Rina Steenkamp - Privacy and technology
[2012 data breach investigations report | Search engine use 2012 | The Symantec smartphone honey stick project | Cloud computing use cases white paper | Opinion of the European Data Protection Supervisor on the data protection reform package | Comparative table - Commission for a General Data Protection Regulation - 1995 Data Protection Directive | Identity theft red flags rules | Consumer Sentinel Network data book for January - December 2011 | Study on monetising privacy - An economic model for pricing personal information | The human factor in data protection | Privacy design guidelines for mobile application development | 2011 Mobile threats report | Verizon 2011 investigative response (IR) caseload review | Imperva's hacker intelligence summary report - The anatomy of an Anonymous attack | The fight against cybercrime - Cooperation between CERTs and law enforcement agencies in the fight against cybercrime | [Letter to Google, Inc.] | Consumer data privacy in a networked world - A framework for protecting privacy and promoting innovation in the global digital economy | Case of Romet v. the Netherlands | Mobile apps for kids - current privacy disclosures are disappointing | Computer security incident handling guide (draft) | Common sense guide to prevention and detection of insider threats]
A report by Verizon.
From the executive summary:
"This unrest that so typified 2011 was not, however, constrained to the physical world. The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of 'hacktivism' rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior. It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft."
Verizon: 2012 data breach investigations report (PDF)
Verizon: Data breach investigations report
Wired Threat Level: Report - Hacktivists out-stole cybercriminals in 2011
A report by Pew Internet.
From the summary of findings:
"65% say... It’s a BAD thing if a search engine collected information about [their] searches and then used it to rank [their] future search results, because it may limit the information [they] get online and what search results [they] see [...] 73% say they would... NOT BE OKAY with a search engine keeping track of [their] searches and using that information to personalize [their] future search results because [they] feel it is an invasion of privacy [...] 68% say... [they're] NOT OKAY with targeted advertising because [they] don’t like having [their] online behavior tracked and analyzed"
Pew Internet: Search engine use 2012 (page links to PDF)
MediaPost: Most web users dislike behavioral targeting, personalized search
Epic.org: Pew study - search engine users anxious about collection of personal information
A report by Symantec.
From the executive summary:
"The Symantec Smartphone Honey Stick Project is an experiment involving 50 'lost' smartphones. Before the smartphones were intentionally lost, a collection of simulated corporate and personal data was placed on them, along with the capability to remotely monitor what happened to them once they were found. Chief among the findings is that there is a very high likelihood attempts to access both sensitive personal- and business-related information will be made if a lost and unprotected smartphone is found by a stranger. Secondarily, the owner of a lost smartphone should not assume the finder of their device will attempt to make contact with them. Even when contact is made, the owner of the device should not assume their personal- or business-related information has not been violated."
Symantec: The Symantec smartphone honey stick project (PDF)
Symantec: Introducing the Symantec smartphone honey stick project
Security.nl: Private data on lost smartphones viewed en masse
A white paper produced by the Cloud Computing Use Case Discussion Group.
From 1. Introduction:
"The goal of this white paper is to highlight the capabilities and requirements that need to be standardized in a cloud environment to ensure interoperability, ease of integration and portability. It must be possible to implement all of the use cases described in this paper without using closed, proprietary technologies. Cloud computing must evolve as an open environment, minimizing vendor lock-in and increasing customer choice."
Cloud Computing Use Case Discussion Group: Cloud computing use cases white paper (PDF)
Open cloud manifesto
ComputerWorld: 'Cloud standards well below par'
An opinion of the EDPS.
From chapter IV - conclusions and recommendations:
"The main weakness of the package as a whole is that it does not remedy the lack of comprehensiveness of the EU data protection rules. It leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters such as the Prüm Decision and the rules on Europol and Eurojust. Furthermore, the proposed instruments taken together do not fully address factual situations which fall under both policy areas, such as the use of PNR or telecommunication data for law enforcement purposes."
EDPS: Opinion of the European Data Protection Supervisor on the data protection reform package (PDF)
Out-law.com: Pan-European data protection policy still 'far from comprehensive', regulator warns
A document by the Council of the European Union.
From the front page:
"[...] a comparative table prepared by the Commission Services in which the first 21 articles of the Commission proposal for a General Data Protection Regulation are put next to the 1995 Data Protection Directive."
Council of the European Union: Comparative table - Commission for a General Data Protection Regulation - 1995 Data Protection Directive (PDF, hosted on Statewatch.org)
Jeroen Terstegge @PrivaSense
A proposal by the CFTC and SEC.
From the summary:
"First, the proposed rules and guidelines would require financial institutions and creditors to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The Commissions also are proposing guidelines to assist entities in the formulation and maintenance of a program that would satisfy the requirements of the proposed rules. Second, the proposed rules would establish special requirements for any credit and debit card issuers that are subject to the Commissions’ jurisdiction, to assess the validity of notifications of changes of address under certain circumstances."
CFTC and SEC: Identity theft red flags rules (PDF)
Data Privacy Monitor: SEC and CFTC propose identity theft prevention rules
A publication by the FTC.
From the Introduction:
"The Consumer Sentinel Network (CSN) is a secure online database of millions of consumer complaints available only to law enforcement. [...] Between January and December 2011, the CSN received more than 1.8 million consumer complaints, which the FTC has sorted into 30 complaint categories. [...] The 2011 Consumer Sentinel Network Data Book is based on unverified complaints reported by consumers. The data is not based on a consumer survey."
FTC: Consumer Sentinel Network data book for January - December 2011 (PDF)
Data Privacy Monitor: FTC report shows rise in identity theft complaints
A publication by ENISA.
From the executive summary:
"Do some customers of online services pay for privacy? Do some individuals value their privacy enough to pay a mark-up to an online service provider who protects their information better? How is this related to personalisation of services? The main goal of this report is to enable a better understanding of the interaction of personalisation, privacy concerns and competition between online service providers."
ENISA: Study on monetising privacy - An economic model for pricing personal information (PDF linked from page)
Light Blue Touchpaper: Privacy economics - evidence from the field
A report by Ponemon Institute LLC.
From Part 1. Introduction:
"According to 78 percent of respondents, their organizations have experienced a data breach as a result of negligent or malicious employees or other insiders. Employees losing laptops or other mobile devices, mishandling of data at rest and in motion and malicious employees or other insiders are the root causes of many of these data breaches in organizations. To manage the human factor risk, organizations are turning to such enabling technologies as access governance, endpoint security management, SIEM and security intelligence among others. Unfortunately, it seems that even when employees make unintentional mistakes most of these breaches are only discovered accidentally. Rarely do employees self-report the incident. While technologies are important in data protection, so is it critical for organizations to reduce the risk of employee negligence or maliciousness through policies, training, monitoring and enforcement."
Ponemon Institute LLC: The human factor in data protection (PDF)
Security.nl: "Staff responsible for most data leaks"
Guidelines by GSMA.
From the Introduction:
"The GSMA recently published a set of universal mobile privacy principles that describe the way in which mobile consumers' privacy could be respected and protected. These guidelines seek to articulate those principles in functional terms for mobile application design."
GSMA: Privacy design guidelines for mobile application development (PDF linked from page)
Naked Security: New privacy guidelines for mobile app developers
A report by Juniper Networks.
From the Executive Summary:
"The sheer volume of mobile devices in use today has given rise to a staggering range of possibilities for users to interact with and manage their work and personal data while mobile. However, those same opportunities also open the door to hackers. In 2011, Juniper Networks observed industrious hackers moving malware from proof of concept to profitability. Whether the motivation is notoriety, corporate espionage or financial gain, today’s hackers are more sophisticated and chasing higher rewards in their attacks. This means sensitive information from businesses, governments, service providers and users is at greater risk."
Juniper Networks: 2011 Mobile threats report (PDF)
Juniper Networks: Juniper mobile security report 2011 – unprecedented mobile threat growth
Schneier on Security: Mobile malware is increasing
A report by Verizon.
From the Executive Summary:
"2011 was an interesting year in cybercrime. From mini-breaches to mega-breaches, and from “hacktivism” to espionage to money-driven crime syndicates, there was plenty going on to keep Infosec professionals awake at night. As is typical when so much is happening in our world, there was also a high noise-to-signal ratio. Thus, we thought a few snapshots from the Verizon caseload might prove helpful to organizations waiting for the Data Breach Investigations Report (DBIR) to hit the shelves. We want to be clear that this paper is not the DBIR. Readers can expect that in the not-too-distant future. Neither is it an exhaustive or all-inclusive collection of our findings, but rather a glimpse at some of the main data points of interest."
Verizon: Verizon 2011 investigative response (IR) caseload review (PDF)
Security.nl: Most companies hacked via insecure passwords
A report by Imperva.
From the Executive Summary:
"During 2011, Imperva witnessed an assault by the hacktivist group ‘Anonymous’ that lasted 25 days. Our observations give insightful information on Anonymous, including a detailed analysis of hacking methods, as well as an examination of how social media provides a communications platform for recruitment and attack coordination."
Imperva: Imperva's hacker intelligence summary report - The anatomy of an Anonymous attack (PDF)
InformationWeek: Anonymous leaves clues in failed Vatican attack
DarkReading: Report offers insight into Anonymous' M.O.
A first deliverable of practices by ENISA.
From the Executive Summary:
"To act against cybercrime, collaboration between many actors and communities is required. In this collaboration the Computer Emergency Response Teams (CERTs) and Law Enforcement Agencies (LEAs), are paramount and indispensable players. At present CERT and LEA communities work mainly on their own in the fight against cybercrime. This report is a first attempt by ENISA to stimulate the discussion on this topic and to enhance the collaboration between these two communities to deal with this phenomenon more efficiently and effectively."
ENISA: The fight against cybercrime - Cooperation between CERTs and law enforcement agencies in the fight against cybercrime (PDF file linked from page)
ENISA: New report on the fight against cybercrime launched
An open letter by the National Association of Attorneys General.
From the letter:
"Google's new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products. Consumers have diverse interests and concerns, and may want the information in their Web History to be kept separate from the information they exchange via Gmail. Likewise, consumers may be comfortable with Google knowing their Search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy. It rings hollow to call their ability to exit the Google products ecosystem a 'choice' in an Internet economy where the clear majority of all Internet users use – and frequently rely on – at least one Google product on a regular basis."
National Association of Attorneys General: [Letter to Google, Inc.] (PDF)
Kim Cameron: Attorneys General swarm Google
A publication by the White House.
From the Foreword:
"The consumer data privacy framework in the United States is, in fact, strong. This framework rests on fundamental privacy values, flexible and adaptable common law protections and consumer protection statutes, Federal Trade Commission (FTC) enforcement, and policy development that involves a broad array of stakeholders. This framework has encouraged not only social and economic innovations based on the Internet but also vibrant discussions of how to protect privacy in a networked society involving civil society, industry, academia, and the government. The current framework, however, lacks two elements: a clear statement of basic privacy principles that apply to the commercial world, and a sustained commitment of all stakeholders to address consumer data privacy issues as they arise from advances in technologies and business models."
The White House: Consumer data privacy in a networked world - A framework for protecting privacy and promoting innovation in the global digital economy (PDF)
Data Privacy Monitor: White House releases online "privacy bill of rights"
Future of Privacy: White House announces new privacy framework including consumer privacy bill of rights
HL: White House announces new privacy framework including consumer privacy bill of rights
Inside Privacy: White House releases "Consumer privacy bill of rights"
TLF: White House ignores real bill of rights in call for privacy regulation of internet businesses
TLF: Some thoughts on the Obama admin's privacy plan
A judgement by the European Court of Human Rights.
Paragraphs 42-43:
"42. The Court does not consider it necessary to delve into the question, debated between the parties, whether the applicant took sufficient action in respect of the false registrations of vehicles in his name. It observes that on 3 November 1995 the applicant reported his driving license stolen. It considers that from that day onward the domestic authorities were no longer entitled to be unaware that whoever might have the applicant's driving license in his or her possession was someone other than the applicant.
43. Yet the applicant's driving license was invalidated only on 14 March 1997, when the applicant obtained a replacement. After that date, apparently, no further vehicles were unlawfully registered in the applicant's name. Plainly, therefore, swift administrative action to deprive a driving license of its usefulness as an identity document was possible and practicable. The Government have not satisfied the Court that such action could not have been taken immediately after the applicant reported that he had lost possession and control of the document."
European Court of Human Rights: Case of Romet v. the Netherlands
Publiekrecht en politiek: ECtHR stands up for welfare recipient with 1737 cars
A report by the FTC.
From the Overview:
"While staff encountered a diverse pool of apps for kids created by hundreds of different developers, staff found little, if any, information in the app marketplaces about the data collection and sharing practices of these apps. Staff found almost no relevant language regarding app data collection or sharing on the Apple app promotion pages, and minimal information (beyond the general 'permission' statements required on the Android operating system) on just three of the Android promotion pages. In most instances, staff was unable to determine from the promotion pages whether the apps collected any data at all, let alone the type of data collected, the purpose of the collection, and who collected or obtained access to the data."
FTC: Mobile apps for kids - current privacy disclosures are disappointing (PDF)
Data Protector: Children's privacy – being disappointed with the FTC
HL: FTC criticizes privacy disclosures for children's apps
MediaPost: FTC – Apps for kids fall short on privacy
Privacy & Security Source: FTC disappointed with privacy on kids' mobile apps
TLF: The FTC, mobile apps, kids' privacy, prices and competition
Security.nl: Privacy watchdog sounds the alarm over children's apps
Recommendations of NIST.
From the Executive Summary:
"Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. Continually monitoring threats through intrusion detection and prevention systems (IDPSs) and other mechanisms is essential. Establishing clear procedures for prioritizing the handling of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data. It is also vital to build relationships and establish suitable means of communication with other internal groups (e.g., human resources, legal) and with external groups (e.g., other incident response teams, law enforcement). This publication seeks to help both established and newly formed incident response teams."
NIST: Computer security incident handling guide (draft) (PDF)
Privacy & Security Source: NIST issues draft computer security breach incident handling guide
A guide by the Carnegie Mellon Software Engineering Institute.
From 'Are insiders really a threat?':
"The threat of attack from insiders is real and substantial. The 2007 E-Crime Watch Survey […] found that in cases where respondents could identify the perpetrator of an electronic crime, 31% were committed by insiders. In addition, 49% of respondents experienced at least one malicious, deliberate insider incident in the previous year. The impact from insider attacks can be devastating. One employee working for a manufacturer stole blueprints containing trade secrets worth $100 million, and sold them to a Taiwanese competitor in hopes of obtaining a new job with them."
Carnegie Mellon Software Engineering Institute: Common sense guide to prevention and detection of insider threats (PDF)
Carnegie Mellon Software Engineering Institute: The CERT insider threat center
The Smart Grid Security Blog: Hayden goes inside on grid security for internal threats