Rina Steenkamp - Privacy and technology
[A global reality - governmental access to data in the cloud | Governance of enterprise security - CyLab 2012 report | Accepting mobile payments with a smartphone or tablet | A contextual approach to privacy online | 2011 Data breach notifications report | Knowing more about privacy makes users share less with Facebook and Google | National cyber security strategies - Setting the course for national efforts to strengthen security in cyberspace | Email privacy tester | Privacy simplified | Internet security threat report, 2011 trends, volume 17 | SSL pulse - Survey of the SSL implementation of the most popular web sites | Mobile payments - consumer benefits and new privacy concerns | The future of money - smartphone swiping in the mobile age | Twenty-third annual report of the Data Protection Commissioner 2011]
A whitepaper by Winston Maxwell and Christopher Wolf.
From the introduction:
"This White Paper examines the extent to which access to data in the Cloud by governments in various jurisdictions is possible, regardless of where a Cloud provider is located. 'Governmental access,' as that term is used here, includes access by all types of law enforcement authorities and other governmental agencies, recognizing that the rules may be different for law enforcement and national security access. Governments need some degree of access to data for criminal (including cybercrime) investigations and for purposes of national security. But privacy and confidentiality also are important issues. This paper does not enter into the ongoing debate about the potential for excessive government access to data and insufficient procedural protections. Rather, this White Paper undertakes to compare the nature and extent of governmental access to data in the Cloud in many jurisdictions around the world."
Winston Maxwell and Christopher Wolf: A global reality - governmental access to data in the cloud (PDF)
HL: Hogan Lovells white paper on governmental access to data in the cloud debunks faulty assumption that US access is unique
A report by Jody R. Westby.
From the executive summary:
"[...] the survey revealed that boards are not actively addressing cyber risk management. While placing high importance on risk management generally, there is still a gap in understanding the linkage between information technology (IT) risks and enterprise risk management. Although there have been some measurable improvements [...] boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks. Involvement in these areas would help them manage reputational and financial risks associated with the theft of confidential and proprietary data and security breaches of personal information."
Jody R. Westby: Governance of enterprise security - CyLab 2012 report (PDF)
Computable: 'Top managers do not see the risks of ICT'
A publication by the PCI Security Standards Council.
From the introductory text:
"This At a Glance provides an example of a [Point-to-Point-Encryption (P2PE)] solution that leverages a mobile device's display and communication functions to secure mobile payments. Central to the example is the use of an approved hardware accessory in conjunction with a validated P2PE solution. Combining a validated P2PE solution with mobile devices such as phones or tablets helps to maintain data security throughout the payment lifecycle."
PCI Security Standards Council: Accepting mobile payments with a smartphone or tablet (PDF)
Inside Privacy: PCI Council issues guidance for mobile payment acceptance
A paper by Helen Nissenbaum.
Abstract:
"Recent media revelations have demonstrated the extent of third-party tracking and monitoring online, much of it spurred by data aggregation, profiling, and selective targeting. How to protect privacy online is a frequent question in public discourse and has reignited the interest of government actors. In the United States, notice-and-consent remains the fallback approach in online privacy policies, despite its weaknesses. This essay presents an alternative approach, rooted in the theory of contextual integrity. Proposals to improve and fortify notice-and-consent, such as clearer privacy policies and fairer information practices, will not overcome a fundamental flaw in the model, namely, its assumption that individuals can understand all facts relevant to true choice at the moment of pair-wise contracting between individuals and data gatherers. Instead, we must articulate a backdrop of context-specific substantive norms that constrain what information websites can collect, with whom they can share it, and under what conditions it can be shared. In developing this approach, the paper warns that the current bias in conceiving of the Net as a predominantly commercial enterprise seriously limits the privacy agenda."
Helen Nissenbaum: A contextual approach to privacy online (PDF)
The Atlantic: The philosopher whose fingerprints are all over the FTC's new approach to privacy
A report by the [Massachusetts] Office of Consumer Affairs and Business Regulation.
From 'Trends and patterns':
"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 percent or 1,490,308 people. If all portable devices were encrypted from March 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people. It is clear that encryption of personal information on portable devices is still evolving and that more emphasis needs to be placed on accomplishing compliance with this feature of the law. It is also clear that compliance with the encryption requirement is a powerful tool to safeguard the personal information of millions of residents."
[Massachusetts] Office of Consumer Affairs and Business Regulation: 2011 Data breach notifications report (PDF)
[Massachusetts] Office of Consumer Affairs and Business Regulation: Encryption a key component of information security
Privacy Lives: Massachusetts Consumer Affairs Office - Encryption a key component of information security
A consumer research survey by Siegel+Gale.
From 'What we found':
"After reading the policies and answering comprehension questions, 36% of Facebook users and 37% of Google users surveyed will change their behavior. Of the options presented in the survey, most Facebook users plan to change their privacy settings and be more careful posting information in the future. Google users indicated they’d take a number of actions, including changing privacy settings and clearing search history. Fifty percent will use Google less, while only 35% will use Facebook less. Google users may be more apt to reduce their use, since there are viable alternatives to many Google services (e.g., Bing, Worio and MapQuest). Facebook users don’t have the same luxury. Today, no alternative social network of similar scale exists."
Siegel+Gale: Knowing more about privacy makes users share less with Facebook and Google (PDF)
Siegel+Gale: A SimplicityLab Consumer Research Survey - Knowing more about privacy makes users share less with Facebook and Google
AG: Users understand nothing of Google's and Facebook's privacy rules
A report by ENISA.
From the introduction:
"Cyber security is increasingly regarded as a horizontal and strategic national issue affecting all levels of society. A national cyber security strategy (NCSS) is a tool to improve the security and resilience of national infrastructures and services. It is a high-level, top-down approach to cyber security that establishes a range of national objectives and priorities that should be achieved in a specific timeframe. As such it provides a strategic framework for a nation’s approach to cyber security. To assist the EU Member States in the important task of developing and maintaining a successful national cyber security strategy, ENISA is developing a Good Practice Guide. The guide will present good practices and recommendations on how to develop, implement and maintain a cyber security strategy. This paper presents some of the preliminary findings from the project that is developing the guide. It includes a short analysis of the current status of cyber security strategies within the European Union (EU) and elsewhere; it identifies common themes and differences, and concludes with a series of observations and recommendations."
ENISA: National cyber security strategies - Setting the course for national efforts to strengthen security in cyberspace (PDF linked from page)
ENISA: New paper on cyber security strategies
A tool by Mike Cardwell.
From the 'about' page:
"Some email clients perform operations when reading an email which give away information about the reader, to the sender of the message. If you enter your email address [...], this application will send you a specially crafted email which uses a variety of techniques, to attempt to send information back to this server when read. It will then display the results for you. [...] If merely reading the message without selecting to load remote images triggers any of the tests, then either your email client has a 'privacy bug,' or it is not configured for optimal privacy."
Mike Cardwell: Email privacy tester
Mike Cardwell: New version of the email privacy tester
Security.nl: Email privacy tester tests the security of e-mail clients
A project by Paulina Haduong, Anthony Tordillos and Machiste Quintana (Yale University).
From 'Our mission':
"Not everyone can read legalese. Websites ought to have clearer, more transparent, and simpler privacy policies. One important step in this direction is a simple way of summarizing a privacy policy’s features, to make it easy to see how a website will use and protect user data. Inspired by Creative Commons and the Mozilla Privacy Icon Project, we have designed a set of icons, as well as simple descriptions, to describe common features of privacy policies. Additionally, we have built a generator to make it easy for websites to add these icons to their own sites. To further encourage awareness, we have reviewed several popular websites’ privacy policies, so that users can see for themselves how they fare."
Paulina Haduong, Anthony Tordillos and Machiste Quintana (Yale University): Privacy simplified
MozillaWiki: Privacy icons
WebWereld: Icons make privacy terms clear
A report by Symantec.
From the executive summary:
"Symantec blocked more than 5.5 billion malicious attacks in 2011; an increase of more than 81% from the previous year. This increase was in large part a result of a surge in polymorphic malware attacks, particularly from those found in Web attack kits and socially engineered attacks using email-borne malware. Targeted attacks exploiting zero-day vulnerabilities were potentially the most insidious of these attacks. With a targeted attack, it is almost impossible to know when you are being targeted, as by their very nature they are designed to slip under the radar and evade detection. Unlike these chronic problems, targeted attacks, politically-motivated hacktivist attacks, data breaches and attacks on Certificate Authorities made the headlines in 2011."
Symantec: Internet security threat report, 2011 trends, volume 17 (PDF linked from page)
AG: Strong growth in the number of attacks on the internet
Security.nl: Symantec launches seal of approval for secure websites
Security.nl: Weblogs more dangerous than porn sites
A project by the Trustworthy Internet Movement.
From the page:
"SSL Pulse is a continuous and global dashboard for monitoring the quality of SSL support across the top one million web sites. SSL Pulse is powered by the assessment technology of SSL Labs, which is focused on auditing the SSL ecosystem, raising awareness, and providing tools and documentation to web site owners so they can improve their SSL implementations."
Trustworthy Internet Movement: SSL pulse - Survey of the SSL implementation of the most popular web sites
BBC News: Insecure websites to be named and shamed after checks
Ms. Smith: Sick SSL ecosystem - 90% of HTTPS sites insecure, 75% vulnerable to BEAST attack
A paper by Chris Jay Hoofnagle, Jennifer M. Urban and Su Li.
From the abstract:
"Payment systems that allow people to pay using their mobile phones are promised to reduce transaction fees, increase convenience, and enhance payment security. New mobile payment systems also are likely to make it easier for businesses to identify consumers, to collect more information about consumers, and to share more information about consumers' purchases among more businesses. While many studies have reported security concerns as a barrier to adoption of mobile payment technologies, the privacy implications of these technologies have been under examined. To better understand Americans' attitudes towards privacy in new transaction systems, we commissioned a nationwide, telephonic (wireline and wireless) survey of 1,200 households, focusing upon the ways that mobile payment systems are likely to share information about consumers' purchases."
Chris Jay Hoofnagle, Jennifer M. Urban and Su Li: Mobile payments - consumer benefits and new privacy concerns (SSRN)
Privacy Lives: Berkeley report - mobile payments - consumer benefits & new privacy concerns
Research by Pew Internet.
From the overview:
"[...] The Pew Internet Project and Elon University’s Imagining the Internet Center invited experts and other Internet stakeholders to offer their predictions on the future of mobile payments, and what people’s “wallets” might look like in 2020. Overall, a majority of these respondents supported the scenario that by 2020 most people will have embraced and fully adopted the use of smart-device swiping for purchases they make, nearly eliminating the need for cash or credit cards. These experts feel that the explosive growth in the use of smartphones and other mobile devices, combined with the convenience, security, and other affordances of mobile payments systems, makes these systems an obvious choice to replace established modes of payment in day-to-day commerce."
Pew Internet: The future of money - smartphone swiping in the mobile age (PDF)
Pew Internet: The future of money in a mobile age
Security.nl: "End of debit cards and cash in 2020"
A report by the [Irish] Data Protection Commissioner.
From 'Data breach notifications':
"During 2011 my Office received 1167 data security breach notifications from 186 different organisations. This is a 300% increase in the numbers reported on in 2010 when we received 410 notifications. In 2009, before the introduction of the Code of Practice, the number of breach reports received by my Office was 119. As I stated in my Annual Report in 2010, I do not see this as an actual increase in the number of breaches occurring, rather a raised awareness of the need to notify my Office of a data security breach. [...] 75% of reported breaches related to errors in postal mailing [...]. In most cases, the breaches involved either multiple letters in the same envelope or a page relating to another individual incorrectly attached to a letter. These data security breaches are usually explained by human error. This shows that a large number of data security breaches could be prevented by simply taking a moment to examine documents prior to posting."
[Irish] Data Protection Commissioner: Twenty-third annual report of the Data Protection Commissioner 2011 (PDF)
Privacy Lives: Irish Data Protection Commissioner received record number of complaints in 2011