Rina Steenkamp - Privacy and technology
[Accountability as the basis for regulating privacy - can information security regulations inform privacy policy? | Against notice skepticism | The case for online obscurity | Dispelling the myths surrounding de-identification - anonymization remains a strong tool for protecting privacy | Regulating privacy by design | A breach of confidence | FireEye Advanced Threat Report - 1H 2011 | Interim report, September 5, 2011, DigiNotar Certificate Authority breach | Opinion on the compatibility of [ACTA] with the [ECHR] and the EU Charter of Fundamental Rights | Improved response to disasters and outbreaks by tracking population movements with mobile phone network data - A post-earthquake geospatial study in Haiti | Mining the Dutch National ICT Dashboard | Consumer behaviour in a digital environment | In the matter of an application of the United States of America for an order authorizing the release of historical cell-site information | The evolving landscape of internet control | 2011 Canadians and privacy survey | W32.Xpaj.B - Making easy money from complex code | ACTA and access to medicines]
An article by Mary J. Culnan.
From the Abstract:
"This paper argues that the current approach to regulating privacy based on 'notice and choice' or 'harm' is not effective and needs to be revisited. This approach places too much burden on the individual, frequently deals with harm only after the fact, and has failed to motivate organizations to proactively prevent privacy or security incidents resulting from their information processing activities. As an alternative, the paper proposes augmenting the current approach with new regulations based on accountability where firms are delegated responsibility to develop risk management programs for privacy tailored to their individual circumstances."
Mary J. Culnan: Accountability as the basis for regulating privacy - can information security regulations inform privacy policy? (PDF)
FPF: "Privacy papers for policy makers, vol 2" released today
An article by M. Ryan Calo.
From the introduction to the article:
"Requiring notice is a very popular way to regulate. It is also among the most heavily criticized. This article undermines the case for notice skepticism by exposing two erroneous assumptions critics of notice commonly make. The first assumption is that notice is monolithic. It is not. Notice consists of several, distinct strategies. [...] The second assumption is that notice must consist of language or its symbolic equivalent."
M. Ryan Calo: Against notice skepticism (PDF)
FPF: "Privacy papers for policy makers, vol 2" released today
An article by Woodrow Hartzog and Frederic Stutzman.
From the introduction:
"This article has three main purposes: 1) To demonstrate that obscurity is a crucial component of online privacy that has largely been ignored by the law; 2) To conceptualize online obscurity in a useful way for privacy doctrine; and 3) To propose ways that our conceptualization could be implemented to remedy the tension between privacy law and Internet users' experience and expectations."
Woodrow Hartzog and Frederic Stutzman: The case for online obscurity (PDF)
FPF: "Privacy papers for policy makers, vol 2" released today
An article by Ann Cavoukian, Ph.D. and Khaled El Emam, Ph.D.
From the introduction:
"Recently, the value of de-identification of personal information as a tool to protect privacy has come into question. Repeated claims have been made regarding the ease of re-identification. We consider this to be most unfortunate because it leaves the mistaken impression that there is no point in attempting to de-identify personal information, especially in cases where de-identified information would be sufficient for subsequent use, as in the case of health research. The goal of this paper is to dispel this myth — the fear of re-identification is greatly overblown."
Ann Cavoukian, Ph.D. and Khaled El Emam, Ph.D.: Dispelling the myths surrounding de-identification - anonymization remains a strong tool for protecting privacy (PDF)
FPF: "Privacy papers for policy makers, vol 2" released today
An article by Ira S. Rubinstein.
From the article:
"This Article seeks to clarify the meaning of privacy by design and to suggest how privacy officials might develop appropriate regulatory incentives that offset the certain economic costs and somewhat uncertain privacy benefits of this new approach."
Ira S. Rubinstein: Regulating privacy by design (PDF)
FPF: "Privacy papers for policy makers, vol 2" released today
A report by the Parliamentary and Health Service Ombudsman.
From the foreword:
"Ms M complained that, without her knowledge, her personal details were changed in error on one government agency’s computer system and her personal details were then changed across a network of government computer systems that linked the records of HM Revenue & Customs, the Child Support Agency and the Department for Work and Pensions. As a consequence of the original mistake, her personal financial information was then sent to her former partner, and her child support entitlement was reassessed and reduced without her participation or knowledge. To compound matters, when Ms M discovered the error and queried how it had happened, none of these public bodies could tell her. Instead of taking responsibility for what had happened, they passed her from one organisation to another. Far from attempting to sort things out and provide Ms M with an assurance that her personal data was secure, each of these bodies denied responsibility for making the mistake."
Parliamentary and Health Service Ombudsman: A breach of confidence (PDF)
HawkTalk: Personal data sharing - when it goes wrong, it's a nightmare?
A report by FireEye.
From the executive summary:
"Based on our analysis of 1H2011 threat data, today’s cyber criminals are breaking through traditional security defenses at an alarming rate despite the $20B invested in IT security in 2010. We are clearly in a new era of dynamic cyber attacks that are very successful at evading traditional defenses, leaving virtually every enterprise vulnerable to data theft, cyber-espionage and intellectual property alteration, theft and destruction. [...] Based on the threat data we reviewed, criminals have developed workarounds to bypass traditional defenses using dynamic code as well as utilizing sophisticated social engineering to fool even the most educated users."
FireEye: FireEye Advanced Threat Report - 1H 2011 (PDF)
FireEye: FireEye advanced threat report 1H2011
Ms Smith: Report - Malicious infections on 99% of enterprise networks
A report by Fox-IT.
Findings from paragraph 4.4 of the report:
"The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN. The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced. The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers. An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place."
Fox-IT: Interim report, September 5, 2011, DigiNotar Certificate Authority breach (PDF)
Rijksoverheid: Letter to Parliament on the DigiNotar digital break-in
Govcert.nl: Interim report on the DigiNotar digital break-in published
Naked Security: Operation Black Tulip - Fox-IT's report on the DigiNotar breach
SANS Blog: DigiNotar SSL incident response report - no logging, weak password, no protected network
AG: DigiNotar seriously at fault
Security.nl: DigiNotar as leaky as a sieve
Nu.nl: 'DigiNotar ignored abuse and was poorly secured'
WebWereld: Fox-IT: DigiNotar did not even use a virus scanner
An opinion by Douwe Korff and Ian Brown.
From Summary & Conclusions:
"Overall, ACTA tilts the balance of IPR protection manifestly unfairly towards one group of beneficiaries of the right to property, IP right holders, and unfairly against others. It equally disproportionately interferes with a range of other fundamental rights, and provides or allows for the determination of such rights in procedures that fail to allow for the taking into account of the different, competing interests, but rather, stack all the weight at one end."
Douwe Korff and Ian Brown: Opinion on the compatibility of [ACTA] with the [ECHR] and the EU Charter of Fundamental Rights (PDF)
WebWereld: 'ACTA treaty violates human rights'
A report by Linus Bengtsson, Xin Lu, Anna Thorson, Richard Garfield, Johan von Schreeb.
Linus Bengtsson, Xin Lu, Anna Thorson, Richard Garfield, Johan von Schreeb: Improved response to disasters and outbreaks by tracking population movements with mobile phone network data - A post-earthquake geospatial study in Haiti
The Register: Haiti study - Mass mobile tracking can be laudable
An analysis report by the Software Improvement Group.
From the Summary:
"The Dutch National ICT Dashboard, launched on the 18th of May 2011, is a public website that provides Dutch citizens with an overview of the large and/or high-risk IT projects of the national government, based on information provided by the various ministries to the parliament. The top pages of the dashboard show overall scores of each project, while underlying pages provide more detailed information per project. We have automatically retrieved all project information from the dashboard and computed key performance indicators for all projects and for the portfolio of projects as a whole that can serve as alternatives to the overall scores provided by the dashboard itself."
Software Improvement Group: Mining the Dutch National ICT Dashboard (PDF)
AG: Government dozes off at the traffic light
A report by European Parliament/Internal Market and Consumer Protection.
From section 4.3.5:
"The internet has made it easier for firms to target advertising to specific consumer groups. Instead of spending large amounts on mass broadcasting, firms can pay for highly targeted activities for select groups of consumers. This activity has become known as 'behavioural targeting' or 'micro targeting'. According to the online advertising industry, this is highly cost effective for businesses because advertisements are targeted at consumers who are most likely to respond to them. In the UK, two thirds of companies report that behavioural advertising performs better than other online advertising [...]. As a result, the online advertising industry has observed a trend towards online advertising strategies that increase the relevance of advertisements to potential consumers and hence target ads."
European Parliament/Internal Market and Consumer Protection: Consumer behaviour in a digital environment (PDF)
SOLV: Study on e-commerce in Europe published
A decision by Nicholas G. Garaufis, United States District Judge.
From the Conclusion:
"While the government's monitoring of our thoughts may be the archetypical Orwellian intrusion, the government's surveillance of our movements over a considerable time period through new technologies, such as the collection of cell-site-location records, without the protections of the Fourth Amendment, puts our country far closer to Oceania than our Constitution permits. It is time that the courts begin to address whether revolutionary changes in technology require changes to existing Fourth Amendment doctrine."
Nicholas G. Garaufis, United States District Judge: In the matter of an application of the United States of America for an order authorizing the release of historical cell-site information (PDF)
Wired Threat Level: Judge calls location-tracking Orwellian, while Congress moves to legalize it
Out-law.com: US judge says Government should have a warrant to obtain geolocation data
Ars Technica: Judge says warrant required for cell phone location data
A summary of recent research and recommendations by Hal Roberts, Ethan Zuckerman, Robert Faris, Jillian York, and John Palfrey.
From the Overview:
"We also found that a majority of the surveyed bloggers perceived themselves at risk of arrest or persecution for posting political content. Many posted some (but not all) risky content anyway. This finding suggests that projects that focus on providing unfiltered access to international websites are not sufficient. International platforms like YouTube, Twitter, and Facebook that allow local communities to interact and post content certainly play an important role in political activism in repressive countries. But the most important space in this battle may not be in the firewalls between filtering countries and the rest of the world but rather within the local communities in the country where people prefer local over foreign content and daily struggle with decisions about how to self censor to minimize risk of offline persecution."
Hal Roberts, Ethan Zuckerman, Robert Faris, Jillian York, and John Palfrey: The evolving landscape of internet control (PDF)
Berkman Center: The evolving landscape of internet control
BoF: Three new tricks of the modern internet dictator
A survey by the Office of the Privacy Commissioner of Canada.
From the key findings:
"A majority of Canadians indicated they believed that if an organization is found to have contravened a privacy law, government agencies that oversee Canadian privacy laws should take action:
- Legally requiring that a delinquent organization put the necessary privacy protections in place was the most popular requested action. Almost all respondents (97%) believed this should be done. Making non-binding recommendations to the organization about how to improve privacy protection was the least popular of the possible actions tested, yet it was still seen by 78% of Canadians as something that should be done.
- As well, large majorities felt it would be appropriate to name the organization publicly (95%), fine the organization (91%) and/or take the organization to court (84%)."
Office of the Privacy Commissioner of Canada: 2011 Canadians and privacy survey
OPC: Canadians and privacy survey results - how do you feel about your privacy?
A report by Symantec.
From the Abstract:
"W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. Given this level of complexity, it was decided to conduct a deep analysis of this threat. [...] An investigation of the server revealed [...] details of a click-fraud operation spread over multiple computers hosted in several countries. The server contained logs and databases of the criminal’s activities, including a record of earnings from late September of 2010 up to June 28th of this year. The maximum earnings in a single day were US$450, with an average of US$170 a day. Overall, the scheme grossed approximately US$46,000."
Symantec: W32.Xpaj.B - Making easy money from complex code (PDF)
Security.nl: Botnet hijacks 87 million search queries
A report by Sean Flynn, Bijan Madhani and Michael Vasquez.
From the introduction and executive summary:
"The conclusions of this report are necessarily tentative. The report analyzes potential impacts of various ACTA provisions on access to medicines, primarily in the sense of raising intellectual property standards and enforcement measures on medicines in ways that could raise barriers to generic entry into developing country markets. A full assessment of ACTA's actual impact on access to medicines depends on a multitude of interpretive choices by countries and the ACTA Committee in implementing the agreement, and thus will vary from country to country. On the whole, what appears clear is that, through a highly secretive process, ACTA negotiators created an agreement that shifts international 'hard law' rules and 'soft law' encouragements toward the interests of intellectual property rights holders. It makes enforcement of intellectual property rights in courts, at borders, by the government and by private parties easier, less costly, and more 'deterrent' in the level of penalties. In doing so, it increases the risks and consequences of wrongful searches, seizures, lawsuits and other enforcement actions against legitimate suppliers of generic medicines."
Sean Flynn, Bijan Madhani and Michael Vasquez: ACTA and access to medicines
Techdirt: Report commissioned by EU Parliament members shows ACTA will increase health risks worldwide