Rina Steenkamp - Privacy and technology
[Annual incident reports 2011 - Analysis of the Article 13a reports of 2011 | Consumerization of IT - top risks and opportunities | Report on the data protection guidance we gave schools in 2012 | Microsoft security intelligence report | 2012 Norton cybercrime report | Deanonymizing mobility traces - using social networks as a side-channel | Opinion 08/2012 providing further input on the data protection reform discussions | Why the right to data portability likely reduces consumer welfare - antitrust and privacy critique | Privacy and progress in whole genome sequencing | Mobile device location data - Additional federal actions could help protect consumer privacy | Before we knew it - An empirical study of zero-day attacks in the real world | Towards a trusted and sustainable European federated eID system | Internet as data source - Feasibility study on statistical methods on internet as a source of data gathering | IBM X-Force 2012 mid-year trend and risk report | PlaceRaider - Virtual theft in physical spaces with smartphones | Unleashing the potential of cloud computing in Europe | Guidance on the use of cloud computing | The right to be forgotten across the pond | The state of risk-based security management]
A report by ENISA.
From the Executive Summary:
"For the first time in the EU, in spring 2012 national reports about security incidents were reported to ENISA and the European commission, under Article 13a of the Framework Directive (2009/140/EC) which is a new article in the EU legal framework for electronic communications. In this document we analyse the 51 incident reports of severe outages of electronic communication networks or services."
ENISA: Annual incident reports 2011 - Analysis of the Article 13a reports of 2011 (PDF linked from this page)
WebWereld: Storms more often the cause of network outages than hackers ('Storm vaker oorzaak netwerkuitval dan hacker') (2012/10/11)
Security.nl: Most EU cyber incidents caused by faulty hardware ('Meeste cyber-incidenten EU door defecte hardware') (2012/10/12)
A report by ENISA.
From '1. Executive Summary':
"This report [...] delivers the results of a risk and opportunity assessment in the area of 'Consumerization of IT' (COIT), that is, the recent trend where user-owned consumer oriented hard- and software spreads in business environments (see also definition in section Terminology below). COIT is considered as a term embracing the recent trend known as Bring-Your-Own-Device (BYOD)."
ENISA: Consumerization of IT - top risks and opportunities (PDF linked from this page)
ENISA: Workplace IT - ENISA sees opportunities and risks in "bring your own device" trend (2012/10/08)
Security.nl: Europe sees risks in Bring Your Own Device ('Europa ziet risico's Bring Your Own Device') (2012/10/14)
A report by the ICO.
From '1. Background':
"During the first six months of 2012, the ICO helped schools in several local authority areas to comply with data protection rules by providing a specific report for each area recommending good practice. To learn about their current data protection practice and awareness, the ICO asked all schools in the areas that took part to fill out a data protection self-assessment questionnaire. [...] Over 400 schools in nine local authority areas returned completed questionnaires [...]. This report draws together our findings."
ICO: Report on the data protection guidance we gave schools in 2012 (PDF)
Data Protector: DP standards in schools (2012/09/27)
A report by Microsoft.
From the main page:
"The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide."
Microsoft: Microsoft security intelligence report (PDF files linked from this page)
Security.nl: Microsoft - pirated software the biggest threat of 2012 ('Microsoft - illegale software grootste dreiging 2012') (2012/10/09)
A report published by Symantec.
'Key themes':
"The scale of consumer cybercrime: one-and-a-half million victims daily; the global price tag of consumer cybercrime: US $110 billion annually; changing face of cybercrime: cybercrime goes social and mobile; security IQ - mixed report card for consumers: consumers wise up to traditional threats, but many still unaware as to how cybercrime is rapidly evolving; strong passwords are key: email a potential gateway for cybercriminals."
Symantec: 2012 Norton cybercrime report (PDF)
Symantec: 2012 Norton study - consumer cybercrime estimated at $110 billion annually (2012/09/05)
Security.nl: Symantec - cybercrime costs consumers 90 billion euros ('Symantec - cybercrime kost consument 90 miljard euro') (2012/09/05)
A paper by Mudhakar Srivatsa and Mike Hicks.
From the Abstract:
"Location-based services, which employ data from smartphones, vehicles, etc., are growing in popularity. To reduce the threat that shared location data poses to a user’s privacy, some services anonymize or obfuscate this data. In this paper, we show these methods can be effectively defeated: a set of location traces can be deanonymized given an easily obtained social network graph. The key idea of our approach is that a user may be identified by those she meets: a contact graph identifying meetings between anonymized users in a set of traces can be structurally correlated with a social network graph, thereby identifying anonymized users."
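The structural-correlation idea in the abstract, as an added Python example that is not code from the paper: it derives a contact graph from constructed anonymized traces (two pseudonyms "meet" when they report positions within an assumed 1.0-unit radius in the same time slot), seeds the mapping with nodes whose degree is unique in both graphs, and then greedily extends it to the unmatched (pseudonym, name) pair whose already-matched neighbours agree most often. The greedy propagation is a deliberately simplified stand-in for the paper's matching; the traces, the social graph, the names and the pseudonyms u1..u6 are all constructed.

```python
import math
from collections import defaultdict
from itertools import combinations

# Assumed co-location threshold: same time slot and positions within this distance
# (in the trace's own units) counts as a meeting.
CO_LOCATION_RADIUS = 1.0

# Constructed anonymized traces: (time slot, pseudonym, x, y). The pseudonyms u1..u6
# stand in for real identities; entries far from everyone else are decoys.
TRACES = [
    (1, "u1", 0.0, 0.0), (1, "u2", 0.6, 0.0), (1, "u3", 40.0, 5.0),
    (2, "u1", 3.0, 3.0), (2, "u3", 3.0, 3.5), (2, "u4", 90.0, 1.0),
    (3, "u2", 8.0, 8.0), (3, "u3", 8.4, 8.3), (3, "u6", 55.0, 55.0),
    (4, "u2", 12.0, 1.0), (4, "u5", 12.0, 1.8), (4, "u1", 70.0, 2.0),
    (5, "u3", 20.0, 20.0), (5, "u4", 20.5, 20.0), (5, "u2", 0.0, 99.0),
    (6, "u4", 33.0, 33.0), (6, "u5", 33.0, 33.9), (6, "u6", 5.0, 5.0),
    (7, "u5", 50.0, 10.0), (7, "u6", 50.7, 10.0), (7, "u1", 1.0, 1.0),
]

# Constructed public social graph (friendship edges between real names).
SOCIAL_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "carol"), ("bob", "erin"),
    ("carol", "dave"), ("dave", "erin"), ("erin", "frank"),
]


def build_contact_graph(traces, radius=CO_LOCATION_RADIUS):
    """Undirected graph over pseudonyms: an edge for every pair seen together in a slot."""
    by_slot = defaultdict(list)
    for slot, who, x, y in traces:
        by_slot[slot].append((who, x, y))
    graph = defaultdict(set)
    for entries in by_slot.values():
        for (a, ax, ay), (b, bx, by) in combinations(entries, 2):
            if a != b and math.hypot(ax - bx, ay - by) <= radius:
                graph[a].add(b)
                graph[b].add(a)
    return graph


def build_social_graph(edges):
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def unique_degree_nodes(graph):
    """degree -> node, for the degrees that exactly one node in the graph has."""
    by_degree = defaultdict(list)
    for node, neighbours in graph.items():
        by_degree[len(neighbours)].append(node)
    return {deg: nodes[0] for deg, nodes in by_degree.items() if len(nodes) == 1}


def deanonymize(contact, social):
    """Map pseudonyms to names by correlating the structure of the two graphs.

    Seed with nodes whose degree is unique in both graphs, then repeatedly match the
    unmatched (pseudonym, name) pair whose already-matched neighbours agree most often,
    breaking ties by closeness of degree. Returns a partial mapping once evidence runs out.
    """
    mapping = {}
    seeds_c, seeds_s = unique_degree_nodes(contact), unique_degree_nodes(social)
    for degree in seeds_c.keys() & seeds_s.keys():
        mapping[seeds_c[degree]] = seeds_s[degree]

    while len(mapping) < len(contact):
        taken = set(mapping.values())
        best = None
        for p in contact:
            if p in mapping:
                continue
            for s in social:
                if s in taken:
                    continue
                agree = sum(1 for q in contact[p] if q in mapping and mapping[q] in social[s])
                key = (agree, -abs(len(contact[p]) - len(social[s])), p, s)
                if best is None or key > best:
                    best = key
        if best is None or best[0] == 0:
            break  # no matched-neighbour evidence left: stop rather than guess
        mapping[best[2]] = best[3]
    return mapping


if __name__ == "__main__":
    contact_graph = build_contact_graph(TRACES)
    social_graph = build_social_graph(SOCIAL_EDGES)
    for pseudonym, name in sorted(deanonymize(contact_graph, social_graph).items()):
        print(f"{pseudonym} -> {name}")
```

Two points worth noticing when running it: the attack consumes only co-presence, not exact coordinates, so coarsening or jittering positions (the usual obfuscation) does nothing as long as meetings still fall inside the radius; and nodes that are structurally interchangeable in the social graph produce ties that no amount of trace data can resolve, which is why the function stops rather than guess once no matched-neighbour evidence remains.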
Mudhakar Srivatsa and Mike Hicks: Deanonymizing mobility traces - using social networks as a side-channel (PDF)
Jeremiah Grossman: Introducing the "I know..." series (WhiteHat Security Blog) (2012/10/10)
NetworkWorld Ms. Smith: Deanonymizing you - I know who you are after 1 click online or a mobile call (2012/10/17)
A publication by the Article 29 Data Protection Working Party.
From 'Further input by Article 29 Working Party':
"With a view to the on-going discussions in both the European Parliament and the Council, the Working Party has decided to adopt this opinion providing further guidance, notably on certain key data protection concepts and by analysing the need for and the effect of the proposed delegated acts and where necessary suggesting more suitable alternatives."
Article 29 Data Protection Working Party: Opinion 08/2012 providing further input on the data protection reform discussions (PDF)
HL: Article 29 Working Party issues second opinion on proposed EU Regulation (2012/10/11)
Out-law.com: Cookie identifiers and IP addresses that single out individuals should be classed as 'personal data,' says EU privacy watchdog (2012/10/15)
A paper by Peter P. Swire and Yianni Lagos.
From the Abstract:
"In its draft Data Protection Regulation, the European Union has announced a major new economic and human right – the right to data portability ('RDP'). The basic idea of the RDP is that an individual would be able to transfer his or her material from one information service to another, without hindrance. For instance, consumers would have a legal right to get an immediate and full download of their data held by a social network such as Facebook, a cloud provider, or a smartphone app. Although the idea of data portability is appealing, the RDP as defined in Article 18 of the draft Regulation is unprecedented and problematic. [...] In conclusion, the novel RDP is justified by the supposed benefits to consumers. As drafted, however, the RDP likely reduces consumer welfare, as articulated after long experience in competition law. It also creates risks to privacy that are not addressed in the current text. The RDP deserves far more scrutiny before becoming a mandate that applies globally to software and online services."
Peter P. Swire and Yianni Lagos: Why the right to data portability likely reduces consumer welfare - antitrust and privacy critique (SSRN)
FPF: What's wrong with the proposed EU right of data portability? (2012/10/17)
A report by the Presidential Commission for the Study of Bioethical Issues.
From the Letter of Transmittal to the President:
"Whole genome sequencing promises to provide the means to better understand health and disease processes and to tailor personalized therapies that could bring about cures and otherwise enhance quality of life for individuals and society broadly. As the cost to sequence an entire human genome continues to fall, the potential exists for rapid advances in wellness and health care resulting from this new technology. Essential to achieving those advances is the need to share, compare, and pool data. However, as the ease with which the acquisition and sharing of whole genome sequencing information increases, so do questions and concerns about privacy and security. The Commission offers 12 recommendations to improve current practices and to help ensure privacy and security as the field of genomics advances."
Presidential Commission for the Study of Bioethical Issues: Privacy and progress in whole genome sequencing (PDF linked from this page)
PrivacyLives: Presidential Commission for the Study of Bioethical Issues - Privacy and progress in whole genome sequencing (2012/10/12)
Epic.org: Presidential commission urges privacy protections for DNA data (2012/10/15)
Schneier on Security: Genetic privacy (2012/10/17)
A report by the U.S. Government Accountability Office.
From 'What GAO found':
"Industry associations and privacy advocates have developed recommended practices for companies to protect consumers' privacy while using mobile location data, but companies have not consistently implemented such practices. Recommended practices include clearly disclosing to consumers that a company is collecting location data and how it will use them, as well as identifying third parties that companies share location data with and the reasons for doing so. Companies GAO examined disclosed in their privacy policies that the companies were collecting consumers' location data, but did not clearly state how the companies were using these data or what third parties they may share them with. For example, some companies' policies stated they collected location data and listed uses for personal information, but did not state clearly whether companies considered location to be personal information. Furthermore, although policies stated that companies shared location data with third parties, they were sometimes vague about which types of companies these were and why they were sharing the data. Lacking clear information, consumers faced with making a decision about whether to allow companies to collect, use, and share data on their location would be unable to effectively judge whether the uses of their location data might violate their privacy."
U.S. Government Accountability Office: Mobile device location data - Additional federal actions could help protect consumer privacy (PDF linked from this page)
MediaPost: GAO - Consumers lack info about location tracking (2012/10/12)
A paper by Leyla Bilge and Tudor Dumitras.
From the Abstract:
"In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude."
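The "first seen before disclosure" method in the abstract, as an added Python example that is not the paper's code: it joins constructed per-host first-sighting telemetry with a (constructed) map from malicious file hash to the vulnerability it exploits and each vulnerability's public disclosure date, reports the vulnerabilities whose exploit appeared in the field before disclosure together with the length of that zero-day window, and counts affected hosts on either side of the disclosure. The host ids, file hashes, dates and the labels VULN-1..VULN-3 are placeholders, not real identifiers.

```python
from collections import defaultdict
from datetime import date

# Constructed field telemetry: (host id, file hash, date the file first appeared on that host).
SIGHTINGS = [
    ("h01", "f-aaa", date(2010, 3, 2)),
    ("h02", "f-aaa", date(2010, 5, 19)),
    ("h03", "f-bbb", date(2011, 1, 12)),
    ("h04", "f-aaa", date(2011, 2, 1)),
    ("h05", "f-bbb", date(2011, 2, 3)),
    ("h06", "f-bbb", date(2011, 3, 15)),
    ("h07", "f-ccc", date(2011, 7, 30)),
    ("h08", "f-ccc", date(2011, 8, 2)),
    ("h09", "f-ddd", date(2011, 12, 20)),
    ("h10", "f-ddd", date(2012, 1, 5)),
    ("h11", "f-zzz", date(2011, 9, 9)),   # never matched an exploit signature
]

# Constructed signature knowledge: which disclosed vulnerability each malicious file exploits.
EXPLOITS = {"f-aaa": "VULN-1", "f-bbb": "VULN-1", "f-ccc": "VULN-2", "f-ddd": "VULN-3"}

# Constructed public disclosure dates; the VULN-n labels are placeholders, not real identifiers.
DISCLOSED = {
    "VULN-1": date(2011, 1, 10),
    "VULN-2": date(2011, 6, 1),
    "VULN-3": date(2012, 1, 1),
}


def find_zero_days(sightings, exploits, disclosed):
    """Return {vulnerability: stats} for every vulnerability whose exploit was seen in
    the field before the vulnerability was publicly disclosed.

    zero_day_days is the window between the earliest sighting and the disclosure;
    hosts_before / hosts_after count sightings on either side of the disclosure date.
    """
    first_seen = {}
    hosts_before = defaultdict(int)
    hosts_after = defaultdict(int)
    for _host, file_hash, seen in sightings:
        vuln = exploits.get(file_hash)
        if vuln is None:
            continue  # file never matched a signature: the method cannot say anything about it
        if vuln not in first_seen or seen < first_seen[vuln]:
            first_seen[vuln] = seen
        if seen < disclosed[vuln]:
            hosts_before[vuln] += 1
        else:
            hosts_after[vuln] += 1

    results = {}
    for vuln, seen in first_seen.items():
        window = (disclosed[vuln] - seen).days
        if window > 0:
            results[vuln] = {
                "first_seen": seen,
                "disclosed": disclosed[vuln],
                "zero_day_days": window,
                "hosts_before": hosts_before[vuln],
                "hosts_after": hosts_after[vuln],
            }
    return results


if __name__ == "__main__":
    for vuln, stats in sorted(find_zero_days(SIGHTINGS, EXPLOITS, DISCLOSED).items()):
        print(vuln, stats)
```

Two limitations carry over from the method itself: a zero-day only becomes visible this way after its vulnerability has been disclosed and a signature exists for a file exploiting it, so exploits that were never disclosed or never matched a signature stay invisible; and the earliest sighting on the sensors can only post-date the exploit's real first use, so the computed window is a lower bound.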
Leyla Bilge and Tudor Dumitras: Before we knew it - An empirical study of zero-day attacks in the real world (PDF)
Schneier on Security: Studying zero-day attacks (2012/10/16)
Security.nl: Hackers exploit zero-days for 10 months on average ('Hackers misbruiken zero-day gemiddeld 10 maanden') (2012/10/17)
WebWereld: Critical zero-day holes stay in service for years ('Kritieke zero-day gaten doen jarenlang dienst') (2012/10/18)
A report for the European Commission, by Cristof Fleurus, Sebastiaan van der Peijl, Erik Van Zuuren, Patrick Wauters and Diane Whitehouse.
From the Introduction:
"The focus of this study is to look into the existing efforts at European level in establishing this enabling environment and looking beyond these achievements at what key elements should be put in place in order to move towards a trusted and sustainable cross-border eID solution at the European level. The aim is to take a pragmatic approach and provide insights into the elements that should be taken into account when setting up a running solution for cross-border interoperability for eIDs at the European level."
Cristof Fleurus, Sebastiaan van der Peijl, Erik Van Zuuren, Patrick Wauters and Diane Whitehouse: Towards a trusted and sustainable European federated eID system (PDF)
Europe's Newsroom: Towards a trusted and sustainable European federated eID system (SMART 2010-0068) - final report (2012/09/19)
Out-law.com: Electronic identification schemes should be governed by common data security requirements, EU privacy body says (2012/10/03)
A study carried out for the European Commission, by Reg Brennenraedts and Robbin te Velde.
From the Management Summary:
"Citizens and enterprises increasingly leave behind 'digital footprints'. By 'mining' these footprints it is, at least theoretically, possible to describe a wide range of socio-economic phenomena in near real-time. In this research project we thus use the Internet As a Data source (IaD) to complement or substitute traditional statistical sources. To conceptualise the automatic collection of data on the internet, we have drafted a model that literally follows the way bits flow between a particular user and a particular piece of online content."
Reg Brennenraedts and Robbin te Velde: Internet as data source - Feasibility study on statistical methods on internet as a source of data gathering (PDF)
European Commission: Feasibility study on statistical methods on internet as a source of data gathering (SMART 2010/030) (2012/10/05)
A publication by IBM.
From Section I - Threats:
"As a security research organization, IBM X-Force has traditionally viewed security breaches with a technical focus. However, we have modified our view of attacks and breaches over time to encompass a greater business context. The overall breach trend continues into 2012, as several major high profile businesses have had to deal with the fallout of leaked passwords and other personal data. The healthcare industry in particular seems to be hit hard. While security products and technology could have mitigated many of these unfortunate events, we are seeing more than ever how systems interconnectedness, poor policy enforcement, and human error, is far more influential than any single security vulnerability."
IBM: IBM X-Force 2012 mid-year trend and risk report (PDF)
Security.nl: Half of dangerous links found on porn and gambling sites ('Helft gevaarlijke links op porno- en goksites') (2012/09/20)
A paper by Robert Templeman, Zahid Rahman, David Crandall and Apu Kapadia.
Abstract:
"As smartphones become more pervasive, they are increasingly targeted by malware. At the same time, each new generation of smartphone features increasingly powerful onboard sensor suites. A new strain of 'sensor malware' has been developing that leverages these sensors to steal information from the physical environment - e.g., researchers have recently demonstrated how malware can 'listen' for spoken credit card numbers through the microphone, or 'feel' keystroke vibrations using the accelerometer. Yet the possibilities of what malware can 'see' through a camera have been understudied. This paper introduces a novel 'visual malware' called PlaceRaider, which allows remote attackers to engage in remote reconnaissance and what we call 'virtual theft.' Through completely opportunistic use of the phone's camera and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments. Remote burglars can thus 'download' the physical space, study the environment carefully, and steal virtual objects from the environment (such as financial documents, information on computer monitors, and personally identifiable information). Through two human subject studies we demonstrate the effectiveness of using mobile devices as powerful surveillance and virtual theft platforms, and we suggest several possible defenses against visual malware."
Robert Templeman, Zahid Rahman, David Crandall and Apu Kapadia: PlaceRaider - Virtual theft in physical spaces with smartphones (PDF)
Techdirt: Creepy smartphone malware re-creates your home for stalkers (2012/10/05)
A policy document by the European Commission.
From the Introduction:
"The Commission [...] aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy which can cut ICT costs, and when combined with new digital business practices, can boost productivity, growth and jobs. On the basis of an analysis of the overall policy, regulatory and technology landscapes and a wide consultation of stakeholders, undertaken to identify what needs to be done to achieve that goal, this document sets out the most important and urgent additional actions. It delivers one of the main actions foreseen in the Communication on e-Commerce and online services; it represents a political commitment of the Commission and serves as a call on all stakeholders to participate in the implementation of these actions, which could mean an additional EUR 45 billion of direct spend on Cloud Computing in the EU in 2020 as well as an overall cumulative impact on GDP of EUR 957 billion, and 3.8 million jobs, by 2020."
European Commission: Unleashing the potential of cloud computing in Europe (PDF)
SOLV: EU aims for free movement of cloud services ('EU streeft naar vrij verkeer van clouddiensten') (2012/09/26)
Neelie Kroes: A European strategy for cloud computing (2012/09/27)
SOLV: Kroes presents EU cloud strategy ('Kroes presenteert EU cloud strategie') (2012/09/27)
WebWereld: Kroes - Europe must lead the cloud revolution ('Kroes - Europa moet cloudrevolutie leiden') (2012/09/27)
Computable: Neelie Kroes formulates a European cloud strategy ('Neelie Kroes formuleert Europese cloudstrategie') (2012/09/28)
Out-law.com: Clouds over the EU and time to talk IT (2012/10/04)
Guidelines on data protection in the cloud by the ICO.
From the Overview:
"By processing data in the cloud an organisation may encounter risks to data protection that they were previously unaware of. It is important that data controllers take time to understand the data protection risks that cloud computing presents. This guidance offers a set of questions and approaches an organisation should consider, in conjunction with a prospective cloud provider, in order to ensure that the processing of personal data done in the cloud complies with the DPA."
ICO: Guidance on the use of cloud computing (PDF)
ICO: Cloud on the horizon for data-handling outsourcing (2012/09/27)
A paper by Meg Leta Ambrose and Jef Ausloos.
From the Abstract:
"The European Commission's proposal for a new Data Protection Directive released earlier this year has caused quite a bit of criticism, support, and skepticism around the world. The so-called 'right to be forgotten' has received impassioned responses, particularly from U.S. media. Taking a closer look at this right uncovers a rich social and legal history, a significant divide on a data subject's claim to his or her information once proffered, and the possible meaning and scope of the proposed right."
Meg Leta Ambrose and Jef Ausloos: The right to be forgotten across the pond (SSRN)
HL: Right to be forgotten and data security featured in research conference on communication, information and internet policy (2012/09/27)
A report by Ponemon Institute.
From the Executive Summary of the report on the US:
"To determine the current state of [risk-based security management], Ponemon Institute surveyed 631 individuals from organizations of different sizes and types in the United States (US). Individuals studied average 10 years of experience and have some level of involvement in security risk management activities at their organization. It also surveyed individuals with similar backgrounds from a similar variety of organizations in the United Kingdom (UK), Germany (DE) and the Netherlands (NE). This allows a comparison between the state of RBSM in the US and other countries. In total, the study surveyed 2,145 individuals. All individuals claim that their organization has some level of commitment to RBSM."
Ponemon Institute: The state of risk-based security management (PDF linked from this page)
Inside Privacy: Surveys reveal surprisingly common data security shortcomings (2012/09/27)