Netflix silent about ridicule as it discusses punters' viewing habits

Vid biz's admission shows that no data is private

A tweet sent in jest from Netflix's official Twitter account on Sunday evening has called the company's data practices into question.

"To the 53 people who've watched A Christmas Prince every day for the past 18 days: Who hurt you?" a company representative said, via the social media and election-swaying service.

To the general public, the issue can be summarized as no harm, no foul. It was simply humor, at the expense of a few dozen fans of a recent romantic film that Buzzfeed says is "so bad it's good." More than 336,000 Twitter accounts – and presumably some real people among the bots – liked the tweet while more than 85,000 retweeted it.

Marketing mission accomplished.

To privacy advocates and those in the media, the quip set off alarm bells because it's not clear what kind of data is available to Netflix's employees and what kind of rules govern access to that data.

To understand why video privacy is even an issue, rewind several decades to 1987 when reporter Michael Dolan went looking for and found the video rental history of Supreme Court nominee Robert Bork, who had expressed his view that the Constitution does not support privacy protection. Politicians, perceiving that their video viewing habits might come back to haunt them, passed the Video Privacy Protection Act in 1988.

This may seem like a quaint concern in an era when elected officials shrug off charges of pedophilia, sexual assault, and treason, but there was a time when public image mattered.

In any event, this privacy carve-out lasted until 2011, when it was watered down through an amendment supported by Netflix and other data-focused companies. Nowadays, with so much online surveillance and ad tracking, Netflix viewing habits are probably less troubling than browser histories, but even so, the privacy-conscious are not thrilled by Netflix's cavalier attitude.

Netflix, like many online companies, makes clear through its Privacy Statement that it collects a variety of data about customers – name, email address, address or postal code, payment method, and telephone number, along with reviews or ratings, taste preferences, account settings, title selections, viewing history, search queries, customer service interactions, device identifiers, browser technical data, location, and advertising cookies.

The company says it may also augment data with info from brokers of offline data such as demographics, interest-based data, and browsing behavior.

At the same time, Netflix says it cannot guarantee the security of the data it collects: "We use reasonable administrative, logical, physical and managerial measures to safeguard your personal information against loss, theft and unauthorized access, use and modification. Unfortunately, no measures can be guaranteed to provide 100% security. Accordingly, we cannot guarantee the security of your information."

Nor can Netflix stop talking about it. The tweet in question appears to coincide with the company's publication on Monday of its 2017 year-in-review. And the vid biz is shaming without naming others, such as the Canadian user who watched the Lord of the Rings films 361 times.

Spotify has indulged in similar snark marketing based on user data. Who needs ad copywriters when there's long-tail data to be cherry-picked?

It's all innocent fun until lack of data oversight becomes an issue, as it did when a Twitter contractor shut down President Trump's Twitter account for 11 minutes last month. Other companies, like Google, with Street View engineers deciding to collect Wi-Fi data in 2006, and Uber's 2014 scandal about tracking people using "God View," have been caught misusing data that should have been off-limits. And they're hardly outliers.

The Register thrice asked Netflix to explain itself but has yet to receive any response.

In its defense, Netflix might say its data is anonymized. Such data, however, can often be de-anonymized, as University of Texas researchers did with a portion of a Netflix data set in 2007.

But that's not really the issue. The problem is more that an offhanded remark by a Netflix employee serves as a reminder of how our data has become our Achilles Heel.

There's a saying attributed to Cardinal Richelieu, "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

Though he may not have said these exact words, the sentiment is true enough: In an adversarial situation – a court hearing, a job interview, or a border crossing – who among us could not be put on the defensive by captured data? ®

Updated to add

After this story was published, Netflix responded to our query: “The privacy of our members’ viewing is important to us. This information represents overall viewing trends, not the personal viewing information of specific, identified individuals,” a spokesperson said via email.
