Rina Steenkamp - Privacy and technology
[Empirical analysis of data breach litigation | Privacy protection for social networking platforms | Social authentication - harder than it looks | Commission proposes a comprehensive reform of the data protection rules | [SABAM] v Netlog NV | Follow-up report to the 2010 EDPS video-surveillance guidelines | Mapping of the process to commodify personal identifiable information in social media - Mappping and in-depth analysis of corporate profiling techniques | Does it help or hinder? Promotion of innovation on the internet and citizens' right to privacy | Guidelines on security and privacy in public cloud computing | Economics of security - facing the challenges | Using browser properties for fingerprinting purposes | Security threat report 2012 | Ron was wrong, Whit is right | Conundrum]
A paper by Sacha Romanosky, David A. Hoffman and Allessandro Acquisti.
Abstract:
"In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated, which are not? Which lawsuits settle, or are dismissed? Using a unique database of manually-collected lawsuits from PACER, we analyze the court dockets of over 230 federal data breach lawsuits from 2000 to 2010. We use binary outcome regressions to investigate two research questions: Which data breaches are being litigated in federal court? Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued in federal court are 3.5 times greater when individuals suffer financial harm, but over 6 times lower when the firm provides free credit monitoring following the breach. We also find that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. While the compromise of financial information appears to lead to more federal litigation, it does not seem to increase a plaintiff's chance of a settlement. Instead, compromise of medical information is more strongly correlated with settlement. "
Sacha Romanosky, David A. Hoffman and Allessandro Acquisti: Empirical analysis of data breach litigation (SSRN)
[Open link in this window | Open link in new window]
Concurring Opinions: Dockets and data breach litigation
[Open link in this window | Open link in new window]
A paper by Adrienne Felt and David Evans.
Abstract:
"Social networking platforms integrate third-party content into social networking sites and give third-party developers access to user data. These open interfaces enable popular site enhancements but pose serious privacy risks by exposing user data to third-party developers. We address the privacy risks associated with social networking APIs by presenting a privacy-by-proxy design for a privacy-preserving API. Our design is motivated by an analysis of the data needs and uses of Facebook applications. We studied 150 popular Facebook applications and found that nearly all applications could maintain their functionality using a limited interface that only provides access to an anonymized social graph and placeholders for user data. Since the platform host can control the third party applications' output, privacy-by-proxy can be accomplished by using new tags and data transformations without major changes to either the platform architecture or applications."
Adrienne Felt and David Evans: Privacy protection for social networking platforms (PDF)
[Open link in this window | Open link in new window]
Light Blue Touchpaper: Cloudy with a chance of privacy
[Open link in this window | Open link in new window]
A paper by Hyoungshick Kim, John Tang, and Ross Anderson.
Abstract:
"A number of web servicefirms have started to authenticate users via their social knowledge, such as whether they can identify friends from photos. We investigate attacks on such schemes. First, attackers often know a lot about their targets; most people seek to keep sensitive information private from others in their social circle. Against close enemies, social authentication is much less effective. We formally quantify the potential risk of these threats. Second, when photos are used, there is a growing vulnerability to face-recognition algorithms, which are improving all the time. Network analysis can identify hard challenge questions, or tell a social network operator which users could safely use social authentication; but it could make a big difference if photos weren't shared with friends of friends by default. This poses a dilemma for operators: will they tighten their privacy default settings, or will the improvement in security cost too much revenue?"
Hyoungshick Kim, John Tang, and Ross Anderson: Social authentication - harder than it looks (PDF)
[Open link in this window | Open link in new window]
Light Blue Touchpaper: Social authentication - harder than it looks!
[Open link in this window | Open link in new window]
Legislative proposals by the EC.
From the main page:
"The European Commission has today proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around EUR 2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe."
EC: Commission proposes a comprehensive reform of the data protection rules
[Open link in this window | Open link in new window]
ComputerWorld: Firms will struggle to report data breaches within 24 hours, industry warns
[Open link in this window | Open link in new window]
HL: European Commission releases official draft of groundbreaking data protection regulation
[Open link in this window | Open link in new window]
Inside Privacy: European Commission proposes comprehensive data protection reform
[Open link in this window | Open link in new window]
Privacy & Security Source: European Commission releases much anticipated data protection regulation - questions remain about what will finally be implemented
[Open link in this window | Open link in new window]
Techdirt: Why can't Europe just forget the ridiculous idea of a 'right to be forgotten'
[Open link in this window | Open link in new window]
Time Techland: What Europe's 'right to be forgotten' has in common with SOPA
[Open link in this window | Open link in new window]
Jurel: De nieuwe privacyverordening
[Open link in this window | Open link in new window]
Security.nl: Waakhonden positief over Europese privacyregels
[Open link in this window | Open link in new window]
Security.nl: "Datalekken onmogelijk binnen 24 uur te melden"
[Open link in this window | Open link in new window]
Tweakers.net: Europa presenteert strengere privacyregels
[Open link in this window | Open link in new window]
WebWereld: Kritiek op 'verwaterd' EC-voorstel databescherming
[Open link in this window | Open link in new window]
WebWereld: Amerikanen hekelen Europese online privacyregels
[Open link in this window | Open link in new window]
A judgment by the European Court of Justice.
From the judgement:
"38. In the light of the foregoing, it must be held that the injunction imposed on the hosting service provider requiring it to install the contested filtering system would oblige it to actively monitor almost all the data relating to all of its service users in order to prevent any future infringement of intellectual-property rights. It follows that that injunction would require the hosting service provider to carry out general monitoring, something which is prohibited by Article 15(1) of Directive 2000/31 (see, by analogy, Scarlet Extended, paragraph 40).
45. In the main proceedings, the injunction requiring the installation of the contested filtering system involves monitoring all or most of the information stored by the hosting service provider concerned, in the interests of those rightholders. Moreover, that monitoring has no limitation in time, is directed at all future infringements and is intended to protect not only existing works, but also works that have not yet been created at the time when the system is introduced.
46. Accordingly, such an injunction would result in a serious infringement of the freedom of the hosting service provider to conduct its business since it would require that hosting service provider to install a complicated, costly, permanent computer system at its own expense, which would also be contrary to the conditions laid down in Article 3(1) of Directive 2004/48, which requires that measures to ensure the respect of intellectual-property rights should not be unnecessarily complicated or costly (see, by analogy, Scarlet Extended, paragraph 48).
47. In those circumstances, it must be held that the injunction to install the contested filtering system is to be regarded as not respecting the requirement that a fair balance be struck between, on the one hand, the protection of the intellectual-property right enjoyed by copyright holders, and, on the other hand, that of the freedom to conduct business enjoyed by operators such as hosting service providers (see, by analogy, Scarlet Extended, paragraph 49).
48. Moreover, the effects of that injunction would not be limited to the hosting service provider, as the contested filtering system may also infringe the fundamental rights of that hosting service provider’s service users, namely their right to protection of their personal data and their freedom to receive or impart information, which are rights safeguarded by Articles 8 and 11 of the Charter respectively.
49. Indeed, the injunction requiring installation of the contested filtering system would involve the identification, systematic analysis and processing of information connected with the profiles created on the social network by its users. The information connected with those profiles is protected personal data because, in principle, it allows those users to be identified (see, by analogy, Scarlet Extended, paragraph 51).
50. Moreover, that injunction could potentially undermine freedom of information, since that system might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications. Indeed, it is not contested that the reply to the question whether a transmission is lawful also depends on the application of statutory exceptions to copyright which vary from one Member State to another. In addition, in some Member States certain works fall within the public domain or may be posted online free of charge by the authors concerned (see, by analogy, Scarlet Extended, paragraph 52)."
European Court of Justice: [SABAM] v Netlog NV
[Open link in this window | Open link in new window]
EDRi: SABAM vs Netlog - another important ruling for fundamental rights
[Open link in this window | Open link in new window]
La Quadrature du Net: Online copyright - European Court of Justice rules out private and automatic censorship
[Open link in this window | Open link in new window]
BoF: EU Hof - permanent controleren internetters verboden
[Open link in this window | Open link in new window]
Tweakers.net: Hof van Justitie EU - geen piraterijfilter voor sociale netwerken
[Open link in this window | Open link in new window]
A report by the EDPS.
From the Executive Summary:
"In March 2010, the European Data Protection Supervisor (EDPS) issued Video-Surveillance Guidelines [...]. This public Report is a systematic and comparative analysis of the status reports received from a total of 42 European Union institutions and bodies [...]. Next to highlighting best practices this report underlines shortcomings in those bodies lagging behind in their efforts to ensure compliance with the Guidelines. It furthermore clarifies certain aspects of the Guidelines, where questions were raised by bodies in preparing their video-surveillance policy or a need for clarification became apparent through the analysis of the state-ofplay reports."
EDPS: Follow-up report to the 2010 EDPS video-surveillance guidelines (PDF)
[Open link in this window | Open link in new window]
PrivacyNieuws: EDPS - gebrek aan naleving Richtlijnen van het videotoezicht door verscheidene EU-instellingen
[Open link in this window | Open link in new window]
A report by Rob Heyman, Jo Pierson and Ike Picone (IBBT-SMIT).
From the Abstract:
"Social media and its main revenue model, advertising, have brought privacy issues along. This deliverable maps the process wherein Personal Identifiable Information (PII) is gathered and commodified as a sellable service."
Rob Heyman, Jo Pierson and Ike Picone (IBBT-SMIT): Mapping of the process to commodify personal identifiable information in social media - Mappping and in-depth analysis of corporate profiling techniques (PDF)
[Open link in this window | Open link in new window]
EMSOC: Belangrijkste conclusies van het rapport 'Persoonsgegevens op sociale media'
[Open link in this window | Open link in new window]
EditiePajot: LinkedIn en Facebook plakken reclame aan onze persoonlijke berichten
[Open link in this window | Open link in new window]
PrivacyNieuws: Belangrijkste conclusies van het raport 'Persoonsgegevens op sociale media'
[Open link in this window | Open link in new window]
A study published by the European Parliament.
Abstract:
"This study investigates the interplay between Internet innovation and privacy. We propose working definitions of innovation and privacy and review the literature about their interaction. We interpret the possible tensions and problems in terms of market and system failures and analyse the relevant legal and policy aspects in relation to examples of privacy invasion and/or protection by innovating companies. Using a four issue framework we analyse relevant case studies such as cloud computing and online behavioural advertising. Following a gap analysis according to our model of failure, we present a series of recommendations aimed at different stakeholders. The study was based on desk research, key informant interviews, case studies and an interactive expert consultation held in Brussels in June 2011."
European Parliament: Does it help or hinder? Promotion of innovation on the internet and citizens' right to privacy (PDF)
[Open link in this window | Open link in new window]
TNO: Privacy onder druk - de waarde van persoonsgegevens
[Open link in this window | Open link in new window]
PrivacyNieuws: TNO; Privacy onder druk, de waarde van persoonsgegevens
[Open link in this window | Open link in new window]
WebWereld: 'Internetinnovatie is slecht voor de privacy'
[Open link in this window | Open link in new window]
Guidelines by NIST.
Abstract:
"Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment."
NIST: Guidelines on security and privacy in public cloud computing
[Open link in this window | Open link in new window]
NIST: NIST issues cloud computing guidelines for managing security and privacy
[Open link in this window | Open link in new window]
Inside Privacy: NIST issues guidelines on public cloud security, privacy
[Open link in this window | Open link in new window]
A multidisciplinary assessment by ENISA.
From the Executive summary:
"[...] ENISA has analysed economic drivers and barriers in a number of areas (including policy, research, technology and business) and has identified potential areas of improvement to boost security and resilience in public systems and networks and consequently in relevant products and services by taking into account the economic dimension. This effort contributes to the identification of topics in the area of Economics of Security in line with the efforts to boost Europe’s economic performance and introduce measures to reinforce the benefits of the single market, as announced in the Digital Agenda for Europe."
ENISA: Economics of security - facing the challenges (PDF)
[Open link in this window | Open link in new window]
Economics of security - work and achieved results
[Open link in this window | Open link in new window]
ENISA: New report published on "economics of security"
[Open link in this window | Open link in new window]
A paper by Ralph Broenink.
From the Abstract:
"It is widely known that cookies can be used to track users. However, even privacy-aware users are trackable by the properties the browser sends with every request. Based on information like the browser vendor, plugin versions and the installed fonts, a fingerprint may be created that uniquely identi es a browser."
Ralph Broenink: Using browser properties for fingerprinting purposes (PDF)
[Open link in this window | Open link in new window]
Computable: 'Nieuwe cookiewet is eenvoudig te omzeilen'
[Open link in this window | Open link in new window]
Computable: 'KPN koppelt ID aan internetverkeer'
[Open link in this window | Open link in new window]
A report by Sophos.
From the Foreword:
"Over the past year we in the IT security industry have seen a growing awareness of the work we do. In 2011, a number of highly visible cyberattacks made news headlines around the world, but the underlying problem affects us all. It seems that the cybercriminals are getting bolder in their attacks as the availability of commercial tools makes mass generation of new malicious code campaigns and exploits easier. The net result has been significant growth in volume of malware and infections."
Sophos: Security threat report 2012
[Open link in this window | Open link in new window]
Naked Security: Sophos security threat report 2012 - seeing through the hype
[Open link in this window | Open link in new window]
A paper by Arjen K. Lenstra, James P. Huges, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung and Christope Wachter.
Abstract:
"We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for 'multiple-secrets' cryptosystems such as RSA is significantly riskier than for 'single-secret' ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman."
Arjen K. Lenstra, James P. Huges, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung and Christope Wachter: Ron was wrong, Whit is right (PDF)
[Open link in this window | Open link in new window]
DarkReading: Public key used to secure HTTPS fails 'sanity check'
[Open link in this window | Open link in new window]
EFF: Researchers use EFF's SSL Observatory to discover widespread cryptographic vulnerabilities
[Open link in this window | Open link in new window]
NYT: Flaw found in an online encryption method
[Open link in this window | Open link in new window]
Privacy Lives: New York Times - Flaw found in an online encryption method
[Open link in this window | Open link in new window]
AG: Nederlander ontdekt fout in RSA-encryptie
[Open link in this window | Open link in new window]
Security.nl: Nederlander vindt lek in RSA-algoritme
[Open link in this window | Open link in new window]
Tweakers.net: Nederlandse wiskundige - 2 op 1000 rsa-keys zijn onveilig
[Open link in this window | Open link in new window]
An article by Derek E. Bambauer.
From the Abstract:
"Cybersecurity is a conundrum. Despite a decade of sustained attention from scholars, legislators, military officials, popular media, and successive presidential administrations, little if any progress has been made in augmenting Internet security. Current scholarship on cybersecurity is bound to ill-fitting doctrinal models. It addresses cybersecurity based upon identification of actors and intent, arguing that inherent defects in the Internet’s architecture must be remedied to enable attribution. These proposals, if adopted, would badly damage the Internet’s generative capacity for innovation."
Derek E. Bambauer: Conundrum (SSRN)
[Open link in this window | Open link in new window]
Concurring Opinions: Goldilocks and cybersecurity
[Open link in this window | Open link in new window]
Concurring Opinions: Cybersecurity puzzles
[Open link in this window | Open link in new window]