Rina Steenkamp - Privacy and technology
[Outdoing Huxley - forging a high level of data protection for Europe in the brave new digital world | Measuring and predicting anonymity | Digital freedoms in international law - practical steps to protect human rights online | Measuring the cost of cybercrime | Working document [...] with the elements and principles to be found in Processor Binding Corporate Rules | Internet security without law - how service providers create order online | Downtime statistics of current cloud solutions | [O]n the Commission Recommendation on preparations for the roll-out of smart metering systems | Smart metering implementation programme - [...] security risk assessments and audits | From real-time intercepts to stored records - why encryption drives the government to seek access to the cloud | Icebergs in the clouds - the other risks of cloud computing | Opinion 4/2012 on cookie consent exemption | 2012 Trust, security and passwords survey | A view of traffic management and other practices resulting in restrictions to the open Internet in Europe | Proposal for a regulation [...] on electronic identification and trust services for electronic transactions in the internal market | Draft Anonymisation code of practice | Gagged, sealed and delivered - reforming ECPA's secret docket | When the government comes knocking, who has your back? | Cookies under control | Guidance on the rules of cookies and similar technologies | Breakthrough silicon scanning discovers backdoor in military chip (DRAFT of 05 March 2012) | McAfee threats report - First quarter 2012 | The impact of cybercrime on business | 2012 Disaster preparedness survey - global findings | A dual consent approach for x-payments]
A speech by Viviane Reding.
From the speech:
"Our current data protection rules already contain solid data protection principles. But they were drawn up in 1990 and adopted in 1995, when only 1% of the EU population was using the Internet. In 1995 a 28.8 Kilobytes per second modem cost more than 500 euros, Amazon and eBay were still being launched and the founder of Facebook was only 11 years old! It would still be 3 years before the arrival of Google and other household names. [...] Today, I would like to contribute to your debate by explaining why I think Europe needs to guarantee a high standard of data protection. For the citizens of Europe, of course. But also for citizens beyond Europe's borders. A high level of data protection will turn the European Union into an international standard setter that will improve internet governance worldwide. The digital Single Market will also benefit. Only a high level of data protection will generate trust between citizens and private enterprises. However, we must be very careful how we develop these rules. We must act with the right firmness of touch, tailoring the rules we introduce to the needs of Europe in the 21st century. We cannot introduce rules that place an excessive burden on business. Nor should our concern with privacy blind us to the need to respect other rights."
Viviane Reding: Outdoing Huxley - forging a high level of data protection for Europe in the brave new digital world (PDF)
Kim Cameron's IdentityBlog: Viviane Reding's speech to the Digital Enlightenment Forum
PhD thesis by Matthijs R. Koot.
From the Introduction:
"Motivated by the desire to establish a better understanding of privacy, and thereby take away some of the fear, uncertainty and doubt surrounding privacy problems, the objective of this thesis is to study techniques for measuring and predicting privacy. Ideally, we want to develop mathematical tools useful for privacy risk assessment at both the personal level and the population level."
Matthijs R. Koot: Measuring and predicting anonymity (PDF)
Matthijs R. Koot's notebook
Computable: 'Anonieme gegevens verraden identiteit nog steeds'
A report by Ian Brown and Douwe Korff.
Executive summary:
"With around 2.3 billion users, the Internet has become part of the daily lives of a significant percentage of the global population, including for political debate and activism. While states are responsible for protecting human rights online under international law, companies responsible for Internet infrastructure, products and services can play an important supporting role. Companies also have a legal and corporate social responsibility to support legitimate law enforcement agency actions to reduce online criminal activity such as fraud, child exploitation and terrorism. They sometimes face ethical and moral dilemmas when such actions may facilitate violations of human rights. In this report we suggest practical measures that governments, corporations and other stakeholders can take to protect freedom of expression, privacy, and related rights in globally networked digital technologies. These are built on a detailed analysis of international law, three workshops in London, Washington DC and Delhi, and extensive interviews with government, civil society and corporate actors."
Ian Brown and Douwe Korff: Digital freedoms in international law - practical steps to protect human rights online (PDF)
Global Networking Initiative: New report outlines recommendations for governments, companies and others on how to protect free expression and privacy rights online
B2fxxx: GNI digital freedoms report
A paper by Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore and Stefan Savage.
From the Abstract:
"In this paper we present what we believe to be the first systematic study of the costs of cybercrime. It was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now 'cyber' because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly."
Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore and Stefan Savage: Measuring the cost of cybercrime (PDF)
Light Blue Touchpaper: Debunking cybercrime myths
A document by the Article 29 Data Protection Working Party.
From the Introduction:
"The Article 29 Working Party already developed some tools to facilitate the use of Binding Corporate Rules (BCR) for Controllers ('BCR for your own data'), intended to regulate the transfers of personal data that are originally processed by the company as Controller (such as data relating to its customers, its employees, etc.). In this paper, the Article 29 Working Party intends to develop a toolbox, describing the conditions to be met, to facilitate the use of Binding Corporate Rules (BCR) for Processors ('BCR for third party data'). BCR for Processors aim to frame international transfers of personal data that are originally processed by the company as Data Processor according to the external instructions of a Data Controller (such as outsourcing activities)."
Article 29 Data Protection Working Party: Working document [...] with the elements and principles to be found in Processor Binding Corporate Rules (PDF)
InsidePrivacy: Article 29 Working Party publishes guidance on Binding Corporate Rules for processors
Out-law.com: Processors liable for some sub-processor data rule breaches, say watchdogs
PrivacyLives: European data protection authorities adopt document on Binding Corporate Rules for processors
A working paper by Eli Dourado.
From the Abstract:
"In this paper, I document the informal institutions that enforce network security norms on the Internet. I discuss the enforcement mechanisms and monitoring tools that ISPs have at their disposal, as well as the fact that ISPs have borne significant costs to reduce malware, despite their lack of formal legal liability. I argue that these informal institutions perform much better than a regime of formal indirect liability. The paper concludes by discussing how the fact that legal polycentricity is more widespread than is often recognized should affect law and economics scholarship."
Eli Dourado: Internet security without law - how service providers create order online (PDF)
Mercatus: Internet security without law - how service providers create online order
TLF: Internet security without law
A paper by Maurice Gagnaire, Felipe Diaz, Camille Coti, Christophe Cérin, Kazuhiko Shiozaki, Yingjie Xu, Pierre Delort, Jean-Paul Smets, Jonathan Le Lous, Stephen Lubiarz and Pierrick Leclerc.
The Introduction to the paper:
"In recent years, cloud computing has received considerable attention from global businesses and government agencies in economies. Regarding the potential and impact of cloud computing in the world, providing reliable services to meet the requirements of mission critical systems becomes more and more important. Meanwhile, the lack of reliability of cloud services is not commonly known by industry. In order to monitor and analyze cloud computing resiliency, IWGCR presents its first short report aggregates information from press releases and provides a brief summary of availability of major cloud providers."
Maurice Gagnaire, Felipe Diaz, Camille Coti, Christophe Cérin, Kazuhiko Shiozaki, Yingjie Xu, Pierre Delort, Jean-Paul Smets, Jonathan Le Lous, Stephen Lubiarz and Pierrick Leclerc: Downtime statistics of current cloud solutions (PDF)
AG: Clouddiensten te vaak uit de lucht voor kritische applicaties
An opinion by the European Data Protection Supervisor.
From 2.2 Data protection concerns:
"The Europe-wide rollout of 'smart metering systems' enables massive collection of personal information from European households, thus far unprecedented in the energy sector. The potential intrusiveness of collection is increased by the fact that data are collected, which may infer information about domestic activities: data may track what members of a household do within the privacy of their own homes. [...] unless adequate safeguards are established to ensure that only authorized third parties may access and process data for clearly specified purposes and in compliance with applicable data protection law, deployment of smart metering may lead to tracking the everyday lives of people in their own homes and building detailed profiles of all individuals based on their domestic activities. With the sheer amount of information that is being amassed by these smart meters, ubiquitous availability of data from other sources, and advances in data mining technology, the potential for extensive data mining is very significant. Patterns can be tracked at the level of individual households but also for many households, taken together, aggregated, and sorted by area, demographics, and so on. Profiles can thus be developed, and then applied back to individual households and individual members of those households."
European Data Protection Supervisor: [O]n the Commission Recommendation on preparations for the roll-out of smart metering systems (PDF)
Security.nl: EU-privacywaakhond vreest gevolgen slimme meters
A consultation document by the [UK] Department of Energy and Climate Change.
From the Summary:
"In April 2012, the Government explained that it was minded to place a specific obligation on suppliers in relation to the security of their end-to-end smart metering systems, through a new licence condition. [...] This condition would require suppliers to be responsible for the end-to-end security of their smart metering systems. In fulfilling this obligation, the Government stated that suppliers might also be required to conduct a risk assessment of their end-to-end systems and to have an annual security risk audit conducted by suitably qualified, independent, external specialists."
[UK] Department of Energy and Climate Change: Smart metering implementation programme - [...] security risk assessments and audits (PDF)
Out-law.com: DECC proposes building data security requirements into smart metering licence conditions
A paper by Peter P. Swire.
From the Abstract:
"This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. [...] Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud."
Peter P. Swire: From real-time intercepts to stored records - why encryption drives the government to seek access to the cloud (SSRN)
Schneier on Security: Changing surveillance techniques for changed communications technologies
A paper by Bryan Ford.
Abstract:
"Cloud computing is appealing from management and efficiency perspectives, but brings risks both known and unknown. Well-known and hotly-debated information security risks, due to software vulnerabilities, insider attacks, and side-channels for example, may be only the 'tip of the iceberg.' As diverse, independently developed cloud services share ever more fluidly and aggressively multiplexed hardware resource pools, unpredictable interactions between load-balancing and other reactive mechanisms could lead to dynamic instabilities or 'meltdowns.' Non-transparent layering structures, where alternative cloud services may appear independent but share deep, hidden resource dependencies, may create unexpected and potentially catastrophic failure correlations, reminiscent of financial industry crashes. Finally, cloud computing exacerbates already-difficult digital preservation challenges, because only the provider of a cloud-based application or service can archive a 'live,' functional copy of a cloud artifact and its data for long-term cultural preservation. This paper explores these largely unrecognized risks, making the case that we should study them before our socioeconomic fabric becomes inextricably dependent on a convenient but potentially unstable computing model."
Bryan Ford: Icebergs in the clouds - the other risks of cloud computing (PDF)
WebWereld: 'Cloudcrash dreigt door onderlinge afhankelijkheid'
An opinion by the Article 29 Data Protection Working Party.
From 1 Introduction:
"Article 5.3 of Directive 2009/136/EC, amending Directive 2002/58/EC has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user's (or subscriber's) terminal device. [...] Article 5.3 allows cookies to be exempted from the requirement of informed consent, if they satisfy one of the following criteria:
CRITERION A: the cookie is used 'for the sole purpose of carrying out the transmission of a communication over an electronic communications network'.
CRITERION B: the cookie is 'strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.'
While the requirements for informed consent were already examined in detail by the Working Party in two Opinions, this document is designed to analyze the exemptions to this principle, in the context of cookies and related technologies."
Article 29 Data Protection Working Party: Opinion 4/2012 on cookie consent exemption (PDF)
FPF: Cookie consent exemption - Article 29 WP opinion
A survey by Cyber-Ark.
From the Executive Summary:
"Cyber-Ark's 2012 Trust, Security & Passwords survey is the sixth in a series of annual surveys focused on identifying key security trends amongst IT workers. The survey assesses the extent to which privileged accounts and passwords are being protected in organizations today, and also provides insight into the core threats that exist and the measures being taken to defend systems. The survey report is the result of interviews with 820 IT managers and C-level professionals across North America and EMEA, primarily from enterprise companies."
Cyber-Ark: 2012 Trust, security and passwords survey (PDF)
Security.nl: Helft IT-managers steelt bedrijfsgegevens bij ontslag
Findings from BEREC's and the European Commission's joint investigation, by BEREC.
From '1.2 An investigation with a large scope':
"The objective of this wide-ranging European-level inquiry, jointly undertaken by BEREC and the Commission, is to get a view of traffic management and potential restrictions to access, content or applications, in particular to gain some insights into their variety and relative importance. Indeed, they are done for a variety of purposes, and at the same time take different forms, e.g. remain purely contractual or are technically enforced. [...] This 'results snapshot' will attempt to represent this variety, for instance by summarising the results on 'differentiation practices' (i.e. deviations from the 'best effort' approach), which are the most relevant with respect to the net neutrality debate."
BEREC: A view of traffic management and other practices resulting in restrictions to the open Internet in Europe (PDF)
Out-law.com: European Commission to propose net neutrality measures
La Quadrature du Net: EU telecom regulators' wake up call on net neutrality
A draft by the European Commission.
From the press release:
"The European Commission has proposed new rules to enable cross-border and secure electronic transactions in Europe. The proposed Regulation will ensure people and businesses can use their own national electronic identification schemes (e-IDs) to access public services in other EU countries where e-IDs are available. It also creates an internal market for e-Signatures and related online trust services across borders, by ensuring these services will work across borders and have the same legal status as traditional paper based processes."
European Commission: Proposal for a regulation [...] on electronic identification and trust services for electronic transactions in the internal market (PDF linked on this page)
Europa Press Releases: Digital Agenda - new Regulation to enable cross-border electronic signatures and to get more value out of electronic identification in Digital Single Market
Europa Press Releases: Electronic identification, signatures and trust services - Questions & Answers
Out-law.com: Government would be liable for faults with individuals' data under new cross-border electronic identification proposals
WebWereld: Europa verscherpt toezicht op digitale ID's
A document by the UK ICO.
From 1. About this code:
"This code explains the implications of anonymising personal data, and of disclosing data which has been anonymised, in terms of the requirements of the Data Protection Act 1998 (DPA). It provides good practice advice that will be relevant to all organisations that need to convert personal data into a form in which the individuals to whom it relates are no longer identifiable – anonymised data. It also contains a number of examples that illustrate some of the techniques that can be used to anonymise personal data."
ICO: Draft Anonymisation code of practice (PDF)
FPF: UK ICO releases draft anonymisation code of practice
A paper by Stephen W. Smith.
From the Abstract:
"Federal magistrate judges preside over the most secret docket in America. Exact figures are not known, but available data indicates that these judges issued over 30,000 electronic surveillance orders in 2006, more than the entire output of the FISA court over its entire history. These electronic surveillance orders, authorized by the Electronic Communications Privacy Act of 1986 (ECPA), grant law enforcement access to the electronic lives of our citizens -- who we call, where we go, when we text, what websites we visit, what emails we send. Unlike most court orders, electronic surveillance orders are permanently hidden from public view by various ECPA provisions, including sealed court files, gag orders, and delayed-notice. It's as though these orders were written in invisible ink -- legible to the phone companies and electronic service providers who execute them, yet imperceptible to targeted individuals, the general public, and even other arms of government, including Congress and appellate courts."
Stephen W. Smith: Gagged, sealed and delivered - reforming ECPA's secret docket (SSRN)
Wired Threat Level: 30,000 secret surveillance orders approved each year, judge estimates
An evaluation by EFF.
From the Executive Summary:
"When you use the Internet, you entrust your online conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what happens when the government demands that these companies hand over your private information? Will the company stand with you? Will it tell you that the government is looking for your data so that you can take steps to protect yourself? The Electronic Frontier Foundation examined the policies of 18 major Internet companies — including email providers, ISPs, cloud storage providers, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data."
EFF: When the government comes knocking, who has your back?
EFF: When the government comes knocking, who has your back? (press release)
Ars Technica: EFF asks which tech companies "have your back"
WebWereld: 'Apple en Microsoft beschermen privacy het minst'
A white paper by SOLV.
From 'Dutch Data Protection Act':
"However, the adopted Dutch Bill goes considerably further and introduces an additional legal regime for the use of cookies. Any cookie used to collect, combine or analyze information of the user with regard to his online surfing behaviour, is presumed to involve personal data. As a consequence, the Dutch Data Protection Act is applicable to many different cookies, entailing an even stricter legal regime to the use of cookies. This part of the legislation will enter into force in January 2013."
SOLV: Cookies under control (PDF)
WebWereld: Nederland overvallen door 'snelle' invoer cookiewet
SOLV: Nieuwe cookiewet vandaag in werking - do's en don'ts in white paper
Guidelines by the UK ICO.
From the introduction:
"The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) cover the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment such as their computer or mobile. [...] This guidance will explain how the rules apply for those operating websites and using cookies."
ICO: Guidance on the rules of cookies and similar technologies (PDF)
ICO: New EU cookie law (e-Privacy Directive)
Data Privacy Monitor: UK Privacy Office commences enforcement of cookie rules
HL: Amended UK cookie regulation grace period expires; implied consent can be valid
InsidePrivacy: UK ICO publishes further cookie guidance accepting implied consent
ZDNet: UK 'cookie law' takes effect - what you need to know
A paper by Sergei Skorobogatov and Christopher Woods.
From the abstract:
"The backdoor was found to exist on the silicon itself, it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), a technique pioneered by our sponsor, we were able to extract the secret key to activate the backdoor. This way an attacker can disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact it can be easily compromised or it will have to be physically replaced after a redesign of the silicon itself."
Sergei Skorobogatov and Christopher Woods: Breakthrough silicon scanning discovers backdoor in military chip (DRAFT of 05 March 2012) (PDF)
The Guardian: Cyber-attack concerns raised over Boeing 787 chip's 'back door'
Schneier on Security: Backdoor found (maybe) in Chinese-made military silicon chips
A report by McAfee Labs.
From the introduction:
"Although we observed declines in the numbers of many areas of malware and threats at the end of 2011, this quarter is almost its polar opposite. PC malware had its busiest quarter in recent history, and mobile malware also increased at a huge rate. We saw growth in established rootkits as well as the emergence of several new families. Many of the familiar malware we analyze and combat rebounded this quarter, but none more so than password-stealing Trojans. In this edition of the Threats Report we introduce our tracking of new threats such as the ZeroAccess rootkit and signed malware. We also have prepared our most detailed breakout to date of network attacks."
McAfee Labs: McAfee threats report - First quarter 2012 (PDF)
Computable: Nederland heeft meeste kwaadaardige websites
A report by Ponemon Institute LLC.
From the Executive Summary:
"The purpose of the study is to better understand the likelihood, frequency and magnitude targeted threats have on organizations across all company sizes and industries, and to understand how IT practitioners are addressing the risk for future remediation and precautions. In this study we surveyed 2,618 highly experienced business leaders and IT security practitioners located in the United States, United Kingdom, Germany, Hong Kong and Brazil. Respondents were asked to focus on five of the most prevalent types of attacks: botnets, Advanced Persistent Threats (APTs), denial of service (DoS) attacks, viruses, worms and trojans and social engineering attacks to evaluate what impact they have on businesses, including their level of risk, motivations, types of information compromised and cost."
Ponemon Institute LLC: The impact of cybercrime on business (PDF)
AG: Cyberaanval zelden ideëel gemotiveerd
A report by Symantec.
From 'Symantec recommendations':
"Given that many SMBs are facing extreme competitive pressures and have limited day-to-day resources, creating a disaster preparedness plan might not be at the top of the priority list. But it should be. Events over the past year or so have shown the kind of impact natural disasters can have on business continuity."
Symantec: 2012 Disaster preparedness survey - global findings (PDF)
View from the Bunker: Preparing for the unexpected
A paper by Ron J. Berndsen and Daaf van Oudheusden.
Abstract:
"In this paper we develop an approach for x-payments. An x-payment is a payment between a remote debtor and creditor established by using any channel (hence the x) to move funds between the debtor account and the creditor account. We address two related issues: one on the debtor side and the other on the creditor side. Firstly, the issue of access to bank accounts of debtors where the problem is who may have access to such accounts and under which conditions. Secondly, the issue of time-critical payment guarantees to creditors (merchants) which is the area where nowadays most of the innovations in retail payments take place. The dual consent approach reconciles both issues by allowing various degrees of access to bank accounts by third parties and a varying quality of the payment guarantee to the merchant based on the degree of assurance from the debtor’s bank for an appropriate fee. It is proposed in this paper to use the dual consent approach to regulate the class of x-payments in the retail payment sphere."
Ron J. Berndsen and Daaf van Oudheusden: A dual consent approach for x-payments (PDF)
DNBulletin: Pleidooi voor veiliger betalen op internet
Security.nl: DNB pleit voor veiliger betalen op internet