Major TikTok Security Flaws Found

TEL AVIV — TikTok, the smartphone app beloved by teenagers and used by hundreds of millions of people around the world, had serious vulnerabilities that would have allowed hackers to manipulate user data and reveal personal information, according to research published Wednesday by Check Point, a cybersecurity company in Israel.

The weaknesses would have allowed attackers to send TikTok users messages that carried malicious links. Once users clicked on the links, attackers would have been able to take control of their accounts, including uploading videos or gaining access to private videos. A separate flaw allowed Check Point researchers to retrieve personal information from TikTok user accounts through the company’s website.

“The vulnerabilities we found were all core to TikTok’s systems,” said Oded Vanunu, Check Point’s head of product vulnerability research.

TikTok learned about the conclusions of Check Point’s research on Nov. 20 and said it had fixed all of the vulnerabilities by Dec. 15.

The app, whose parent company is based in Beijing, has been called “the last sunny corner on the internet.” It allows users to post short, creative videos, which can easily be shared on various apps.

It has also become a target of lawmakers and regulators who are suspicious of Chinese technology. Several branches of the United States military have barred personnel from having the app on government-issued smartphones. The vulnerabilities discovered by Check Point are likely to compound those concerns.

TikTok has exploded in popularity over the past two years, becoming a rare Chinese internet success story in the West. It has been downloaded more than 1.5 billion times, according to the data firm Sensor Tower. Near the end of 2019, the research firm said TikTok appeared to be on its way to more downloads for the year than better-known apps from Facebook, Instagram, YouTube and Snap.

But new apps like TikTok offer opportunities for hackers looking to target services that haven’t been tested through years of security research and real-world attacks. And many of its users are young and perhaps not mindful of security updates.

“TikTok is committed to protecting user data,” said Luke Deshotels, the head of TikTok’s security team.

“Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” he added. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

Mr. Deshotels said there was no indication in customer records that a breach or an attack had occurred.

TikTok’s parent company, ByteDance, is one of the world’s most valuable tech start-ups. But TikTok’s popularity and its roots in China, where no large corporation can thrive outside the good graces of the government, have prompted intense scrutiny of the app’s content policies and data practices.

American lawmakers have expressed concern that TikTok censors material that the Chinese government does not like and allows Beijing to collect user data. TikTok has denied both accusations. The company also says that although ByteDance’s headquarters are in Beijing, regional managers for TikTok have significant autonomy over operations.

Check Point’s intelligence unit examined how easy it would be to hack into TikTok user accounts. It found that various functions of the app, including sending video files, had security issues.

“I would expect these types of vulnerabilities in a company like TikTok, which is probably more focused on tremendous growth, and on building new features for their users, rather than security,” said Christoph Hebeisen, the head of research at Lookout, another cybersecurity company.

One vulnerability allowed attackers to use a link in TikTok’s messaging system to send users messages that appeared to come from TikTok. The Check Point researchers tested the weakness by sending themselves links with malware that let them take control of accounts, uploading content, deleting videos and making private videos public.

The researchers also found that TikTok’s site was vulnerable to a type of attack that injects malicious code into trusted websites. Check Point researchers were able to retrieve users’ personal information, including names and birth dates.

Check Point sent a summary of its findings to the Department of Homeland Security in the United States.

The Committee on Foreign Investment in the United States, a panel that reviews investment deals on national security grounds, is also looking into ByteDance’s 2017 acquisition of Musical.ly, a lip-syncing app that the company later merged into TikTok. That deal set the stage for TikTok’s rapid rise in the United States and Europe.

There are also concerns about the company’s data privacy practices. In February, the Federal Trade Commission filed a complaint against TikTok, saying it illegally collected personal information from minors. The complaint claimed that Musical.ly had violated the Children’s Online Privacy Protection Act, which requires websites and online companies to direct children under 13 to get parental consent before the companies collect personal information.

TikTok agreed to pay $5.7 million to settle the complaint and said it would abide by COPPA. TikTok is still being investigated by the British Information Commissioner’s Office to determine if it violated European privacy laws that offer special protections to minors and their data.

Ronen Bergman reported from Tel Aviv, Sheera Frenkel from San Francisco, and Raymond Zhong from Hong Kong.

The Tech That Will Invade Our Lives in 2020

The 2010s made one thing clear: Tech is everywhere in life.

Tech is in our homes with thermostats that heat up our residences before we walk through the door. It’s in our cars with safety features that warn us about vehicles in adjacent lanes. It’s on our television sets, where many of us are streaming shows and movies through apps. We even wear it on ourselves in the form of wristwatches that monitor our health.

In 2020 and the coming decade, these trends are likely to gather momentum. They will also be on display next week at CES, an enormous consumer electronics trade show in Las Vegas that typically serves as a window into the year’s hottest tech developments.

At the show, next-generation cellular technology known as 5G, which delivers data at mind-boggling speeds, is expected to take center stage as one of the most important topics. We are also likely to see the evolution of smart homes, with internet-connected appliances such as refrigerators, televisions and vacuum cleaners working more seamlessly together — and with less human interaction required.

“The biggest thing is connected everything,” said Carolina Milanesi, a technology analyst for the research firm Creative Strategies. “Anything in the home — we’ll have more cameras, more mics, more sensors.”

If some of this sounds the same as last year, it is — but that’s because new technologies often take time to mature.

Here’s what to watch in tech this year.

In the last few years, Amazon, Apple and Google have battled to become the center of our homes.

Their virtual assistants — Alexa, Google Assistant and Siri — respond to voice commands to play music from speakers, control light bulbs and activate robot vacuums. Smart home products work well, but they are complicated to set up, so most people use virtual assistants just for basic tasks like setting a kitchen timer and checking the weather.

Then in December, Amazon, Apple and Google came to what appeared to be a truce: They announced that they were working together on a standard to help make smart home products compatible with one another.

In other words, when you buy an internet-connected light bulb down the line that works with Alexa, it should also work with Siri and Google Assistant. This should help reduce confusion when shopping for home products and improve the ease with which connected gadgets work with one another.

Ms. Milanesi said that eliminating complexity was a necessary step for the tech giants to achieve their ultimate goal: seamless home automation without the need for people to tell the assistants what to do.

“You want the devices to talk to each other instead of me being the translator between these device interactions,” she said. “If I open my door, then the door can say to the lights that the door is open and therefore the lights need to turn on.”

If and when that happens, your home will truly — and finally — be smart.

In 2019, the wireless industry began shifting to 5G, a technology that can deliver data at such incredibly fast speeds that people will be able to download entire movies in a few seconds.

Yet the rollout of 5G was anticlimactic and uneven. Across the United States, carriers deployed 5G in just a few dozen cities. And only a handful of new smartphones last year worked with the new cellular technology.

In 2020, 5G will gain some momentum. Verizon said it expected half the nation to have access to 5G this year. AT&T, which offers two types of 5G — 5G Evolution, which is incrementally faster than 4G, and 5G Plus, which is the ultrafast version — said it expected 5G Plus to reach parts of 30 cities by early 2020.

Another sign that 5G is really taking hold? A broader set of devices will support the new wireless standard.

Samsung, for one, has begun including 5G support on some of its newer Galaxy devices. Apple, which declined to comment, is also expected to release its first 5G-compatible iPhones this year.

And 5G will be going to work behind the scenes, in ways that will emerge over time. One important benefit of the technology is its ability to greatly reduce latency, or the time it takes for devices to communicate with one another. That will be important for the compatibility of next-generation devices like robots, self-driving cars and drones.

For example, if your car has 5G and another car has 5G, the two cars can talk to each other, signaling to each other when they are braking and changing lanes. The elimination of the communications delay is crucial for cars to become autonomous.

It’s a time of intense competition in wearable computers, which is set to lead to more creativity and innovation.

For a long while, Apple has dominated wearables. In 2015, it released Apple Watch, a smart watch with a focus on health monitoring. In 2016, the company introduced AirPods, wireless earbuds that can be controlled with Siri.

Since then, many others have jumped in, including Xiaomi, Samsung and Huawei. Google recently acquired Fitbit, the fitness gadget maker, for $2.1 billion, in the hope of playing catch-up with Apple.

Computer chips are making their way into other electronic products like earphones, which means that companies are likely to introduce innovations in wearable accessories, said Frank Gillett, a technology analyst for Forrester. Two possibilities: earphones that monitor your health by pulling pulses from your ears, or earbuds that double as inexpensive hearing aids.

“That whole area of improving our hearing and hearing the way other people hear us is really interesting,” he said.

We have rushed headlong into the streaming era, and that will only continue.

In 2019, Netflix was the most-watched video service in the United States, with people spending an average of 23 minutes a day streaming its content, according to eMarketer, the research firm. In all, digital video made up about a quarter of the daily time spent on digital devices last year, which included time spent on apps and web browsers.

Netflix’s share of the overall time we spend watching video on devices will probably decline in 2020, according to eMarketer, because of the arrival of competing streaming services like Disney Plus, HBO Max and Apple TV Plus.

“Even though Americans are spending more time watching Netflix, people’s attention will become more divided as new streamers emerge,” Ross Benes, an analyst at eMarketer, said in a blog post.

So if you don’t like “The Mandalorian,” “The Morning Show” or “Watchmen,” you won’t change the channel. You will just switch to a different app.

Uber and Postmates File Suit to Block California Freelancer Law

Uber and Postmates filed a lawsuit in federal court in California on Monday, seeking an injunction to prevent the state’s landmark freelancer law from taking effect against them on Jan. 1 as scheduled.

The action underlines how high the stakes are for Uber and Postmates with the new California law, called Assembly Bill 5. The law could potentially threaten their businesses because under it, workers must be classified as employees rather than contractors under certain conditions, such as if a company controls how they do their work or if the work is a regular part of the company’s business.

Most employment experts have said the new law will require Uber and its rival, Lyft, along with delivery services like Postmates, to classify their drivers in California as employees. That could add 20 to 30 percent to Uber’s and Lyft’s labor costs and lead to many hundreds of millions of dollars in additional expenses a year, if not more.

As employees, drivers would be protected by minimum wage and overtime rules and would be eligible for workers’ compensation and unemployment insurance. The companies would have to pay half of their payroll taxes for Medicare and Social Security.

Postmates said it was seeking to delay the law from taking effect to gain time to figure out a compromise so that its workers would not be classified as full-time employees. Postmates and Uber argued in their complaint that California’s State Legislature had exempted certain industries while denying an exemption to what are known as “gig work” companies on essentially irrational grounds.

The suit is unlikely to stop the law from taking effect against workers outside the gig companies. A federal judge will decide whether to grant a preliminary injunction blocking the law from being enforced against the gig companies, which could later turn into a permanent injunction.

Uber said in a statement that it was bringing a legal challenge against the new law “on the basis of lack of equal protection and due process under both federal and state law.” The ride-hailing company declined to comment further.

Postmates said, “This lawsuit is an effort to preserve on-demand work opportunities,” and added that it was urging state lawmakers, organized labor and Gov. Gavin Newsom to negotiate a compromise.

But Assemblywoman Lorena Gonzalez of San Diego, the bill’s author, said in a statement that “Uber is in court bizarrely trying to say A.B. 5 is unconstitutional.” She added, “The one clear thing we know about Uber is they will do anything to try to exempt themselves from state regulations that make us all safer and their driver employees self-sufficient.”

Uber and Lyft both said in documents they filed in anticipation of their public offerings in 2019 that having to classify drivers as employees could significantly hurt their financial performance. Both companies’ stocks have dropped since they went public this year.

California legislators passed the new law in September and it was signed into law. Uber, one of the main targets of the legislation, had previously declared that it did not plan to reclassify its drivers as employees and that it thought its drivers could retain their independent status even under the new law. Uber and Lyft have both also announced that they would each kick in $30 million for a state ballot initiative to essentially exempt their drivers from the new law.

In addition to Uber and Postmates, two workers — one who drives using Uber and another who delivers food through the Postmates app — also joined the lawsuit.

The 2019 Good Tech Awards

Two years ago, I started what has become one of my favorite annual traditions. Instead of a year-end column rounding up all the dubious and objectionable things technology companies did over the last year — a true fish-in-a-barrel assignment — I highlighted some examples of “good tech.” I wanted to give kudos to the kinds of tech projects that don’t always make headlines but that improve people’s lives in tangible ways.

I’ll admit, handing out awards for good technology in 2019 feels a little like congratulating Godzilla for not destroying all of Tokyo. There was plenty of bad tech news to write about this year: Facebook’s foibles, Amazon’s aggression, SoftBank’s stumbles. But to me, the tech industry’s very public shortfalls make celebrating its quieter successes even more important. The tech industry, after all, is not a monolith, and many engineers and entrepreneurs work on projects that help society. So here, with no further ado, are this year’s winners.

To OpenAQ, for educating us about the air we breathe.

Air pollution is a vastly underestimated problem. Polluted air is linked to one in eight deaths worldwide, and studies have shown that bad air quality can cause cognitive impairment in young people and increase the risk of dementia and Alzheimer’s disease in the elderly. But until recently, there was no good source of air quality data that researchers and activists could rely on.

Christa Hasenkopf, an atmospheric scientist, decided to fix that. She and a software developer started OpenAQ, an open-source platform that collects air quality data from governments and international organizations in a single place and makes it free and accessible. Want to know how the nitrogen dioxide levels in Hyderabad, India, compare with those in Kampala, Uganda? OpenAQ can tell you. Want to build an app that alerts people in your city when air quality dips below a healthy threshold? You can do that, too.

The company says it has processed 188 million air quality measurements this year, making it a powerful weapon for policymakers, environmental groups and concerned citizens trying to clean up the air.

To DynamiCare Health, Biobot Analytics and Pear Therapeutics, for using tech to address the opioid crisis.

Few public health problems in the United States have proved as intractable as the opioid epidemic. But in 2019, three Massachusetts start-ups used technology to chip away at it.

DynamiCare Health, based in Boston, has built a mobile app meant to help keep recovering users of opioids and other drugs on the wagon. The app — already in use in eight addiction treatment systems across the country — allows users to test their breath and saliva remotely, check into group meetings and therapy sessions, and earn money on an electronic debit card by meeting their sobriety goals.

Biobot, a company started by two graduates of the Massachusetts Institute of Technology, analyzes sewage samples to determine the opioid use levels in a given neighborhood. (Opioid use leaves telltale byproducts called metabolites, which can be chemically detected in urine.) Once this data is collected, public health officials can use it to set priorities for treatment programs, detect spikes in use in a neighborhood and monitor the effectiveness of prevention programs over time.

Pear Therapeutics, another Boston outfit, makes “digital therapeutics” — essentially apps that use cognitive behavioral therapy techniques to help recovering addicts stick with their treatment programs. Its anti-opioid program, Reset-O, was cleared by the Food and Drug Administration late last year and can now be prescribed by doctors in conjunction with other treatments.

To Lemontree, Goodr and Propel, for helping feed the hungry.

Lemontree, a nonprofit food-delivery app based in New York, was started by Alex Godin, an entrepreneur who sold a workplace collaboration start-up to Meetup several years ago. The company sells Blue Apron-style meal kits to low-income families for $3 apiece. Meal kits are packed by volunteers, and they can be bought with food stamps.

Goodr, described by its founder, Jasmine Crowe, as a “food delivery app in reverse,” is a platform based in Atlanta that helps save some of the 72 billion pounds of food wasted in the United States every year and give it to people in need. Restaurants sign up on the site to have their excess food picked up and donated to local nonprofits and homeless shelters. Goodr operates in six cities, including Chicago, Miami and Philadelphia, and says it has diverted 2.1 million pounds of food and provided 1.8 million meals since 2017.

Propel, a Brooklyn start-up, is the creator of Fresh EBT, a popular app that helps low-income users manage their food stamps and other benefits. After doing battle with a larger government contractor last year, Propel recovered this year and says more than two million households use it every month.

To Pinterest, for taking a stand against social media toxicity.

When you think of Pinterest, you probably picture mood boards, D.I.Y. hacks and mommy-bloggers. But the social network spent much of 2019 doing the kinds of tough, principled work that its bigger rivals often neglected.

In August, the company announced that users searching for vaccine-related information would be shown results from authoritative sources like the World Health Organization and the Centers for Disease Control and Prevention, rather than being led down rabbit holes filled with misinformation. The company also introduced a “compassionate search” experience, which offers mental health advice and exercises to users whose behavior indicates they might be feeling anxious or depressed, such as people who search for things like “sad quotes” or who look up terms relating to self-harm. And in December, Pinterest joined other wedding websites in announcing that it would limit the promotion of wedding venues that were once slave plantations.

Pinterest hasn’t always operated flawlessly. But while its competitors were giving grandiose speeches and supplicating at the White House, the company’s content-moderation choices stood out as an example of a social network with a moral compass.

To Big Tech’s climate activists, for pressuring executives to walk the walk.

In a year when climate change was the subject of mass global demonstrations, Silicon Valley’s silence could have been deafening. Tech companies like Amazon, Microsoft and Google count fossil fuel companies and anti-environmental groups among their customers — a fact that doesn’t sit well with some employees. Those employees made their dissatisfaction known this year, joining climate strikes and walkouts and publicly calling on their own executives to do more to fight climate change.

In April, more than 4,200 Amazon employees sent an open letter to Jeff Bezos, the company’s chief executive, urging him to end the company’s contracts with oil and gas companies and commit to ambitious carbon-reduction goals. Amazon later announced a plan to become carbon neutral by 2040.

To Gypsy Guide, for enlightening my summer road trip.

If I’m being honest, the best app I used in 2019 wasn’t TikTok or some new A.I.-powered facial recognition app. It was Gypsy Guide, a simple, understated app that gives guided audio tours of national parks and other tourist destinations. The app uses your phone’s GPS to track your route through a park, and it narrates relevant facts as you drive past them. My wife and I drove through Yellowstone and the Grand Tetons this summer, and Gypsy Guide (which could really use a new name) quickly became our car soundtrack.

Gypsy Guide is not the slickest app in the world, and it’s not making anyone a billionaire. But it kept us entertained for hours, and it taught me things I wouldn’t have known. (Did you know that a concave depression in a mountain caused by a glacier’s erosion is called a “cirque”? Me neither.) It was a good reminder that not every tech start-up has to address some deep, existential need to be worthwhile. There are simpler pleasures, too.

What Does California’s New Data Privacy Law Mean? Nobody Agrees

Millions of people in California are now seeing notices on many of the apps and websites they use. “Do Not Sell My Personal Information,” the notices may say, or just “Do Not Sell My Info.”

But what those messages mean depends on which company you ask.

Stopping the sale of personal data is just one of the new rights that people in California may exercise under a state privacy law that takes effect on Wednesday. Yet many of the new requirements are so novel that some companies disagree about how to comply with them.

Even now, privacy and security experts from different companies are debating compliance issues over private messaging channels like Slack.

The provision about selling data, for example, applies to companies that exchange the data for money or other compensation. Evite, an online invitation service that discloses some customer information for advertising purposes, said it would give people a chance to opt out if they do not want their data shared with third parties. By contrast, Indeed, a job search engine that shares users’ résumés and other information, posted a notice saying that people seeking to opt out “will be asked to delete their account.”

The issue of selling consumer data is so fraught that many companies are unwilling to discuss it publicly. Oracle, which has sold consumer information collected by dozens of third-party data brokers, declined to answer questions. T-Mobile, which has sold its customers’ location details, said it would comply with the law but refused to provide details.

“Companies have different interpretations, and depending on which lawyer they are using, they’re going to get different advice,” said Kabir Barday, the chief executive of OneTrust, a privacy management software service that has worked with more than 4,000 companies to prepare for the law. “I’ll call it a religious war.”

The new law has national implications because many companies, like Microsoft, say they will apply their changes to all users in the United States rather than give Californians special treatment. Federal privacy bills that could override the state’s law are stalled in Congress.

The California privacy law applies to businesses that operate in the state, collect personal data for commercial purposes and meet other criteria like generating annual revenue above $25 million. It gives Californians the right to see, delete and stop the sale of the personal details that all kinds of companies — app developers, retailers, restaurant chains — have on them.

“Businesses will have to treat that information more like it’s information that belongs, is owned by and controlled by the consumer,” said Xavier Becerra, the attorney general of California, “rather than data that, because it’s in possession of the company, belongs to the company.”

Some issues, like the practices that qualify as data selling, may be resolved by mid-2020, when Mr. Becerra’s office plans to publish the final rules spelling out how companies must comply with the law. His office issued draft regulations for the law in October. Other issues may become clearer if the attorney general sues companies for violating the privacy law.

For now, even the biggest tech companies have different interpretations of the law, especially over what it means to stop selling or sharing consumers’ personal details.

Google recently introduced a system for its advertising clients that restricts the use of consumer data to business purposes like fraud detection and ad measurement. Google said advertisers might choose to limit the uses of personal information for individual consumers who selected the don’t-sell-my-data option — or for all users in California.

Facebook, which provides millions of sites with software that tracks users for advertising purposes, is taking a different tack. In a recent blog post, Facebook said that “we do not sell people’s data,” and it encouraged advertisers and sites that used its services “to reach their own decisions on how to best comply with the law.”

Uber responded to Facebook’s notice by offering a new option for its users around the world to opt out of having the ride-hailing service share their data with Facebook for ad targeting purposes.

“Although we do not sell data, we felt like the spirit of the law encompassed this kind of advertising,” said Melanie Ensign, the head of security and privacy communications at Uber.

Evite, the online invitation service, decided in 2018 to stop selling marketing data that grouped its customers by preferences like food enthusiast or alcohol enthusiast. Since then, the company has spent more than $1 million and worked with two firms to help it understand its obligations under the privacy law and set up an automated system to comply, said Perry Evoniuk, the company’s chief technology officer.

Although Evite no longer sells personal information, the site has posted a “do not sell my info” link. Starting Wednesday, Mr. Evoniuk said, that notice will explain to users that Evite shares some user details — under ID codes, not real names — with other companies for advertising purposes. Evite will allow users to make specific choices about sharing that data, he said. Customers will also be able to make general or granular requests to see their data or delete it.

“We took a very aggressive stance,” Mr. Evoniuk said. “It’s beneficial to put mechanisms in place to give people very good control of their data across the board.”

Companies are wrangling with a part in the law that gives Californians the right to see the specific details that companies have compiled on them, like precise location information and facial recognition data. Residents may also obtain the inferences that companies have made about their behavior, attitudes, activities, psychology or predispositions.

Apple, Facebook, Google, Microsoft, Twitter and many other large tech companies already have automated services enabling users to log in and download certain personal data. Amazon said it would introduce a system that allowed all customers of its United States site to request access to their personal information.

But the types and extent of personal data that companies currently make available vary widely.

Apple, for instance, said its privacy portal allowed people whose identities it could verify to see all of the data associated with their Apple IDs — including their App Store activities and AppleCare support history.

Microsoft said its self-service system enabled users to see the most “relevant” personal information associated with their accounts, including their Bing search history and any interest categories the company had assigned them.

Lyft, the ride-hailing company, said it would introduce a tool on Wednesday that allowed users to request and delete their data.

A reporter who requested data from the Apple portal received it more than a week later; the company said its system might need about a week to verify the identity of a person seeking to see his or her data. Microsoft said it was unable to provide a reporter with a list of the categories it uses to classify people’s interests. And Lyft would not say whether it will show riders the ratings that drivers give them after each ride.

Experian Marketing Services, a division of the Experian credit reporting agency that segments consumers into socioeconomic categories like “platinum prosperity” and “tough times,” is staking out a tougher position.

In recent comments filed with Mr. Becerra’s office, Experian objected to the idea that companies would need to disclose “internally generated data about consumers.” Experian did not return emails seeking comment.

The wide variation in companies’ data-disclosure practices may not last. California’s attorney general said the law clearly requires companies to show consumers the personal data that has been compiled about them.

“That consumer, so long as they follow the process, should be given access to their information,” Mr. Becerra said. “It could be detailed information, if a consumer makes a very specific request about a particular type of information that might be stored or dispersed, or it could be a general request: ‘Give me everything you’ve got about me.’”