Searching Google for “Gravy Analytics breach” results in FTC action against said company for illegally tracking consumers. Among the results are mentions of HIPAA violations… which in 2025 USA is actually a really big deal.
For all of the “but I have nothing to hide” crowd, you need to modify your slogan to, “but I have nothing to hide, right now.”
I would like to add the following conditions to further illustrate how fraught that sentiment is.
- from the people currently in power
- from the laws as they currently stand
- given my understanding of all the laws that exist
- from a wacko down the street with a short fuse and weaponry
If you don't have something to hide, your life is lame. LOL
Seriously, though, what would the HIPAA violation be for location data? Knowledge of someone going to a doctor's office doesn't sound like a HIPAA violation. AFAIK, violations only relate to what is communicated between doctors (and other healthcare professionals) and patients.
Location data generated by your phone is not covered by HIPAA (source: [1]) whereas the location of a patient undergoing treatment is. Thus, there's nothing that stops a data broker inferring that you are visiting a psychiatrist or a reproductive health clinic and sharing that insight with buyers, but the clinic/doctor can't share that you were treated at such and such location since that is personal health information (PHI).
The web page below has quite some discussion on what this means for patient privacy and how to disable certain location services on your phone.
Things like this were previously a pain, but now with AI being able to easily sift through these things to identify high value targets (adversary's military personnel, politicians/executives for blackmailers) maybe something will finally be done. Heck I bet if someone provided a weaponized AI platform to digest this information and float everything of interest in it to the top that might finally get something done.
I think at some point the system needs to switch to aggregating violence/damage inflicted when it's against thousands/millions of people. A business can't just ruin one person's life without consequence. Slightly damaging millions of lives should rise to a similar level at some point.
Sure, but I can't. But I can weaponize leaked/hacked data sets to bring attention and get the government to care since they don't currently seem to care about the data being collected nor it being laxly protected.
Maybe we should do a South Park with their TrollTrace plotline and make the data publicly available (maybe purposefully exclude the last 6-12 months of data for a little bit of secrecy), and watch the public rage while they can look up the movements of everyone they know!
Though I don’t think that would even work, as people’s anger would be directed at the public directory rather than the source of the data and how it was gathered…
(Edit: Don’t actually do this, as it could / probably will, do more harm than good. But until the majority of people get angry at such data collection, it will just continue to happen)
I wrote one but never published it. I'm working on resurrecting the blog (writing an article right now). I appreciate the interest and I'll dig up the draft and publish it later this week.
Please do. I find Twitch to be a fascinating corner of the internet. From the shared lingo via third-party emotes to the depressing TTS messages of the chatters, it's all gold.
The real 'data breach' was that they had the data in the first place. The hacker is likely less of a threat to me than many of the parties they sold the data to before.