Shamrock Information Security

2016-12-31 by Drs. Andor Demarteau

The niner noteworthy and the 12 recaps of 2016 (day 6)

Social media and European privacy laws have been at odds for some time now. With the General Data Protection Regulation (GDPR) being adopted in May this year and the ever-growing concerns on data protection, specifically on data transfers to the US, it is no wonder that there is enough news to write about.
Specifically when companies like WhatsApp and Facebook decide to do some data sharing without the consent of their users (ehm, products).
Whilst that privacy story takes up one-third of this listing, there are enough other stories around on the new upcoming E-Privacy directive revision, Google’s new attempt at a social media chat service, Uber’s data hunger on GPS location data and backdoors left in Skype clients.

In chronological order:

  • EU to crack down on online services such as WhatsApp over privacy
  • WHATSAPP’S PRIVACY CRED JUST TOOK A BIG HIT
  • Google weakens Allo chat app privacy promise
  • Germany calls halt to Facebook’s WhatsApp info slurp
  • Facebook chokes off car insurance slurp because – get this – it has privacy concerns
  • Facebook halts WhatsApp data sharing across Europe over privacy concerns
  • Uber begins background collection of rider location data
  • Skype backdoor missed by Microsoft development team
  • Amazon Echo and Questions of Consumer Privacy

EU to crack down on online services such as WhatsApp over privacy


Interesting trade-off to put America with freedom of speech against Europe with privacy as highest priority. With that the critics in this article apparently also put freedom of speech on an identical level as the unlimited use of customer data for business purposes, something I find repulsive.
That some of the regulations now governing traditional telecoms may not entirely fit onto the over-the-top services like WhatsApp, iMessage, Skype etc. is clear enough. However, I think those services could very well work with most of those provisions in mind.
There is one major difference though which has nothing to do with freedom of speech: for traditional telecoms (SMS, calls etc.) you pay for a service, whilst with most OTT services you get the service for free whilst you pay with your privacy. With that in mind I can understand why the tech industry is screaming foul over this proposal.
In all fairness though, the way most of those companies handled user privacy in the past considered, they indirectly asked for this to happen themselves.
source: The Guardian (external link)
An article on The Register (external link) sums it up nicely where the E-Privacy directive is concerned, including the ensuing “battle” over its revision strategy between Eurocrats and the tech and telecom sectors.

WHATSAPP’S PRIVACY CRED JUST TOOK A BIG HIT


And technically they are, even with this change, still keeping their promise of never selling your data to another company. They are just “sharing” it with the company that owns them.
That the net effect is identical is obvious to everybody who is concerned with privacy. This is precisely the reason why a European-based chat app solution Threema (external link) watched the number of downloads triple over the first weekend after this announcement.
And rightly so, as that app is fully committed to your privacy. Which you can directly assess yourself by having to pay around 3 euros for the app.
But this story isn’t done and dusted yet as you can read further down this article here.
source: Wired (external link)

Google weakens Allo chat app privacy promise


For Google to provide more than “just another chat app” it needs all of your data to “personalise” your chatting experience. Like Google doesn’t already know enough about you if you use their services to do that.
The major u-turn made on this should not have been necessary if Google had been upfront about this in the first place when it launched the new service back in May.
It is interesting to see that nearly all other chat apps are moving towards end-to-end encryption whilst Google is doing the exact opposite; that’s not counting Facebook chat, which only encrypts messages if you specifically request it to do so, similarly to Google’s offering.
I suspect this attempt at something of a social media offering by Google probably will go the same way as Google+ and, who still remembers it, Orkut.
source: BBC News (external link)

Germany calls halt to Facebook’s WhatsApp info slurp


Yes, it’s not only your data as a WhatsApp user, but potentially all the data inside your address book as well, also those of non-WhatsApp users like me for instance. The move by the German DPA was expected but you never know when such agencies take the time and effort to actually do it.
That this move isn’t European only is shown by this article on The Register (external link) detailing court proceedings in India with the same effect: to stop Facebook’s data slurp.
It is interesting to see where WhatsApp has come from as a privacy loving chat app to a data slurping and advertising selling part of Facebook.
Also note that even though they were privacy friendly as a company, their security left a lot to be desired several years ago with fully unencrypted communications. The company also has had its own fair share of criticism for downloading entire address books and storing them on their servers where only phone numbers would have been sufficient.
To be continued one more time here.
source: The Register (external link)

WhatsApp warned over Facebook data share deal

And the story didn’t end there with more data protection agencies across Europe all wanting a piece of the WhatsApp pie. This went all the way up to the Article 29 Working Party (the EU body consisting of all national DPAs from the member states).
WhatsApp’s constant talk that it is working with the watchdogs “to address their concerns” is as adorable as it is worth absolutely nothing.
source: BBC News (external link)

Facebook chokes off car insurance slurp because – get this – it has privacy concerns


So was this action really Facebook’s attempt to protect its users’ privacy? Or was it more concerned with its own revenue and monetisation of the data on its platform? You decide for yourself.
But given the fact that you are the product of Facebook, not its user, and that data access and profiling is their core business and only revenue stream, I think the picture is all too clear.
The last line of the article probably says enough, maybe Admiral should have paid Facebook for the right to use the data. If they had agreed to that it would be another sign of their already deplorable business model.
source: The Register (external link)

Admiral to price car insurance based on Facebook posts

A more in-depth look at what the insurer Admiral is actually planning, or was if Facebook indeed didn’t budge, can be found in this article by the Guardian (external link).

Facebook halts WhatsApp data sharing across Europe over privacy concerns


And so it ends, at least for now, with the data sharing being stopped for advertising purposes but, in between the lines, continues to “fight spam”. Whatever that means on an encrypted message service.
This will certainly not be the end of the story as we have seen often enough with Facebook and privacy related issues over the years of its existence. So don’t be surprised if in 2017 it comes up again.
For now there is only one thing you can do yourself: switch to a more trustworthy messaging service and crucially make sure your friends and family move with you as well.
My suggestions: if you don’t want to pay for it, use the free Signal messenger app; otherwise move to the even more secure and non-phone-number-dependent service from Threema, which is a Swiss-based paid alternative.
source: Ars Technica (external link)

Uber begins background collection of rider location data


It boils down to this: Uber says we don’t use more location data from you than from just before until 5 minutes after your ride; privacy protection groups say that because they have all that data they probably will use it in some form or shape. Who do you believe more?
And yes, it is indeed true Uber can’t get GPS data on a restricted timeframe because of the way those permissions work in mobile phones. So indeed it comes down to trusting them on their blue eyes not to misuse the data collected.
The most worrying bit in this article is the settlement bit where they are ordered to encrypt GPS data between riders’ phones and Uber servers as well as having them only accessible with 2-factor authentication. The worrying bit is that this in my opinion should be the default for sensitive data like that, that they are ordered to do so as part of a settlement is deeply disturbing.
source: TechCrunch (external link)

Skype backdoor missed by Microsoft development team


Microsoft may have a large base of programmers, but hey it’s the Mac client so who cares? Their internal code review process may not have been as thorough because it indeed was the desktop client for a rival operating system. It wouldn’t be the first time in Microsoft’s history, anyone remembering running Netscape on Windows and the troubles it had may know what I’m referring to.
As for using hardcoded back-doors in development code for small development teams as opposed to writing secure code? I totally disagree, never ever do such a thing. The trouble is, there is always a chance you forget to take one out before rolling production which could have disastrous effects.
source: Haymarket media, SC magazine (external link)

Amazon Echo and Questions of Consumer Privacy


Next to all the cloud stored preferences, which apparently includes your conversations as well, the device is probably WiFi connected and you can wonder how secure the communication is between the device and the Amazon servers.
We have already seen what Samsung smart TVs can do for your privacy by actually recording and storing everything you say in front of your TV set. Samsung at that time just wrote in their privacy policy either not to have sensitive conversations in front of the TV or switch the voice control feature off.
Will we see something similar with Amazon’s voice assistance device? Since they haven’t responded to privacy concerns questions yet, I am not that optimistic.
source: Identity Force (external link)

Prosecutors Get Warrant for Amazon Echo Data in Arkansas Murder Case

And just before the article would go live, I stumbled upon this story. Yes, the first legal attempt to obtain data from this device apparently already happened, as expected it would, but not this fast.
According to this article though the device only records and stores commands given and all audio recordable at the same time. So not, as in the Samsung case, everything you say within microphone shot (earshot) of the device. Although it does listen constantly for the activation term to which you may wonder where that data is processed.
source: NBC News (external link)

Other articles in this series

  • Day 1: Introduction
  • Day 2: security Breaches
  • Day 3: The InterNOT of Things
  • Day 4: Cryptography
  • Day 5: Interesting facts
  • Day 7: Software security
  • Day 8: Information Security titbits
  • Day 6: Technology impact on privacy
  • Day 10: Legal privacy
  • Day 11: Online surveillance
  • Day 12: The Niner predictions for 2017

Filed Under: Noteworthy Series Tagged With: E-Privacy Regulation, InfoSec, Privacy
