Rina Steenkamp - Privacy and technology
[Proposed new EU General Data Protection Regulation - Article-by-article analysis paper | The European data protection reform in the light of cloud computing | Critical cloud computing - a [critical information infrastructure protection (CIIP)] perspective on cloud computing services | An executive's guide to data breach trends in 2012 | [Fifth interim report on a national study of credit report accuracy] | EU Cybersecurity plan to protect open internet and online freedom and opportunity | Improving critical infrastructure cybersecurity | The proposed General Data Protection Regulation - The consistency mechanism explained | Corporate tax 2.0 - Why France and the world need a new tax system for the digital age | PCI DSS Cloud computing guidelines | Data protection - The super-brief guide to the proposed Regulation | Working document 01/2013 - Input on the proposed implementing acts | How will surveillance and privacy technologies impact on the psychological notions of identity? | Security engineering - A guide to building dependable distributed systems | How certification systems fail - lessons from the Ware Report | Choosing a hosting provider - 10 questions to ask your provider | Mobile privacy disclosures - building trust through transparency | Privacy by design and third party access to customer energy usage data | Identity assurance - enabling trusted transactions | Privacy Amendment (Enhancing Privacy Protection) Bill 2012 | Corruption, proportionality and the prosecution of Aaron Swartz | The draft EU General Data Protection Regulation - costs and paradoxes of explicit consent | Social Media - Consumer compliance risk management guidance | Cloud computing security considerations]
A paper by the Information Commissioner's Office (ICO).
From 'About this document':
"This document supplements the initial analysis paper on the European Commission's legislative proposals that we published in February 2012. We have had no reason to deviate from the general lines we set out then – which we think are still basically right - but we are in a better position now to set out in more detail our views of the substantive provisions of the proposed Regulation. In particular, we have drawn on expertise from across the ICO to develop a much clearer understanding of the practical implications of the European Commission's proposals as they stand. This paper contains comprehensive and detailed analysis of most of the Articles of the Regulation. Where we do not comment on a particular Article, this means we are content or have not formulated a view yet. This paper necessarily focuses on areas of uncertainty or issues that we have reservations about."
Information Commissioner's Office (ICO): Proposed new EU General Data Protection Regulation - Article-by-article analysis paper (PDF)
Master thesis by B.J.A. Schellekens.
From the Introduction:
"To revise the data protection regime in light of new technological developments, the European Commission proposed a reform of the data protection legislation. It proposed, among others, a General Data Protection Regulation which should 'update and modernize' the current rules. According to the legislator, the proposed Regulation is technology neutral and ready for the challenges of cloud computing. Furthermore, the new framework is announced as 'A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation (...)' and will besides its primary objective to protect the rights of individuals also 'facilitate the free flow of data within the Union and the transfer to third countries and international organizations'. This thesis will discuss if the aforementioned objectives are realized by the proposed Framework, thereby focusing on cloud computing. In analyzing and discussing the present as well as proposed framework, this thesis uses an approach that includes free flow of data, innovation, economic growth and the digital single market as essential factors in realizing and maximizing the benefits of using and sharing data by means of cloud computing. In other words, the emphasis is not so much on risks for data subjects, but potential for technological innovation in the European Union. Can indeed the European data protection legislation 'unleash' the potential of cloud computing in Europe as set out as an objective on the Digital Agenda of the Commission?"
B.J.A. Schellekens: The European data protection reform in the light of cloud computing (PDF)
A report by ENISA.
From the Executive Summary:
"In this report we look at cloud computing from a CIIP perspective and we look at a number of scenarios and threats relevant from a CIIP perspective, based on a survey of public sources on uptake of cloud computing and large cyber attacks and disruptions of cloud computing services."
ENISA: Critical cloud computing - a [critical information infrastructure protection (CIIP)] perspective on cloud computing services (PDF linked from this page)
A report sponsored by Risk Based Security and the Open Security Foundation.
From the Executive Summary:
"As we had predicted throughout the year, 2012 broke the previous record in terms of number of reported data loss incidents. With 2,644 incidents recorded through mid-January 2013, 2012 more than doubled the previous highest year on record (2011). On a positive note, however, although the number of reported incidents increased, the number of records exposed decreased. Over 267 million records were exposed in the 2,644 incidents, significantly less than the 412 million records exposed in 2011."
Risk Based Security and the Open Security Foundation: An executive's guide to data breach trends in 2012 (PDF)
A report by the Federal Trade Commission (FTC).
From the Executive Summary:
"Overall, we find that 26% of the 1,001 participants in the study identified at least one potentially material error on at least one of their three credit reports. Although 206 consumers (21% of the participants) had a modification to at least one of their credit reports after the dispute process, only 129 consumers (13% of participants) experienced a change in their credit score as a result of these modifications. Each affected participant may have as many as three score changes. Of the 129 consumers with any score change, the maximum changes in score for over half of the consumers were less than 20 points. For 5.2% of the consumers, the resulting increase in score was such that their credit risk tier decreased and thus the consumer may be more likely to be offered a lower auto loan interest rate."
Federal Trade Commission (FTC): [Fifth interim report on a national study of credit report accuracy] (PDF linked from this page)
A policy document by the European Commission.
From 'EU Cybersecurity plan to protect open internet and online freedom and opportunity':
"The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has published a cybersecurity strategy alongside a Commission proposed directive on network and information security (NIS). The cybersecurity strategy – "An Open, Safe and Secure Cyberspace" - represents the EU's comprehensive vision on how best to prevent and respond to cyber disruptions and attacks. This is to further European values of freedom and democracy and ensure the digital economy can safely grow. Specific actions are aimed at enhancing cyber resilience of information systems, reducing cybercrime and strengthening EU international cyber-security policy and cyber defence. [...] The proposed NIS Directive is a key component of the overall strategy and would require all Member States, key internet enablers and critical infrastructure operators such as e-commerce platforms and social networks and operators in energy, transport, banking and healthcare services to ensure a secure and trustworthy digital environment throughout the EU. The proposed Directive lays down measures including: (a) Member States must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents; (b) Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews; (c) Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services."
European Commission: EU Cybersecurity plan to protect open internet and online freedom and opportunity
Executive order by President Barack Obama.
Section 1 of the Executive Order:
"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."
President Barack Obama: Improving critical infrastructure cybersecurity (PDF, hosted on Wired.com)
An explanatory note by the European Commission.
From the introduction:
"The main innovations of the proposed General Data Protection Regulation relate to the institutional system it creates rather than to the substance of data protection law. The consistency mechanism is at the heart of this system."
European Commission: The proposed General Data Protection Regulation - The consistency mechanism explained
An article by Nicolas Colin.
From the article:
"Last July, the French Government asked Pierre Collin, a member of the French Conseil d’Etat, and myself to draft a report on the taxation of the digital economy. As an independent task force, our role was to recommend changes to national and international tax rules to take better account of value creation by digital firms. The report was published a few days ago, in the context of fiscal austerity and attacks on companies that avoid paying their fair share of tax. Since then, some of our recommendations, including the idea of an “Internet tax” based on data collection, have stirred a controversy both in France and abroad. This article explains how we came up with our conclusion and why we urgently need to reform our tax system so that it finally fits the way value is created in the digital economy."
Nicolas Colin: Corporate tax 2.0 - Why France and the world need a new tax system for the digital age (Forbes)
Guidelines by the Payment Card Industry (PCI) Security Standards Council.
From '1. Executive Summary':
"Cloud computing is a form of distributed computing that is yet to be standardized. There are a number of factors to be considered when migrating to cloud services, and organizations need to clearly understand their needs before they can determine if and how they will be met by a particular solution or provider. As cloud computing is still an evolving technology, evaluations of risks and benefits may change as the technology becomes more established and its implications become better understood. Cloud security is a shared responsibility between the cloud service provider (CSP) and its clients. If payment card data is stored, processed or transmitted in a cloud environment, [Payment Card Industry (PCI) Data Security Standards (DSS)] will apply to that environment, and will typically involve validation of both the CSP's infrastructure and the client's usage of that environment. The allocation of responsibility between client and provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements. [...] This document provides guidance on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments. This guidance builds on that provided in the PCI DSS Virtualization Guidelines and is intended for organizations using, or thinking of using, providing, or assessing cloud technologies as part of a cardholder data environment (CDE)."
Payment Card Industry (PCI) Security Standards Council: PCI DSS Cloud computing guidelines (PDF)
A booklet by EDRi.
From the web page:
"The processing and re-use of citizens’ data has become increasingly important from an economic perspective. It has led to pressure to weaken this fundamental right and also to change the legislative framework to make legal protections less predictable. In 2012, the EU Commission proposed to amend the legal protection of private data and to update its legislative frameworks. [...] In order to become familiar with some of the more pivotal issues surrounding the current data protection dialogue, please see below our super-brief guide to the Regulation (or download as pdf)."
EDRi: Data protection - The super-brief guide to the proposed Regulation (full text available on this page, can also be downloaded as PDF)
A working document by the Article 29 Data Protection Working Party (WP29).
From 'Input on the proposed implementing acts':
"On 5 October 2012, the Working Party adopted Opinion 8/2012 providing further input on the data protection reform discussions. One of the issues discussed was whether all provisions allowing the Commission to adopt delegated and implementing acts were actually justified and needed. In the Annex to Opinion 8/2012, the Working Party presented an Article-by-Article analysis of all provisions on possible delegated acts. The provisions on implementing acts were left aside for the time being. The current additional input focuses on these implementing acts."
Article 29 Data Protection Working Party (WP29): Working document 01/2013 - Input on the proposed implementing acts (PDF)
A paper by Ian Brown.
From '1. The likely direction of surveillance and privacy technologies':
"There are two key trends in the development of surveillance and privacy technologies over the next decade:
1. Surveillance will increasingly be deployed for pre-emptive purposes by governments and companies. This is driven by an increase in computing capacity, miniaturisation of devices and improvements in performance, together with increased public use of digital media.
2. Without a stronger impetus from regulators, the limited economic viability of privacy-protective technologies to date and reliance on ineffective privacy solutions means that privacy protection is lagging behind the development of surveillance technologies."
Ian Brown: How will surveillance and privacy technologies impact on the psychological notions of identity? (PDF)
Second edition of a book by Ross Anderson.
From the preface to the second edition:
"The largest changes, however, may be those driven by the tragic events of September 2001 and by our reaction to them. These have altered perceptions and priorities in many ways, and changed the shape of the security industry. Terrorism is not just about risk, but about the perception of risk, and about the manipulation of perception. This adds psychology and politics to the mix. Security engineers also have a duty to contribute to the political debate. Where inappropriate reactions to terrorist crimes have led to major waste of resources and unforced policy errors, we have to keep on educating people to ask a few simple questions: what are we seeking to prevent, and will the proposed mechanisms actually work?"
Ross Anderson: Security engineering - A guide to building dependable distributed systems (PDF versions of all chapters linked from this page)
An article by Steven J. Murdoch, Mike Bond and Ross Anderson.
From '1 Introduction':
"The heritage of most security certification standards in the banking industry can be traced back to a 1970 report by a task force operating under the auspices of the US Department of Defense. Since then, standards have changed, both in their approach and scope, but what lessons can we learn from the original work? The report, 'Security Controls for Computer Systems' (commonly known as the Ware Report, after the chair of the task force – Willis H. Ware), focussed on the problem of protecting classified information in multi-access, resource-sharing, computer systems which were at the time being increasingly used by both the government and defense contractors. The report included not only recommendations for what security functionality such systems should have in order to safely process classified information, but also proposed certification procedures for verifying whether a system meets these criteria. These certification procedures formed the basis for the Trusted Computer System Evaluation Criteria (TCSEC). [...] Complying with these standards is onerous, and the process of certification is both expensive and time consuming, yet security vulnerabilities are regularly discovered in all these systems, some of which are easy to exploit. How were these flaws missed? Was it a failure of the evaluation or a failure in the evaluation scheme? We can answer some of these questions by looking back at the report which originated TCSEC and its descendants."
Steven J. Murdoch, Mike Bond and Ross Anderson: How certification systems fail - lessons from the Ware Report (PDF)
A whitepaper by Sophos.
From 'Intro':
"Research from SophosLabs shows that 80% of websites where malicious content is detected are actually innocent sites that have been compromised by cybercriminals. Any site can be a target for this type of attack, from the largest global corporation to a local community volunteer organization. The security of your website is something you cannot afford to ignore if your online reputation and the safety of your customers and visitors matters to you. One of the key choices when creating an online presence for your organization is choosing a hosting provider. [...] Here are 10 questions you should be asking your hosting provider about features and services that will help to keep your site secure, covering general security practices, application security and operation of the site itself."
Sophos: Choosing a hosting provider - 10 questions to ask your provider (PDF linked from this page)
A report by the FTC.
From 'Mobile privacy disclosures - building trust through transparency':
"Based on more than a decade of work on mobile privacy issues and recent data obtained through panel discussions and comments, the Commission offers this staff report providing recommendations for best practices on mobile privacy disclosures. First, the report reviews the benefits and privacy risks of mobile technologies. Second, it discusses the FTC's efforts to address mobile privacy, as well as its research on disclosure issues generally. It then summarizes general themes raised by panel participants. Finally, it sets forth recommendations for best practices to key commercial players involved in the mobile arena – platforms, app developers, third parties such as ad networks and analytics companies, and trade associations. The recommendations are intended to promote more effective privacy disclosures."
FTC: Mobile privacy disclosures - building trust through transparency (PDF linked from this page)
A report by Sonia Livingstone, Leslie Haddon, Anke Görzig and Kjartan Ólafsson.
From the Executive Summary:
"The EU Kids Online network has conducted a unique, detailed, face-to-face survey in homes with 9-16 year old internet users from 25 countries; 25,142 children and their parents were interviewed during 2010. The purpose was to provide a rigorous evidence base to support stakeholders in their efforts to maximise online opportunities while minimising the risk of harm associated with internet use."
Sonia Livingstone, Leslie Haddon, Anke Görzig and Kjartan Ólafsson: EU kids online (PDF linked from this page)
A white paper by Ann Cavoukian, Ph.D., and Jules Polonetsky.
From the Introduction:
"This paper is not meant to apply to a particular jurisdiction, nor is it meant to be prescriptive. In this paper the [Information and Privacy Commissioner of Ontario] and the Future of Privacy Forum (FPF) explore at a high level the issue of third party access to [customer energy usage data (CEUD)], the benefits of such access, as well as the potential privacy risks. [Privacy by design] will be described and examples of proactive approaches to privacy already underway, in the context of third party access to CEUD, will be detailed."
Ann Cavoukian, Ph.D., and Jules Polonetsky: Privacy by design and third party access to customer energy usage data (PDF)
Good practice guidance by the UK Cabinet Office.
From 'Background':
"The Identity Assurance Programme is a core element of the 'digital by default' policy pursued by the Government Digital Service within the Cabinet Office. The Programme is facilitating the development of identity assurance schemes in the UK, by which citizens, business and devices will be able to assert identity safely and securely online in order to better access and transact with public services."
Cabinet Office: Identity assurance - enabling trusted transactions (PDF documents linked from this page)
Bill presented to the Governor-General for assent by the Parliament of Australia.
From the Summary:
"In response to the Australian Law Reform Commission's report in relation to Australian privacy law and practice, the bill amends the Privacy Act 1988 to: replace the current privacy principles for the public and private sectors with a single set of privacy principles (the Australian Privacy Principles (APPs)); implement a comprehensive credit reporting system which includes five kinds of personal information; provide for codes of practice under the APPs and a credit reporting code, including powers for the Privacy Commissioner to develop and register codes that are binding on specified agencies and organisations; and clarify the functions and powers of the Information Commissioner and increase the commissioner's ability to resolve complaints, recognise and encourage the use of external dispute resolutions services, conduct investigations and promote compliance with privacy obligations."
Parliament of Australia: Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (PDF and Word documents linked from this page)
A blog post, with links to several other blog posts that are worth reading, by Ray Corrigan.
From a linked and quoted blog post by James Boyle:
"I return to the Martin Luther King or Rosa Parks examples. (Or if you prefer, the anti-abortion activist who trespasses on Planned Parenthood in order to spray paint his slogan.) Legislatures had enacted segregation laws. If Dr. King trespasses and violates state rules mandating segregation, and announces that he considers these laws wrong and that he will encourage others to do the same in the future, do we really believe that the prosecutor should ramp up the penalty until it would amount to special deterrence? What would that take? Death? Life imprisonment? Is that then 'not disproportionate'? I would have thought that one of the reasons we treat the protester who acts out of conviction (even conviction we disagree with) more leniently, is that we recognize that this is not mere profit seeking, not mere personal interest, and that in the past, such protesters have eventually changed our minds about the rightness of the actions the law prohibits."
Ray Corrigan: Corruption, proportionality and the prosecution of Aaron Swartz
A white paper by Omer Tene and Christopher Wolf.
The 'Conclusion' of the white paper:
"The Future of Privacy Forum supports measures to provide individuals with greater transparency, choice and control over their personal data. However, by restricting organizations’ ability to rely on implied consent without at the same time simplifying the 'legitimate interest' test, the GDPR elevates form over substance. Much like the amended cookie provisions in the e-Privacy Directive, this will result in formalistic compliance without delivering individuals meaningful transparency and control. Consent should not be treated as a one-size-fits-all model; it should be tailored to the context of a relationship or transaction and tied to the sensitivity of the data as well as the societal value of its use. In light of the restrictive approach to consent and unpredictable nature of 'legitimate interests', a new legal basis should be added to the GDPR to authorize the processing of pseudonymized data without consent."
Other white papers that can be accessed from the same page: 'Overextended - Jurisdiction and applicable law under the EU General Data Protection Regulation' and 'The definition of personal data - seeing the complete spectrum'.
Omer Tene and Christopher Wolf: The draft EU General Data Protection Regulation - costs and paradoxes of explicit consent (SCRIBD linked from this page)
Proposed guidance by the Federal Financial Institutions Examination Council (FFIEC).
Paragraph 'II. Principal Elements of Proposed Guidance':
"The use of social media by a financial institution to attract and interact with customers can impact a financial institution's risk profile. The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk. Increased risk can arise from a variety of directions, including poor due diligence, oversight, or control on the part of the financial institution. The proposed guidance is meant to help financial institutions identify potential risk areas to appropriately address, as well as to ensure institutions are aware of their responsibilities to oversee and control these risks within their overall risk management program."
Federal Financial Institutions Examination Council (FFIEC): Social Media - Consumer compliance risk management guidance
A paper by Roger Halbheer and Doug Cavit.
From the Introduction:
"This paper provides a high-level discussion of the fundamental challenges and benefits of cloud computing security, and raises some of the questions that cloud service providers and organisations using cloud services need to consider when evaluating a new move, or expansion of existing services, to the cloud."
Roger Halbheer and Doug Cavit: Cloud computing security considerations (DOCX)