Rina Steenkamp - Privacy and technology
A code of practice by the ICO.
From the Information Commissioner's foreword:
"The current Data Protection Directive, dating from 1995, says that the principles of data protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. It also says that a code of practice can provide guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible. Yet, as far as I am aware, this is the first code of practice on anonymisation to be published by any European data protection authority."
ICO: Anonymisation - managing data protection risk (PDF)
Guidelines by ENISA.
From 'Preface':
"The European Network and Information Security Agency (ENISA) has decided to further investigate the challenges of ensuring an adequate smart grid protection in Europe, in order to help smart grid providers to improve the security and the resilience of their infrastructures and services. Defining a common approach to addressing smart grid cyber security measures will help achieve this. This technical document provides guidance to smart grid stakeholders by providing a set of minimum security measures which might help in improving the minimum level of their cyber security services."
ENISA: Appropriate security measures for smart grids (PDF linked from this page)
An article by Harriet Pearson.
From the Introduction:
"[Issues related to cybersecurity] have taken on new importance for senior corporate leaders. For example, a recent survey of 1,957 general counsel and 11,340 corporate directors indicated that cybersecurity and data protection for the first time rank as top-of-mind concerns, edging out perennial priorities like operational risk and Foreign Corrupt Practices Act compliance. But now that the issues are on boards' radar screens, how should limited corporate resources best be directed so that key business assets are protected and legal and other risks are minimized? Unsurprisingly given the emerging nature of the challenge, the answer to how businesses - and their counsel - should address cybersecurity-related risk is evolving."
Harriet Pearson: Cybersecurity - The corporate counsel's agenda (PDF)
A tool by the Federal Communications Commission (FCC).
From the 'More about the Smartphone Security Checker' page:
"To assist the more than 120 million American smartphone owners, today the FCC launched the Smartphone Security Checker, an online tool to arm consumers with security steps customized by mobile operating system. The tool is the result of a public-private partnership between government experts, smartphone developers, and private IT and security companies. Partners include DHS, NCSA, FTC, CTIA, Lookout, BlackBerry, Chertoff Group, Sophos, McAfee, Symantec, and others."
Federal Communications Commission (FCC): Smartphone security checker
A security bulletin by Kaspersky.
From 'Conclusion':
"Unfortunately, despite the achievements in combating cybercrime, the proportion of users attacked online continued to grow in 2012, reaching 34%. Not a single European country made it into the low risk group where less than 20% of users were attacked while online."
Kaspersky: Kaspersky security bulletin 2012 - The overall statistics for 2012
A Microsoft paper by Mark Oram et al.
From the Introduction:
"Rather than the traditional focus on preventing compromise, an effective risk management strategy assumes that Determined Adversaries may successfully breach any outer defenses. The implementation of the risk management strategy therefore balances investment in prevention, detection, containment and recovery. Microsoft has a unique perspective on Targeted Attacks, as both a potential target of attacks and a service and solution provider to potential victims. This paper shares Microsoft's insights into the threat that Determined Adversaries and Targeted Attacks pose, identifies challenges for organizations seeking to combat this threat category and provides a context for other papers that will directly address each of those."
Mark Oram et al.: Determined adversaries and targeted attacks - The threat from sophisticated, well-resourced attackers (DOCX)
A website by EDRi.
From the front page:
"This is a platform set up by EDRi.org for an easy navigation through the different articles and topics of the Data Protection Regulation proposed by the European Commission on 25 January 2012 [...]."
EDRi: Everything you need to know about the Data Protection Regulation
A paper by Jules Polonetsky and Omer Tene.
The introduction to the paper:
"This paper addresses how policymakers should think about privacy in a world where leading technology companies are increasingly providing integrated products and services across the breadth of our digital lives, using personal data for multiple purposes. We explain that consumers are unlikely to object where the use of personal data is contextually consistent or where other circumstances warrant data use for an integrated user experience. Indeed, many benefits flow from integrated services, favoring a reasoned consideration of the issue. We describe the circumstances in which new uses of data should be considered favorably, as well as those where a change in context will require action ranging from consumer communication to express consent."
Jules Polonetsky and Omer Tene: It's not how much data you have, but how you use it - assessing privacy in the context of consumer data integration (Scribd)
A staff report by the FTC.
From the Introduction:
"In February 2012, Federal Trade Commission (FTC) staff issued a report on a survey of mobile 'apps' offered for children in Apple's App Store and Google's Android Market, the two largest U.S. app stores. The report, 'Mobile Apps for Kids: Current Privacy Disclosures are Disappointing', found that little or no information was available to parents about the privacy practices and interactive features of the mobile apps surveyed prior to download. [...] The report stated that FTC staff would conduct a follow-up survey in six months to evaluate whether and how industry had addressed the concerns raised. FTC staff conducted its follow-up survey during the summer of 2012. Like the first survey, the new survey examined the disclosures that apps provided about their privacy practices and interactive features, such as links to social media. However, the new survey went a step further by testing the apps' practices and comparing them to the disclosures made. Specifically, the new survey examined whether the apps included interactive features or shared kids' information with third parties without disclosing these facts to parents. The answer: Yes, many apps included interactive features or shared kids' information with third parties without disclosing these practices to parents."
FTC: Mobile apps for kids - disclosures still not making the grade (PDF)
A report by Bits of Freedom.
From '01. Introduction':
"Companies and governments may base the collection and subsequent processing of personal data on six legal grounds. One of these grounds is referred to as the 'legitimate interest'-ground. [...] Our research shows powerful data controllers disregarding their users' interests and storing too much data. Bits of Freedom therefore proposes to amend the ground to improve online users' trust in data processing. These amendments are part of our work on the reform of the data protection framework ('the draft Regulation'), which started in January 2012 and is currently being debated in the European Parliament."
Bits of Freedom: A loophole in data processing - Why the 'legitimate interests' test fails to protect the interests of users and the Regulation needs to be amended (PDF)
A publication by NATO, edited by Alexander Klimburg.
From the Executive Summary:
"[...] the 'National Cyber Security Framework Manual' does not strive to provide a single universally applicable checklist of things to consider when drafting a national cyber security strategy. Rather, it provides detailed background information and theoretical frameworks to help the reader understand the different facets of national cyber security, according to different levels of public policy formulation. The four levels of government – political, strategic, operational and tactical (technical) – each have their own perspectives on national cyber security, and each is addressed in individual sections."
Alexander Klimburg: National cyber security framework manual (PDF linked from this page)
Report by Lord Justice Leveson.
From the Executive Summary:
"1. For the seventh time in less than 70 years, a report has been commissioned by the Government which has dealt with concerns about the press. It was sparked by public revulsion about a single action – the hacking of the mobile phone of a murdered teenager. From that beginning, the scope of the Inquiry was expanded to cover the culture, practices and ethics of the press in its relations with the public, with the police, with politicians and, as to the police and politicians, the conduct of each. It carries with it authority provided personally by the Prime Minister. It requires me to consider the extent to which there was a failure to act on previous warnings as to the conduct of the press, the way in which the press has been regulated (if it has) and, in any event, how regulation should work in the future. [...] 102. One of the areas that I am required to consider is 'the extent to which the current policy and regulatory framework has failed, including in relation to data protection'. This is because of the light that Operation Motorman can shine on the culture, practices and ethics of the press. It is also because the response of the Office of the Information Commissioner (ICO), and its role and functions in relation to the press more generally, is relevant to the adequacy of the regulatory framework."
Lord Justice Leveson: An inquiry into the culture, practices and ethics of the press (4 volumes linked from this page, PDF available for each volume)
Master's thesis by Emre Yildirim.
From the Introduction:
"Mobile privacy has been described as terra incognita. The source of the privacy concerns is twofold; firstly because apps can access a lot of personal data available on smart mobile devices, secondly because the processing of personal data by apps is not always transparent to users. The goal of this thesis is to research to what extent third-party apps for smart mobile devices have to comply with relevant EU legislation concerning the processing of personal data."
Emre Yildirim: Mobile privacy - Is there an app for that? On smart mobile devices, apps and data protection (PDF)
Two data protection compliance guides by CNIL.
From the accompanying news article:
"The two new guides propose a way to build a comprehensive analysis to handle complex personal data processing operations. These documents are primarily intended for use by controllers, data protection officers (DPO) and chief information security officers (CISO). They assist them in creating a rational understanding of the risks arising from the processing of personal data and to choose necessary and sufficient organizational and technical measures to protect privacy."
CNIL: Methodology for privacy risk management / Measures for the privacy risk treatment (PDF versions of both documents linked from this page)
A report by Sophos.
From the Foreword:
"BYOD is a rapidly evolving trend, and many of our customers and users actively embrace this trend. Employees are looking to use their smartphone, tablet, or next generation notebook to connect to corporate networks. That means IT departments are being asked to secure sensitive data on devices they have very little control over. BYOD can be a win-win for users and employers, but the security challenges are real while boundaries between business and private use are blurring. It raises questions on who owns, manages and secures devices and the data on them. [...] IT security is evolving from a device-centric to a user-centric view, and the security requirements are many. A modern security strategy must focus on all the key components—enforcement of use policies, data encryption, secure access to corporate networks, productivity and content filtering, vulnerability and patch management, and of course threat and malware protection."
Sophos: Security threat report 2013 - New platforms and changing threats (PDF linked from this page)
A case study by Eran Kalige and Darell Burkey.
From the Executive Summary:
"This is a case study about a sophisticated, multi-dimensional and targeted attack that stole an estimated 36+ million Euros from more than 30,000 bank customers from multiple banks across Europe. The attacks began in Italy, and soon after, tens of thousands of infected online bank customers were detected in Germany, Spain and Holland. Entirely transparent, the online banking customers had no idea they were infected with Trojans, that their online banking sessions were being compromised or that funds were being stolen directly out of their accounts."
Eran Kalige and Darell Burkey: A case study of Eurograbber - How 36 million euros was stolen via malware (PDF linked from this page)
A survey by the Internet Society.
From 'Background':
"The Global Internet User Survey (GIUS) is a globally-scoped survey programme developed by the Internet Society to provide reliable information relevant to issues important to the Internet’s future. [...] In 2012 the GIUS interviewed more than 10,000 Internet users in 20 countries."
Internet Society: Global Internet user survey 2012
A paper by Neil M. Richards.
From the introduction:
"[...] we lack an understanding of why (and when) government surveillance is harmful. Existing attempts to define the dangers of surveillance are often unconvincing, and they have generally failed to speak in terms that are likely to influence the law. In this essay, I try to explain the harms of government surveillance. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of 'surveillance studies,' I offer an account of what those harms are and why they matter. I will move beyond the vagueness of current theories of surveillance to articulate a more coherent understanding and a more workable approach."
Neil M. Richards: The dangers of surveillance (PDF)
A debate with contributions by various authors on the Steptoe Cyberblog.
From the introduction to the post:
"Can the victims of hacking take more action to protect themselves? Can they hack back and mete out their own justice? The Computer Fraud and Abuse Act (CFAA) has traditionally been seen as making most forms of counterhacking unlawful. But some lawyers have recently questioned this view. Some of the most interesting exchanges on the legality of hacking back have occurred as dueling posts on the Volokh Conspiracy. In the interest of making the exchanges conveniently available, they are collected here in a single document."
Steptoe Cyberblog: The hackback debate
Guidelines by the Office for Civil Rights (OCR).
From '1.3. De-identification and its Rationale':
"The increasing adoption of health information technologies in the United States accelerates their potential to facilitate beneficial studies that combine large, complex data sets from multiple sources. The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors. [...] [T]he Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual. Both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds."
Office for Civil Rights (OCR): Guidance regarding methods for de-identification of protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) privacy rule (PDF)
A study by ENISA.
From '1 Executive Summary':
"Among the findings of [an earlier] study was the fact that while honeypots are recognised by CERTs as useful tools that can be utilised to detect and study attacks, their usage in the CERT community was not as wide as could be expected, which implies that barriers exist to their deployment. The core of the document is an investigation of existing honeypot and related technologies, with a focus on open-source solutions, also because not many commercial solutions are available and testing would involve extra costs. Basic honeypot concepts and deployment strategies are covered, to help CERTs gain a better understanding of the critical issues related to deployment. The intention of the study is to focus on the practicality of a solution, not necessarily its research or academic value."
ENISA: Proactive detection of security incidents - Honeypots (PDF linked from this page)
A report by the Privacy Commissioner [of New Zealand].
From '2: Introduction':
"The Accident Compensation Corporation (ACC) data breach in March 2012, involving more than 6,500 clients, may prove a sort of watershed for the public sector. The effect has been to identify weaknesses at a systemic and governance level and there are salutary lessons to be learned. [...] The inquiry highlighted that data management needs to be thought of as an integral part of serving the public, and as a wider 'risk management' strategy. It is evident that the way personal information is handled can affect an organisation from top to bottom, and that is particularly so if its core business is holding and processing personal information. The competitive driver in the private sector gives businesses a reality check: breaches of privacy lead to loss of customers. So there are some immediate – financial – incentives to get things right. The same driver does not exist in the public sector. Of course, the damage to public trust from privacy breaches is self-evident, and everyone is aware that public trust is essential for government agencies to be able to work effectively and efficiently. But 'trust' and 'efficiency' are relatively fuzzy concepts, that can be overlooked (albeit at the agency's peril) in the wider scheme of everyday government work."
Privacy Commissioner [of New Zealand]: Annual report 2012 (PDF)