CVE-2022-2385: [Security Advisory] CVE-2022-2385: AccessKeyID validation bypass

Nautilus treadmills T616 S/N 100672PRO21140001 through 100672PRO21171980 and T618 S/N 100647PRO21130111 through 100647PRO21183960 with software before 2022-06-09 allow physically proximate attackers to cause a denial of service (fall) by connecting the power cord to a 120V circuit (which may lead to self-starting at an inopportune time).

*   Recalled Nautilus T618 Treadmill
    
*   Recalled Nautilus T616 Treadmill
    

Name of Product:

Nautilus Treadmills

Hazard:

The treadmills can start on their own, posing a fall hazard to a user.

Recall Date:

June 09, 2022

**Recall Details**

Description:

This recall involves Nautilus treadmills with model number T616 and serial numbers 100672PRO21140001 through 100672PRO21171980 and with model number T618 and serial numbers 100647PRO21130111 through 100647PRO21183960.  Nautilus and the model number are printed on the plastic shroud at the front of the treadmill’s walking belt. The serial number is on the base-frame of the treadmill beneath the belt.

Remedy:

Consumers should immediately stop using the recalled treadmills and contact Nautilus to receive a free USB flash drive with a software upgrade and installation instructions. Nautilus will automatically ship the USB flash drive and instructions at no cost to customers who purchased the treadmills directly from Nautilus. The instructions will direct consumers to plug the flash drive into the USB port on the treadmill to upload the software upgrade. 

Incidents/Injuries:

Nautilus has received 21 reports of the treadmills self-starting. No injuries have been reported.

Sold At:

Best Buy, Walmart and other stores nationwide and online at www.Nautilus.com and www.Amazon.com from April 2021 through November 2021 for about $1,150 for Model T616 and about $1,500 for Model T618.

Manufacturer(s):

Zhejiang Arcana Power Health Tech. CO. LTD., of China

Importer(s):

Nautilus Inc., of Vancouver, Wash.

This recall was conducted, voluntarily by the company, under CPSC’s Fast Track Recall process. Fast Track recalls are initiated by firms, who commit to work with CPSC to quickly announce the recall and remedy to protect consumers.

About the U.S. CPSC

The U.S. Consumer Product Safety Commission (CPSC) is charged with protecting the public from unreasonable risk of injury or death associated with the use of thousands of types of consumer products. Deaths, injuries, and property damage from consumer product-related incidents cost the nation more than $1 trillion annually. CPSC's work to ensure the safety of consumer products has contributed to a decline in the rate of injuries associated with consumer products over the past 50 years.

Federal law prohibits any person from selling products subject to a Commission ordered recall or a voluntary recall undertaken in consultation with the CPSC.

For lifesaving information:

*   Visit CPSC.gov.
*   Sign up to receive our e-mail alerts.
*   Follow us on Facebook, Instagram @USCPSC and Twitter @USCPSC.
*   Report a dangerous product or a product-related injury on www.SaferProducts.gov.
*   Call CPSC’s Hotline at 800-638-2772 (TTY 301-595-7054).
*   Contact a media specialist.

CVE-2022-35648: Nautilus Recalls Treadmills Due to Fall Hazard

The new open source security-as-code platform will help developers and security teams automatically detect security policy violations across the organization's cloud infrastructure.

As more organizations migrate their data, applications, and workloads to the cloud, securing the infrastructure remains a challenge. Security teams don't always know exactly what is happening within each cloud environment, making it difficult to detect when security policies are being violated.

That's the problem Paladin Cloud aims to solve with its security-as-code platform.

Paladin Cloud’s platform is intended to help developers and DevOps teams safeguard their applications and data, both in testing and production. It accomplishes this goal by providing teams with full visibility into the organization's various cloud services and systems. The platform includes a plug-in-based architecture that helps developers connect to and ingest data from sources including code repositories, threat intelligence systems, container scanning, API gateways, and cloud-based enterprise systems such as Kubernetes.

Supported vendor systems include Qualys Vulnerability Assessment Platform, Bitbucket, Trend Micro Deep Security, Tripwire, Venafi Certificate Management, and Red Hat. Security teams can write rules based on data collected by these plugins to get a complete picture of the organization's cloud security posture.

"The platform discovers assets, evaluates policy, creates issues for policy violations, and prioritizes remediation," according to a page on Paladin Cloud's GitHub repository. If fixes for policy violations have already been defined, then the platform can go ahead and execute those actions to remediate the issues. This way, the platform provides automatic detection and remediation of violations, such as unauthorized access, misconfigured systems, and insecure APIs.

Organizations can also take advantage of the platform's extensible policy management to oversee hybrid clouds, where the data and applications are hosted on both public and private infrastructure.

Paladin Cloud lists various out-of-the-box features on its GitHub page, including continuous asset discovery, ability to search all discovered resources, custom policies and custom auto-fix actions, dynamic asset grouping to view compliance, exception management, OAuth2 support, and role-based access control.

The platform is now generally available for Amazon Web Services, Google Cloud, and Microsoft Azure. Along with announcing the platform's availability, the company announced a $3.3 million seed financing round.

Paladin Cloud Launches New Cloud Security and Governance Platform

"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.

The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication. 

Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

**How HavanaCrypt Works**

HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.

"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."

The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."

Fake Google Software Updates Spread New Ransomware

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.

CVE-2021-4234: Access Server Release Notes | OpenVPN

The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide.

A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.

The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.

The PII ranged from photos of airline employees and national ID cards — which could present a serious threat if leveraged by terrorist groups or criminal organizations — to information about planes, fuel lines, and GPS map coordinates.

The bucket (now secured) contained information dating back to 2018, the report says, noting Android mobile apps also were contained within buckets, which security personnel tap to help with incident reporting and data handling.

"Airport security protects the lives of travelers and airport staff," the report explains. "As such, this breach is extremely dangerous with potentially devastating consequences should the bucket’s content end up in the wrong hands."  

As travel picks up dramatically following restrictions during the pandemic, Fortune Business Insights found that the global smart airport market size is set to be driven by the rising preference of the masses for air travel. The report also says that the expansion of commercial aviation is set to affect the market positively in the coming years, as airports increasingly turn to cloud service providers to house and process massive amounts of passenger and operational data.

Perhaps it's no wonder that travel-related organizations have been increasingly targeted of late. For instance, airlines have been the target of ransomware this year, including India's low-cost carrier SpiceJet, which weathered an attack in May that caused widespread flight delays. 

At the same time, multiple cybercrime groups have been spotted selling stolen credentials and other sensitive PII pilfered from travel-related websites and cloud databases, according to security firm Intel 471's tracking.

**Cloud Security Still Porous**

Back in 2019, Gartner stated that "90% of organizations that fail to control public cloud use will inappropriately share sensitive data." And that worry continues today: A recent IDC survey of CISOs in the US found that 80% of respondents are not able to identify excessive access to sensitive data in cloud production environments.

"Unfortunately, news headlines like these highlight examples of a data breach due to a simple, but harmful misconfiguration: an unsecured, exposed cloud storage service," according to Skyhigh's analysis. "Complexities around identity management, access permissions, secure configurations, data protection, and so much more, continuously result in poor cloud security hygiene and ultimately, data exposures."

And indeed, there has been no shortage of cloud security incidents recently — with misconfigurations leading the way. Cybercrime goals in subverting open databases can go beyond data pilfering, it should be noted, as shown by the recent discovery of Denonia, a Go-language-based cryptominer malware. It's designed to exploit AWS Lambda, the serverless function execution service.

Also, vulnerabilities in cloud products and services have become a growing concern for organizations, with a Linux container-escape flaw in Microsoft's Azure Service Fabric among the latest vulnerabilities disclosed.

The good news? One potential cloud security resource was recently established by security researchers at Wiz in the form of a community-based database — cloudvulndb.org — which currently lists some 70 cloud security issues and vulnerabilities.

**How to Protect Against Cloud Threats**

A recent survey of 500 security practitioners and 200 executives, conducted by cloud automation firm Lacework, indicated organizations must change the way they're securing cloud infrastructure and services.

Skyhigh’s report notes increasing read/write privileges are often the go-to for further strengthening cloud security. However, "in reality it will take far more than that; thanks to the extensive manners by which cloud storages can be accessed and misused," the report states.

So, other measures that the firm said should be implemented include: 

*   Enable automatic scanning for vulnerable storage across AWS S3 buckets and Azure Blobs.
*   Use continuous configuration audits for IaaS accounts and services to enforce consistent protection.
*   Enforce compliance checks against industry best practices to maintain secure postures.
*   Run data loss prevention and malware scans to detect violations in cloud-storage services and protect sensitive data from being exfiltrated.
*   Put measures in place to detect insider threats as well as threats from compromised accounts and privileged-access misuse.
*   And apply automatic remediation to take appropriate action against misconfigurations, vulnerabilities, and exposures.

Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake'

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

You don't have to be in the security biz for safety to be your top concern. What do you think is going on here? Send us your caption ideas for the above cartoon, and the winner of The Edge's July contest will receive a $25 Amazon gift card. We offer four convenient ways for you to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge July 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, July 28, 2022.

**Last Month's Winner**

Many readers stepped up to the plate with witty captions for last month's cartoon contest. (We thank you!) Congratulations go to Beth Lawler, case manager at Lowenstein Sandler LLP, for the caption appears below. Your Amazon gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: On Guard

Ubuntu Security Notice 5500-1 - Eric Biederman discovered that the cgroup process migration implementation in the Linux kernel did not perform permission checks correctly in some situations. A local attacker could possibly use this to gain administrative privileges. Lin Ma discovered that the NFC Controller Interface implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5500-1July 01, 2022linux, linux-aws vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systemsDetails:Eric Biederman discovered that the cgroup process migration implementationin the Linux kernel did not perform permission checks correctly in somesituations. A local attacker could possibly use this to gain administrativeprivileges. (CVE-2021-4197)Lin Ma discovered that the NFC Controller Interface (NCI) implementation inthe Linux kernel contained a race condition, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2021-4202)It was discovered that the PF_KEYv2 implementation in the Linux kernel didnot properly initialize kernel memory in some situations. A local attackercould use this to expose sensitive information (kernel memory).(CVE-2022-1353)It was discovered that the virtual graphics memory manager implementationin the Linux kernel was subject to a race condition, potentially leading toan information leak. (CVE-2022-1419)Minh Yuan discovered that the floppy disk driver in the Linux kernelcontained a race condition, leading to a use-after-free vulnerability. Alocal attacker could possibly use this to cause a denial of service (systemcrash) or execute arbitrary code. (CVE-2022-1652)It was discovered that the Atheros ath9k wireless device driver in theLinux kernel did not properly handle some error conditions, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2022-1679)It was discovered that the Marvell NFC device driver implementation in theLinux kernel did not properly perform memory cleanup operations in somesituations, leading to a use-after-free vulnerability. A local attackercould possibly use this to cause a denial of service (system) or executearbitrary code. (CVE-2022-1734)赵子轩 discovered that the 802.2 LLC type 2 driver in the Linux kernel did notproperly perform reference counting in some error conditions. A localattacker could use this to cause a denial of service. (CVE-2022-28356)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  linux-image-4.4.0-1145-aws      4.4.0-1145.160  linux-image-4.4.0-229-generic   4.4.0-229.263  linux-image-4.4.0-229-lowlatency  4.4.0-229.263  linux-image-aws                 4.4.0.1145.149  linux-image-generic             4.4.0.229.235  linux-image-lowlatency          4.4.0.229.235  linux-image-virtual             4.4.0.229.235After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-5500-1  CVE-2021-4197, CVE-2021-4202, CVE-2022-1353, CVE-2022-1419,  CVE-2022-1652, CVE-2022-1679, CVE-2022-1734, CVE-2022-28356

Ubuntu Security Notice USN-5500-1

A new bill proposes the strongest Federal data privacy protections yet for reproductive and sexual health data.
The post My Body, My Data Act would lock down reproductive and sexual health data appeared first on Malwarebytes Labs.

A new bill entered into both the House of Representatives and the Senate proposes the strongest Federal data privacy protections yet for an increasingly scrutinized form of data in the United States—reproductive and sexual health data.

The “My Body, My Data Act of 2022” was announced in early June in response to a leaked draft of a Supreme Court opinion that reported to show the Court’s intentions to overturn a seminal decision from 1973 that guaranteed a Constitutional right to have a choice to an abortion. Congresswoman Sara Jacobs (D-CA), sponsor of the bill in the House of Representatives, said in a press release that she was focused on protecting reproductive health data in light of the new,  judicial threat.

“Since the Supreme Court leak, I’ve heard from so many people who are panicked about their personal reproductive health data falling into the wrong hands,” Jacobs said. “The My Body, My Data Act will protect that information, protect our privacy, and reaffirm our rights to make our own decisions about our bodies.”

The bill, which has 46 cosponsors in the House and 11 cosponsors in the Senate, would stop companies from collecting, using, retaining, and disclosing “personal reproductive or sexual health information” unless a company first receives express consent from a user or if a company is using such information to specifically deliver a service that a user has requested. The bill’s definition of “personal reproductive or sexual health information” is broad, including any information that could reveal a person’s attempts to “research or obtain” reproductive health services, any reproductive or sexual health conditions, such as pregnancy, menstruation, and whether a person is sexually active, and any information about procedures that a person has undergone related to reproductive or sexual health.

If passed, the bill would also extend new rights to consumers to access and delete personal reproductive or sexual health information from the companies that collect it.

Since the bill’s announcement last month, it has only gained more attention.

On June 24, the Supreme Court decided in the case _Dobbs v. Jackson Women’s Health Organization_ that the right to an abortion, which was guaranteed under a right to privacy as decided in 1973, was not “deeply rooted in this Nation’s history or tradition.” Voting 6 – 3, the Court overturned _Roe v. Wade_.

With the Court’s decision, immediate fear arose that reproductive health data could be requested by law enforcement only to be used as evidence to prosecute individuals seeking abortions—or even those who miscarried. The Digital Defense Fund responded to the Court’s decision by updating its resources on how individuals can keep their reproductive health decisions both private and secure. The group’s resources include a section on keeping reproductive health data out of the hands of “Big Tech.”

Further, several period-tracking apps independently announced efforts to anonymize user data so that even if law enforcement requested data about certain users, those companies could not respond in a meaningful way. Users have reportedly flocked to period-tracking apps that are making these promises, but as TechCrunch recently uncovered, one such company that announced new, pro-user plans last week—Stardust—was still sharing users’ phone numbers with third parties.

> “TechCrunch ran a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user logs into the app using their phone number (rather than through a login service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel.”

TechCrunch also reported that Stardust’s efforts to bring “end-to-end encryption” were potentially faulty, as the company’s founder described a data transfer process that may only provide encryption for data in transit and for data that is stored on Amazon’s web servers.  

The period-tracking app morass is familiar, then: Once again, users in America of any number of services are left to independently manage their interactions with companies that could be sharing their data with an immeasurable number of third parties which, to most consumers, are entirely unknown.

The My Body, My Data Act could change that, requiring new restrictions not on how data is technologically stored, but on whether such data is ever collected in the first place.

The bill also includes what is called a “private right of action,” meaning that consumers who have had their privacy rights violated under the law could be able to sue individual companies for those violations. The inclusion of a private right of action is exceedingly rare in nearly any data privacy law that has been introduced in both statewide legislation and before the Federal government.

The bill is currently supported by Planned Parenthood, NARAL, National Abortion Federation, URGE, National Partnership for Women & Families, and Feminist Majority.

Tag

#amazon