The niner noteworthy stories of 2017 (week 17)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Data portability, communication privacy and American consumers may get EU-style protection


European Commission, experts uneasy over WP29 data portability interpretation

In some cases I believe the Article 29 Working Party’s description may be better suited to everyday situations than the drawn-up compromise written down in the GDPR. The fact is pretty simple: how do you know for certain that the data was provided by the data subject?
The fact that the WP29 also includes data observed by the device of the data subject clearly goes further than data provided, indeed. But as our devices are becoming more and more an extension of us, I think it’s only fair that this inclusion is made in this way.
Interestingly, the article states that a health profile does not fall under the data portability clause, although it’s not entirely clear if the author means article 20 of the GDPR or the WP29 guidance. Although if the data subject viewed the profile, it has also been “observed” by his or her device? And why not include all data, provided as well as inferred?
This comes down to the fundamental question of whose data it is in the first place.
I disagree that this is only meant for social media; although maybe primarily so, I can think of situations where e-mail and financial data would fall under this scope as easily as social media transcripts.
source: IAPP Privacy Advisor (external link)

EDPS calls for strong and smart new rules to protect confidentiality of communications

It seems like the EDPS (European Data Protection Supervisor) is actually warning us about another compromise piece of legislation that leaves gaps in the fundamental privacy protection for EU citizens whilst at the same time allowing escapes for large, mostly American-based, tech companies to circumvent the added privacy protection mechanisms.
This would not only weaken the overall privacy level but also create an uneven and unfair competitive advantage for some companies.
Creating different classes of communication may seem a wise idea; however, it will greatly depend on how technology-agnostic those descriptions really are. The European Union can set the tone for privacy protection in communications for years to come; it will greatly depend on this latter point whether it will succeed or fail, because of the fast pace of technological changes.
source: European Data Protection Supervisor (external link)
An alternative view is presented here: Center for Democracy & Technology (external link)

New European Union Financial Rules to Give U.S. Consumers Protection as Well

Indeed, the new privacy regulation in Europe cannot be implemented in a checkbox-compliance manner. Yet that is precisely the standard mentality within the financial sector I have seen with multiple organisations. Although it seems they want to do the right thing, the burden of regulations in the financial sector more or less pushes the sector into this level of response.
Another thing that may work against multinationals and the opinion raised in this article is that the GDPR may very well conflict with national and/or local laws in other countries, which would mean that making your organisation fully GDPR compliant worldwide breaks laws as well as enforces others.
I hate to say it, but the people quoted in this article seem to have no clue of what they are talking about. Yes, some GDPR protection may spill over into the US market, but not to the level suggested in this article.
source: WSJ (external link)

E-mail insecurity, carjacking and correctly signed Apple malware

Hyundai app security blunder allowed crooks to ‘steal victims’ cars’

So before app version X it apparently didn’t transmit sensitive data back home, and after version Y they stopped doing it too, because they actually couldn’t build the feature in their app in a secure manner. Yes, they fixed it, but why are all companies always stating that they take the security and privacy of their customers seriously whilst the security blunder itself clearly shows differently?
Implementing cryptography correctly may be more difficult than the job this car maker did in its app, but then why was it released to the public in the first place? Ah yes, business pressure and maybe even the awesome benefits of things like drag-and-drop coding, agile, scrum and who knows even devops.
Whatever the reason and causes, one thing is painfully clear: security and privacy by design and default as well as basic secure coding principles were certainly not part of the software development lifecycle within this organisation.
source: The Register (external link)

Malware Uses Apple Developer Certificate to Infect MacOS and Spy on HTTPS Traffic

Yes indeed, your Mac needs anti-virus, anti-malware and anti-ransomware protection software, as do any other machines, including Windows and, yes, Linux too. It would be interesting to know how the miscreants got hold of a valid developer certificate, okay, more precisely, the private key used to sign the malware and for which a certificate was issued by Apple.
Whilst users of a Mac must be particularly careless to become infected with this piece of malware, the chance is always present, and therefore Mac users also need to be vigilant about phishing mails and other threats.
source: MacRumors (external link)

BBC exposes flaws in ‘world’s most secure’ email service

If the installation of old software (5 years old in one case), vulnerable applications, easily exploitable PHP code, as well as too-easy default passwords that weren’t even mandatory to change, wasn’t enough to demonstrate that the company behind the Nomx doesn’t really know what it is doing, its response received by the BBC puts the lid on this box for good:

Late on 27 April, Nomx published a strong defence of its product and disputed the way in which Mr Helme tested the device. Mr Donaldson said Mr Helme’s tests were unrealistic, as they involved actions no typical user would undertake.

Yes, and that’s precisely the point: hackers are not “your typical user”, and if your product’s security does not take that into account, you are vulnerable and a danger to society.
The line below this quote makes the entire situation even worse. I understand all kinds of companies want to cash in on the feeling and actual insecurity of e-mail and the internet itself, but this company is making the situation even worse and profiting from it at the same time.
source: BBC News (external link)
More details on the research undertaken here: Ars Technica UK (external link)

Social media and privacy


Snapchat tops Facebook and Twitter on privacy — here’s why brands should care

Interesting to see what the users’ (products’) perception is of the different social media platforms. This whilst all of them harvest your data and usage patterns to show you advertising that is as personal as possible, because that’s their default and only business model and revenue stream.
Maybe it is the feeling that stuff that disappears, or seems to disappear as can be expected, is more privacy-friendly than the standard model used by e.g. Facebook. However, does your Snapchat data actually disappear at all?
Even if it does, it has already been scanned, inferenced and profiled before it arrives at its destination. Probably even sold onwards as part of your profile as well.
So all feelings of privacy aside, this is interesting research but says absolutely nothing about the real privacy value of these types of companies.
source: Yahoo Finance (external link)

Data protection boss vows she will use new powers to fine firms up to €20m

An interesting interview with the head of the Irish data protection agency. What is clear is that the Irish DPA may be understaffed, specifically related to the fact that a lot of international (mostly American) tech companies need to answer to them for privacy violations. This would mean that, because of prioritisation, they may get away with minor breaches under the GDPR and the upcoming e-Privacy regulation.
Maybe it would help if the EU sponsored some of this activity to bring a larger assurance level to EU citizens that their fundamental privacy is guaranteed by the US-based companies.
As for her note on Privacy Shield, I stand by my prediction that it will not survive 2017 and will probably fail during the review now planned for September this year, if memory serves me well enough.
source: (external link)

How to . . . tighten up your online privacy

Some basic stuff you as a user can indeed undertake; however, in a lot of cases the advertising industry has already undertaken massive amounts of work to make sure they can still track you despite your best efforts to stay as anonymous as possible online.
I have mentioned some of these, which include browser fingerprinting via audio and video files as well as via the number and types of plugins or widgets installed, in previous articles of this series already. No doubt the industry is thinking of more devious ways to work around our feeble attempts to not be tracked.
And it’s not only advertising companies; even large international retailers like Amazon (The Atlantic, external link) are doing it and are now even selling the tools for your company to further invade your customers’ privacy at a bargain price.
source: The Irish Times (external link)