Privacy

Data Broker's 'Staggering' Sale of Sensitive Info Exposed in Unsealed FTC Filing (arstechnica.com) 30

One of the world's largest mobile data brokers, Kochava, has lost its battle to stop the Federal Trade Commission from revealing what the FTC has alleged is a disturbing, widespread pattern of unfair use and sale of sensitive data without consent from hundreds of millions of people. ArsTechnica: US District Judge B. Lynn Winmill recently unsealed a court filing, an amended complaint that perhaps contains the most evidence yet gathered by the FTC in its long-standing mission to crack down on data brokers allegedly "substantially" harming consumers by invading their privacy. The FTC has accused Kochava of violating the FTC Act by amassing and disclosing "a staggering amount of sensitive and identifying information about consumers," alleging that Kochava's database includes products seemingly capable of identifying nearly every person in the United States.

According to the FTC, Kochava's customers, ostensibly advertisers, can access this data to trace individuals' movements -- including to sensitive locations like hospitals, temporary shelters, and places of worship, with a promised accuracy within "a few meters" -- over a day, a week, a month, or a year. Kochava's products can also provide a "360-degree perspective" on individuals, unveiling personally identifying information like their names, home addresses, phone numbers, as well as sensitive information like their race, gender, ethnicity, annual income, political affiliations, or religion, the FTC alleged.

Beyond that, the FTC alleged that Kochava also makes it easy for advertisers to target customers by categories that are "often based on specific sensitive and personal characteristics or attributes identified from its massive collection of data about individual consumers." These "audience segments" allegedly allow advertisers to conduct invasive targeting by grouping people not just by common data points like age or gender, but by "places they have visited," political associations, or even their current circumstances, like whether they're expectant parents. Or advertisers can allegedly combine data points to target highly specific audience segments like "all the pregnant Muslim women in Kochava's database," the FTC alleged, or "parents with different ages of children."

Google

Google Can Now Remove Your Identifying Search Results, If They're the Right Kind (arstechnica.com) 14

An anonymous reader quotes a report from Ars Technica: Google has been pushing out a tool for removing personally identifiable information -- or doxxing content -- from its search results. It's a notable step for a firm that has long resisted individual moderation of search content, outside of broadly harmful or copyright-violating material. But whether it works for you or not depends on many factors. As with almost all Google features and products, you may not immediately have access to Google's new removal process. If you do, though, you should be able to click the three dots next to a web search result (while signed in), or in a Google mobile app, to pull up "About this result." Among the options you can click at the bottom of a pop-up are "Remove result." Take note, though, that this button is much more intent than immediate action -- Google suggests a response time of "a few days."

Google's blog post about this tool, updated in late September, notes that "Starting early next year," you can request regular alerts for when your personal identifying information (PII) appears in new search results, allowing for quicker reporting and potential removal. I took a trial run through the process by searching my name and a relatively recent address on Google, then reporting it. The result I reported was from a private company that, while putting on the appearance of only posting public or Freedom of Information Act-obtained records, places those records next to links that send you to the site's true owner, initiating a "background check" or other tracking services for a fee.

The first caveat Google carves out in its blog post is whether the page your information appears on also contains "other information that is broadly useful, for instance in news articles." So if your information is appearing because a newspaper or other publication regularly publishes, for example, lists of real estate transactions, Google isn't likely to take that page down. Google then notes that removing your info from a Google search "doesn't remove it from the web," so they suggest a help page they've compiled for contacting a site webmaster about removal. In other words, if Google can see a page with your information on it, so can Bing, DuckDuckGo, and other web-indexing search sites, so removing the original page is important. You could then request Google remove its own indexed result once the webmaster acts through an "outdated information" removal request. [...] Google notes that it generally aims to preserve search results if "the content is determined to be of public interest." This includes "Content on or from government and other official sources," and newsworthy and professionally relevant content.
There's a different case for doxxing, notes Ars Technica's Kevin Purdy. "If there is an 'explicit or implicit threat,' or 'calls to action for others to harm or harass,' that can make the removal easier under Google's doxxing policy, initiated in May."
Yahoo!

Yahoo's New Privacy Policy Allows Data-Sharing With Verizon (cnet.com) 38

"Yahoo is now part of Oath and there is a new Privacy and Terms contract..." warns long-time Slashdot reader DigitalLogic. CNET reports: Oath notes that it has the right to read your emails, instant messages, posts, photos and even look at your message attachments. And it might share that data with parent company Verizon, too... When you dig further into Oath's policy about what it might do with your words, photos, and attachments, the company clarifies that it's utilizing automated systems that help the company with security, research and providing targeted ads -- and that those automated systems should strip out personally identifying information before letting any humans look at your data. But there are no explicit guarantees on that.
The update also warns that Oath is now "linking your activity on other sites and apps with information we have about you, and providing anonymized and/or aggregated reports to other parties regarding user trends." For example, Oath "may analyze user content around certain interactions with financial institutions," and "leverages information financial institutions are allowed to send over email."

Oath does offer a "Privacy Controls" page which includes a "legacy" AOL link letting you opt-out of internet-based advertising that's been targeted "based on your online activities" -- but it appears to be functioning sporadically.

CNET also reports that now Yahoo users are agreeing to a class-action waiver and mutual arbitration. "What it means is if you don't like what the company does with your data, you'll have a hard time suing."
Privacy

CISA Surveillance Bill Hidden Inside Last Night's Budget Bill (engadget.com) 166

An anonymous reader writes that the Cybersecurity Information Sharing Act (CISA) was inserted into the omnibus budget deal passed by the House of Representatives late last night. Engadget reports: "Last night's budget bill wasn't all about avoiding a government shutdown. Packed inside the 2,000-page bill announced by Speaker Paul Ryan (R-WI) is the full text of the controversial Cybersecurity Information Sharing Act (CISA) of 2015. If you'll recall, the measure passed the Senate back in October, leaving it up to the House to approve the bill that encourages businesses to share details of security breaches and cyber attacks. Despite being labeled as cybersecurity legislation, critics of CISA argue that it's a surveillance bill that would allow companies to share user info with the US government and other businesses. As TechDirt points out, this version of the bill stripped important protections that would've prevented directly sharing details with the NSA and required any personally identifying details to be removed before being shared. It also removes restrictions on how the government can use the data."
Image

Alan Dabiri, Lead Software Engineer For StarCraft 2 138

The StarCraft 2 team spent most of Blizzcon talking about the map editor and custom games. We spoke with Alan Dabiri, a Lead Software Engineer for Wings of Liberty who worked on the user interface and helped out on the game's integration with Battle.net. He provided some more details about plans for making the map editor more approachable, the coming updates for Battle.net (including chat channels), and a bit about the development of Heart of the Swarm, the Zerg-themed expansion being worked on now. Read on for our conversation about StarCraft 2.
Privacy

WordPress 2.3 Does Not Spy On Users [UPDATED] 229

Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."

More on Leopard, AOL, Reuters and the Universe 117

Read on for some of the most interesting comments and exchanges on a handful of yesterday's Slashdot posts (on the age of the Universe, virtual desktops in OS X, trick photography on the Reuters wire, and AOL's latest privacy gaffe) in today's Backslash summary.
News

The Value Of Privacy 72

This FTC release details what can happen to web sites that collect information about underage users without parental consent. "The FTC charged Monarch Services, Inc. and Girls Life, Inc., operators of www.girlslife.com; Bigmailbox.com, Inc., and Nolan Quan, operators of www.bigmailbox.com; and Looksmart Ltd., operator of www.insidetheweb.com with illegally collecting personally identifying information from children under 13 years of age without parental consent, in violation of the COPPA Rule." For collecting things like name and age (and in the case of the BigMailbox.com, making the info available to a 3rd party), the three companies were fined a sum of 100,000 dollars. You might like to read more on COPPA as well, and then the Center for Media Education's report on COPPA. In related news, Spain imposed a fine on Microsoft for violating Spanish laws on data-transfer, for transferring employee information from servers in Spain to the U.S.
Privacy

TiVo Usage Info Collected For Sale 276

therevan writes: "Headline News reports here that TiVo, the digital television recording technology, has been accused by privacy groups of selling user usage info to advertising agencies. Now you're not even safe with your computer unplugged." Though no specific sale is talked about, the article says that TiVo has acknowledged creating an (anonymized) database of viewing information for that purpose. It's not the first time that privacy concerns about TiVo viewing habits have been raised, but the company insists that all such information is separated from personally identifying information.
The Internet

Security Expert Dave Dittrich on DDoS Attacks 139

We've linked to plenty of "secondhand" media pieces about the recent DoS attacks on major commercial Web sites. Fine. Now here's real, hard-core hard-tech info on the subject - in answer to your excellent questions - from somebody who actually knows what's going on, namely Dave Dittrich from the University of Washington. He's been interviewed up the yin-yang this last week by mainstream reporters who probably wouldn't understand half the answers he gives here. But this is Slashdot, so he didn't have to hold back or dumb anything down. Click below and enjoy!
