Rina Steenkamp - Privacy and technology
[Unique in the crowd - The privacy bounds of human mobility | Discrimination in online ad delivery | Additional EDPS comments on the data protection reform package | The functions, powers and resources of the Information Commissioner | Assessment notices under the Data Protection Act 1998 - Extension of the Information Commissioner's powers | The Tallinn manual on the international law applicable to cyber warfare | Bound to fail - Why cyber security risk cannot simply be 'managed' away | Opinion 02/2013 on apps on smart devices | Using smartphones as a proxy for forensic evidence contained in cloud storage services | Silent listeners - The evolution of privacy and disclosure on Facebook | Everything we know about what data brokers know about you | Google, Facebook, Amazon, eBay - Is the internet driving competition or market monopolization? | Technology and the sovereignty of the individual | [Serious and Organised Crime Threat Assessment (SOCTA)] 2013 - Public version | Internet bad neighborhoods | Hacking appliances - Ironic exploits in security products | How bad is it? - A branching activity model to estimate the impact of information security breaches | The implausibility of secrecy | The web won't be safe or secure until we break it | Private traits and attributes are predictable from digital records of human behavior | Data protection in Europe | Paper, plastic... or mobile? An FTC workshop on mobile payments | Cyber-attacks - a new edge for old weapons | Stuxnet 0.5 - The missing link | Bring your own device (BYOD) | 2012 Data mining report to Congress | Quantifying the invisible audience in social networks | What privacy is for | Reforming the data protection package | Big data and analytics - seeking foundations for effective privacy guidance | Consumer Sentinel Network data book for January - December 2012 | Cybersecurity of smart grids | Opinion on [whether a hyperlink to content can be considered a communication to the public] | International compendium of data privacy laws | [Summary of the feedback on cybersecurity legislation from 'Fortune 500' companies] | Ransomware - next-generation fake antivirus | 2013 State of the endpoint | 2013 Cisco annual security report | Global audit committee survey | The UK cyber security strategy - Landscape review]
A paper by Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen and Vincent D. Blondel.
The introduction to the study:
"We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals. We coarsen the data spatially and temporally to find a formula for the uniqueness of human mobility traces given their resolution and the available outside information. This formula shows that the uniqueness of mobility traces decays approximately as the 1/10 power of their resolution. Hence, even coarse datasets provide little anonymity. These findings represent fundamental constraints to an individual's privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals."
Full text: Unique in the crowd - The privacy bounds of human mobility
A paper by Latanya Sweeney.
Abstract:
"A Google search for a person's name, such as 'Trevon Jones', may yield a personalized ad for public records about Trevon that may be neutral, such as 'Looking for Trevon Jones? …', or may be suggestive of an arrest record, such as 'Trevon Jones, Arrested?...'. This writing investigates the delivery of these kinds of ads by Google AdSense using a sample of racially associated names and finds statistically significant discrimination in ad delivery based on searches of 2184 racially associated personal names across two websites. First names, previously identified by others as being assigned at birth to more black or white babies, are found predictive of race (88% black, 96% white), and those assigned primarily to black babies, such as DeShawn, Darnell and Jermaine, generated ads suggestive of an arrest in 81 to 86 percent of name searches on one website and 92 to 95 percent on the other, while those assigned at birth primarily to whites, such as Geoffrey, Jill and Emma, generated more neutral copy: the word "arrest" appeared in 23 to 29 percent of name searches on one site and 0 to 60 percent on the other. On the more ad trafficked website, a black-identifying name was 25% more likely to get an ad suggestive of an arrest record. A few names did not follow these patterns: Dustin, a name predominantly given to white babies, generated an ad suggestive of arrest 81 and 100 percent of the time. All ads return results for actual individuals and ads appear regardless of whether the name has an arrest record in the company's database. Notwithstanding these findings, the company maintains Google received the same ad text for groups of last names (not first names), raising questions as to whether Google's advertising technology exposes racial bias in society and how ad and search technology can develop to assure racial fairness."
Full text (SSRN): Discrimination in online ad delivery
A publication by the European Data Protection Supervisor (EDPS).
From 'I. Anonymisation and pseudonymisation':
"Many amendments have been proposed to define anonymisation and pseudonymisation, and to provide for special rules regarding data treated in this way. While carefully considered measures may create incentives to increase the use of these techniques with the aim of improving data protection, too broad exemptions could lead to eroding the long-established concept of personal data as defined in Directive 95/46/EC. In the EDPS' view, it should be ensured that amendments regarding the definition of anonymous data and pseudonymous data are fully consistent with the definition of personal data and that they do not lead to unduly removing certain categories of data from the scope of the Regulation, in particular in cases where it is not clear whether the data have indeed been fully anonymised. In such cases, the data should remain within the scope of the Regulation."
Full text (PDF): Additional EDPS comments on the data protection reform package
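The uniqueness measure from the de Montjoye et al. abstract above is also the practical check behind the EDPS' caution that data which has merely been coarsened may not be fully anonymised. The following is an added example, not code from either document: it builds a constructed set of hourly antenna traces (a commute pattern plus noise, standing in for real carrier data), coarsens them in time and space, and measures what fraction of users are singled out by p randomly chosen points of their own trace. The dataset sizes, the 80% commute regularity and the coarsening buckets are assumptions chosen for illustration.

```python
"""How many spatio-temporal points single out one mobility trace?

Added example, not code from de Montjoye et al. The traces are constructed
(a commute pattern plus noise) and stand in for hourly carrier-antenna data.
"""
import random
from collections import defaultdict


def make_traces(n_users=200, n_hours=120, n_antennas=300, seed=1):
    """Constructed dataset: user -> list of (hour, antenna_id)."""
    rng = random.Random(seed)
    traces = {}
    for user in range(n_users):
        home, work = rng.randrange(n_antennas), rng.randrange(n_antennas)
        points = []
        for hour in range(n_hours):
            at_work = 9 <= hour % 24 < 18
            base = work if at_work else home
            # 80% of samples at the expected place, the rest anywhere (assumed)
            antenna = base if rng.random() < 0.8 else rng.randrange(n_antennas)
            points.append((hour, antenna))
        traces[user] = points
    return traces


def coarsen(traces, time_bucket=1, space_bucket=1):
    """Reduce resolution: hours merged into buckets of `time_bucket`,
    antennas merged into groups of `space_bucket` adjacent ids.
    Returns user -> set of coarse (time, place) points."""
    return {
        user: {(hour // time_bucket, antenna // space_bucket) for hour, antenna in pts}
        for user, pts in traces.items()
    }


def uniqueness(coarse, p, seed=2):
    """Fraction of users for whom p randomly chosen points of their own trace
    are matched by no other user's trace (the 'p points suffice' measure)."""
    rng = random.Random(seed)
    visitors = defaultdict(set)  # coarse point -> users whose trace contains it
    for user, pts in coarse.items():
        for pt in pts:
            visitors[pt].add(user)
    unique = 0
    for user, pts in coarse.items():
        sample = rng.sample(sorted(pts), min(p, len(pts)))
        candidates = set.intersection(*(visitors[pt] for pt in sample))
        if candidates == {user}:
            unique += 1
    return unique / len(coarse)


def run(p=4):
    """Uniqueness of p points at full resolution versus daily/regional resolution."""
    traces = make_traces()
    return {
        "hourly_antenna": uniqueness(coarsen(traces, 1, 1), p),
        "daily_region": uniqueness(coarsen(traces, 24, 30), p),
    }


if __name__ == "__main__":
    print(run())
```

At hourly, per-antenna resolution four points isolate nearly every constructed user; merging a whole day and thirty antennas into one bucket drives the figure toward zero, which is the direction of the paper's result. The check is cheap enough to run on any location dataset before calling it anonymised: if a handful of points still single out most records, the coarsening has not removed the identifying structure.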
A report by the House of Commons Justice Committee.
From the Summary:
"Last year in our report on referral fees and the theft of personal data we considered the adequacy of the Information Commissioner's powers to enforce data protection legislation. We return to this issue in this Report, taking account of developments over the intervening period. We reiterate our recommendation that the Government commence legislative provisions which would enable courts to impose custodial sentences for offences involving the unlawful obtaining or disclosure of personal data."
Full text (PDF): The functions, powers and resources of the Information Commissioner
A consultation paper by the UK Ministry of Justice.
From the Introduction:
"The [National Health Service (NHS)] is one of the largest data controllers in the UK, processing a huge amount of sensitive personal data on a daily basis. It is therefore important for confidence in the NHS that the public feel reassured that their personal data is being handled in compliance with the Data Protection Act and personal data losses and other breaches that can result in considerable harm and distress are avoided. The Information Commissioner has requested that the Secretary of State use the Order-making power under section 41A (2)(b) DPA to extend the powers of the Information Commissioner to carry out compulsory assessments of NHS bodies' compliance with the data protection principles under the DPA."
Full text (PDF): Assessment notices under the Data Protection Act 1998 - Extension of the Information Commissioner's powers
A report written at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence.
From the accompanying web page:
"The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre by an independent 'International Group of Experts', is the result of a three-year effort to examine how extant international law norms apply to this 'new' form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt with in the context of these topics."
Full text (ISSUU linked from this page): The Tallinn manual on the international law applicable to cyber warfare
A paper by Ralph Langner and Perry Pederson.
From 'Executive Summary':
"Rather than a much-needed initiative to break the legislative deadlock on the subject in Congress, President Obama's new executive order for improving critical infrastructure cyber security is a recipe for continued failure. In essence, the executive order puts the emphasis on establishing a framework for risk management and relies on voluntary participation of the private sector that owns and operates the majority of U.S. critical infrastructure. Both approaches have been attempted for more than a decade without measurable success. A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic. Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation's most critical installations."
Full text (PDF): Bound to fail - Why cyber security risk cannot simply be 'managed' away
An opinion by WP29.
From 'Summary':
"App developers unaware of the data protection requirements may create significant risks to the private life and reputation of users of smart devices. The key data protection risks to end users are the lack of transparency and awareness of the types of processing an app may undertake combined with a lack of meaningful consent from end users before that processing takes place. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment."
Full text (PDF): Opinion 02/2013 on apps on smart devices
A paper by George Grispos, William Bradley Glisson and Tim Storer.
From '5. Future work and conclusions':
"The results from this research have shown that smartphone devices which access cloud storage services can potentially contain a proxy view of the data stored in a cloud storage service. The recovery of data from these devices can in some scenarios provide access to further data stored in a cloud storage account. From the client perspective, it can potentially provide a partial view of the data without access to the data provider. The recovery of this evidence is dependent on two factors. First, the cloud storage application has been used to view the files in the cloud. Second, the user has not attempted to clear the cache of recently viewed files."
Full text (PDF): Using smartphones as a proxy for forensic evidence contained in cloud storage services
A paper by Fred Stutzman, Ralph Gross and Alessandro Acquisti.
From the Abstract:
"Over the past decade, social network sites have experienced dramatic growth in popularity, reaching most demographics and providing new opportunities for interaction and socialization. Through this growth, users have been challenged to manage novel privacy concerns and balance nuanced trade-offs between disclosing and withholding personal information. To date, however, no study has documented how privacy and disclosure evolved on social network sites over an extended period of time. In this manuscript we use profile data from a longitudinal panel of 5,076 Facebook users to understand how their privacy and disclosure behavior changed between 2005 - the early days of the network - and 2011."
Full text (PDF): Silent listeners - The evolution of privacy and disclosure on Facebook
An article by ProPublica.
From the article:
"Data companies are scooping up enormous amounts of information about almost every American. They sell information about whether you're pregnant or divorced or trying to lose weight, about how rich you are and what kinds of cars you have. Regulators and some in Congress have been taking a closer look at these so-called data brokers — and are beginning to push the companies to give consumers more information and control over what happens to their data. But many people still don't even know that data brokers exist. Here's a look at what we know about the consumer data industry."
Full text: Everything we know about what data brokers know about you
A paper by Justus Haucap and Ulrich Heimeshoff.
Abstract:
"This paper discusses the general characteristics of online markets from a competition theory perspective and the implications for competition policy. Three important Internet markets are analyzed in more detail: search engines, online auction platforms, and social networks. Given the high level of market concentration and the development of competition over time, we use our theoretical insights to examine whether leading Internet platforms have non-temporary market power. Based on this analysis we answer the question whether any specific market regulation beyond general competition law rules is warranted in these three online markets."
Full text (PDF): Google, Facebook, Amazon, eBay - Is the internet driving competition or market monopolization?
A speech by Robert M. McDowell.
From the speech:
"Freedom is on the rise unlike any other time in world history. In the early 1970s, the world had fewer than 40 electoral democracies. Today, there are 116, with perhaps more on the way soon. That’s phenomenal growth. And the proliferation of communications technologies is not following the spread of liberty, it is pushing it. Communications technologies are now the tip of the spear in the fight for freedom across the globe. We all have seen the same basic scenario play out repeatedly in just a few short years. For example:
In Indonesia, President Suharto was ousted by a student movement that 'had no identifiable leader and no apparent structure.' Yet the student movement succeeded because the students 'were able to organize over the internet' by using social media.
Mobile devices were also credited with the success of the famous 'Orange Revolution' that took place in the Ukraine in 2004. Kiev's college students used their mobile phones to organize their protests, dubbed 'smart mobbing,' in Independence Square.
During the 2005 Saudi Arabian 'Jeddah' election cycle, women were allowed to run for office for the first time in that country. It was mobile phones that enabled them to campaign without violating traditional social restrictions that limit women’s access to audiences.
Mobile phones helped get the word out that polling places were safe to reluctant potential voters fearing election violence during the historic Iraqi elections of 2005. A larger than anticipated turn-out resulted."
Full text (PDF): Technology and the sovereignty of the individual
A report by Europol.
From '2.8 The internet and e-commerce':
"The internet offers multiple opportunities for organised crime. It facilitates the search for and accessing of information, the targeting of victims, the concealing of criminal activities, the arrangement of logistics, recruitment, distribution, the laundering of criminal proceeds and creates previously unknown criminal markets. The ongoing global development of internet infrastructures and their widespread use for legitimate activities has become a major factor in the proliferation of serious and organised crime."
Full text (PDF): Serious and Organised Crime Threat Assessment (SOCTA) 2013 - Public version
Dissertation by Giovane César Moreira Moura.
From the Abstract:
"A significant part of current Internet attacks originates from hosts that are distributed all over the Internet. However, there is evidence that most of these hosts are, in fact, concentrated in certain parts of the Internet. This behavior resembles the crime distribution in the real world: it occurs in most places, but it tends to be concentrated in certain areas. In the real world, high crime areas are usually labeled as 'bad neighborhoods'. The goal of this dissertation is to investigate Bad Neighborhoods on the Internet. The idea behind the Internet Bad Neighborhood concept is that the probability of a host in behaving badly increases if its neighboring hosts (i.e., hosts within the same subnetwork) also behave badly. This idea, in turn, can be exploited to improve current Internet security solutions, since it provides an indirect approach to predict new sources of attacks (neighboring hosts of malicious ones)."
Full text (PDF linked from this page): Internet bad neighborhoods
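The Bad Neighborhood idea in the abstract above, as an added example rather than code from the dissertation: hosts observed attacking are aggregated by their enclosing prefix (/24 by default, a wider prefix optionally), and the per-prefix count is then used to rate a host that has never itself been reported. The blocklist is constructed from RFC 5737 documentation ranges, and the threshold of two reported hosts per /24 is an assumption for illustration.

```python
"""Internet Bad Neighborhood scoring.

Added example, not code from Moura's dissertation. Attacking hosts are
aggregated by /24 (or a wider prefix); the per-prefix count rates hosts
that have never been observed themselves. Constructed data: RFC 5737 ranges.
"""
import ipaddress
from collections import Counter

# Constructed: hosts observed attacking (e.g. spam-trap or SSH-honeypot hits)
BAD_HOSTS = [
    "203.0.113.5", "203.0.113.17", "203.0.113.42", "203.0.113.200",
    "203.0.113.42",              # duplicate report of the same host, counted once
    "198.51.100.9",
    "192.0.2.77", "192.0.2.78", "192.0.2.79",
]


def neighborhood(ip, prefix=24):
    """The /prefix network containing `ip`."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_counts(bad_hosts, prefix=24):
    """Distinct reported hosts per neighborhood."""
    return Counter(neighborhood(ip, prefix) for ip in set(bad_hosts))


def score(ip, counts, prefix=24):
    """Fraction of the neighborhood's addresses that were reported bad;
    0.0 when nothing in the neighborhood has been reported."""
    net = neighborhood(ip, prefix)
    return counts.get(net, 0) / net.num_addresses


def is_bad_neighborhood(ip, counts, min_bad_hosts=2, prefix=24):
    """Flag `ip` when its neighborhood holds at least `min_bad_hosts` reported
    hosts; `ip` itself need not appear in the blocklist (the predictive use)."""
    return counts.get(neighborhood(ip, prefix), 0) >= min_bad_hosts


def ranked(counts):
    """Neighborhoods from worst to best by reported-host density."""
    return sorted(counts, key=lambda net: counts[net] / net.num_addresses, reverse=True)


if __name__ == "__main__":
    counts = build_counts(BAD_HOSTS)
    for net in ranked(counts):
        print(net, counts[net], f"{counts[net] / net.num_addresses:.4f}")
    for probe in ("203.0.113.99", "198.51.100.10", "10.0.0.1"):
        print(probe, is_bad_neighborhood(probe, counts))
```

The threshold is the lever: a single report in a /24 says little, while several distinct hosts in the same block is the concentration the dissertation describes. Aggregating at /16 trades precision for reach and should be driven by the same counts, not by reputation of a single host.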
A publication by Ben Williams.
From '6 Conclusion':
"The most surprising finding was that various IT Security Vendors do not appear to follow Secure Development Lifecycles to minimize the likelihood of these common classes of issues appearing in their products. Also, based on our discussions, a small number of vendors seemed unable to understand the significance of some issues, or to produce fixes in a reasonable timeframe. There was a large disparity with some vendors fixing all issues within 3 months, and other vendors not addressing very similar issues after nearly a year."
Full text (PDF): Hacking appliances - Ironic exploits in security products
A paper by Russell Cameron Thomas, Marcin Antkiewicz, Patrick Florer, Suzanne Widup and Matthew Woodyard.
Abstract:
"This paper proposes an analysis framework and model for estimating the impact of information security breach episodes. Previous methods either lack empirical grounding or are not sufficiently rigorous, general or flexible. There has also been no consistent model that serves theoretical and empirical research, and also professional practice. The proposed framework adopts an ex ante decision frame consistent with rational economic decision-making, and measures breach consequences via the anticipated costs of recovery and restoration by all affected stakeholders. The proposed branching activity model is an event tree whose structure and branching conditions can be estimated using probabilistic inference from evidence – 'Indicators of Impact.' This approach can facilitate reliable model estimation when evidence is imperfect, incomplete, ambiguous, or contradictory. The proposed method should be especially useful for modeling consequences that extend beyond the breached organization, including cascading consequences in critical infrastructures. Monte Carlo methods can be used to estimate the distribution of aggregate measures of impact such as total cost. Non-economic aggregate measures of impact can also be estimated. The feasibility of the proposed framework and model is demonstrated through case studies of several publicly disclosed breach episodes."
Full text (SSRN): How bad is it? - A branching activity model to estimate the impact of information security breaches
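The structure the abstract describes, an event tree of activities with a cost at each node and Monte Carlo over the branches, as an added example. This is not the authors' model or their case-study data: the activities, branch probabilities and recovery costs below are constructed for illustration, and the exact expectation is computed alongside the simulation so the reader can check that the sampler is unbiased.

```python
"""Event-tree breach impact model with Monte Carlo estimation.

Added example of the structure the abstract describes, not the authors' model.
Activities, branch probabilities and costs are constructed for illustration.
"""
import random
import statistics


def activity(cost, branches=()):
    """A node: the recovery/restoration cost incurred when this activity
    occurs, plus (probability, next_activity) branches; a leaf has none."""
    branches = list(branches)
    if branches and abs(sum(p for p, _ in branches) - 1.0) > 1e-9:
        raise ValueError("branch probabilities must sum to 1")
    return {"cost": cost, "branches": branches}


# Constructed tree: detection -> containment outcome -> follow-on consequences
BREACH = activity(50_000, [                 # triage and initial response
    (0.7, activity(20_000, [                # contained quickly
        (0.9, activity(0)),                 # no further obligations
        (0.1, activity(150_000)),           # notification and regulatory fine
    ])),
    (0.3, activity(200_000, [               # data exfiltrated: forensics, legal
        (0.5, activity(300_000)),           # customer notification, monitoring
        (0.5, activity(900_000)),           # cascade to downstream partners
    ])),
])


def sample_total_cost(tree, rng):
    """Walk one path from the root, choosing each branch by its probability."""
    total = tree["cost"]
    while tree["branches"]:
        r, acc = rng.random(), 0.0
        for prob, child in tree["branches"]:
            acc += prob
            if r < acc:
                break
        # if float rounding leaves r >= acc, the loop ends on the last branch
        tree = child
        total += tree["cost"]
    return total


def expected_cost(tree):
    """Exact expectation by enumerating the tree; a check on the simulation."""
    return tree["cost"] + sum(p * expected_cost(c) for p, c in tree["branches"])


def simulate(tree, n=20_000, seed=0):
    """Monte Carlo distribution of total cost summed over all activities."""
    rng = random.Random(seed)
    samples = sorted(sample_total_cost(tree, rng) for _ in range(n))
    return {
        "mean": statistics.fmean(samples),
        "p50": samples[n // 2],
        "p95": samples[int(0.95 * n)],
        "max": samples[-1],
    }


if __name__ == "__main__":
    print("expected:", expected_cost(BREACH))
    print("simulated:", simulate(BREACH))
```

The point of the tree over a single expected-loss figure is visible in the output: the median path is cheap while the 95th percentile is an order of magnitude larger, which is what a decision-maker weighing the cascading branches needs to see. Replacing the constructed probabilities with ones inferred from evidence is the part of the paper this example does not attempt.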
A paper by Mark Fenster.
From the Abstract:
"This article argues that information control is an implausible goal. It critiques some of the foundational assumptions of constitutional and statutory laws that seek to regulate information flows, in the process countering and complicating the extensive literature on secrecy, transparency, and leaks that rest on those assumptions. By focusing on the functional issues relating to government information and broadening its study beyond the much-examined phenomenon of leaks, the article catalogs and then illustrates in a series of case studies the formal and informal means by which information flows out of the state. These informal means play an especially important role in limiting both the ability of state actors to keep secrets and the extent to which formal legal doctrines can control the flow of government information. The same bureaucracy and legal regime that keep open government laws from creating a transparent state also keep the executive branch from creating a perfect informational dam. The article draws several implications from this descriptive, functional argument for legal reform and for the study of administrative and constitutional law."
Full text (SSRN): The implausibility of secrecy
An article by Jeremiah Grossman.
From the article:
"The Internet was designed to deliver information, but few people envisioned the vast amounts of information that would be involved or the personal nature of that information. Similarly, few could have foreseen the potential flaws in the design of the Internet—more specifically, Web browsers—that would expose this personal information, compromising the data of individuals and companies. If people knew just how much of their personal information they unwittingly make available to each and every Web site they visit—even sites they've never been to before—they would be disturbed."
Jeremiah Grossman: The web won't be safe or secure until we break it
An article by Michal Kosinski, David Stillwell, and Thore Graepel.
From the Abstract:
"We show that easily accessible digital records of behavior, Facebook Likes, can be used to automatically and accurately predict a range of highly sensitive personal attributes including: sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender. The analysis presented is based on a dataset of over 58,000 volunteers who provided their Facebook Likes, detailed demographic profiles, and the results of several psychometric tests."
Michal Kosinski, David Stillwell, and Thore Graepel: Private traits and attributes are predictable from digital records of human behavior (PDF linked from this page)
A position statement by more than 70 leading European academics, published at DataprotectionEU.eu.
From the page:
"The automatic processing of personal data is growing at an incredible pace and is starting to become an integral part of economic, administrative and social processes in Europe and throughout the world. On the Web in particular, users have learned to pay for a nominally free service by providing personal data for marketing purposes. Against this background, the overhaul of data protection regulation is now being discussed across Europe. A year ago, the European Commission presented a new draft of a European Data Protection Regulation. The European Parliament and the European Council are now preparing their views on this new regulation. At the same time, huge lobby groups are trying to massively influence the regulatory bodies. To contribute a more objective perspective to this heated debate, we would like to bring forward some professional arguments. We want to reply to some arguments that aim to weaken data protection in Europe."
DataprotectionEU.eu: Data protection in Europe
A staff report by the FTC.
From 'Privacy':
"[T]he use of mobile payments raises significant privacy concerns, due to both the high number of companies involved in the mobile payments ecosystem and the large amount of data being collected. In addition to the banks, merchants, and payment card networks present in traditional payment systems, mobile payments often involve new actors such as operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators. When a consumer makes a mobile payment, any or all of these parties may have access to more detailed data about a consumer and the consumer's purchasing habits as compared to data collected when making a traditional payment."
FTC: Paper, plastic... or mobile? An FTC workshop on mobile payments (PDF)
A Flash Note by ENISA.
From the document:
"The EU's cyber security agency ENISA has analysed recent major cyber-attacks and is calling for Europe's businesses and government organisations to take urgent action to combat emerging attack trends. These are characterised by old attack methods, being given a new edge because they are being used in a smarter, more targeted way."
ENISA: Cyber-attacks - a new edge for old weapons (PDF)
A paper by Geoff McDonald, Liam O Murchu, Stephen Doherty and Eric Chien.
From 'Overview':
"In 2010, Symantec reported on a new and highly sophisticated worm called Stuxnet. This worm became known as the first computer software threat that was used as a cyber-weapon. The worm was specifically designed to take control over industrial plant machinery and make it operate outside of its safe or normal performance envelope, causing damage in the process. This was a first in the history of malware. Clues in the code pointed to other versions of the worm which could potentially perform different actions, leaving an open question about Stuxnet and how it came to be. The wait for the missing link is now over. Symantec have now discovered an older version of Stuxnet that can answer the questions about the evolution of Stuxnet."
Geoff McDonald, Liam O Murchu, Stephen Doherty and Eric Chien: Stuxnet 0.5 - The missing link (PDF)
Guidance from the ICO.
The 'Summary':
"BYOD raises a number of data protection concerns due to the fact that the device is owned by the user rather than the data controller. However, it is crucial that as data controller you ensure that all processing for personal data which is under your control remains in compliance with the DPA. Particularly in the event of a security breach, you must be able to demonstrate that you have secured, controlled or deleted all personal data on a particular device."
ICO: Bring your own device (BYOD) (PDF)
A report by the Department of Homeland Security (DHS) Privacy Office.
From the Foreword:
"The Federal Agency Data Mining Reporting Act of 2007 [...] requires DHS to report annually to Congress on DHS activities that meet the Act's definition of data mining. For each identified activity, the Act requires DHS to provide the following: (1) a thorough description of the activity; (2) the technology and methodology used; (3) the sources of data used; (4) an analysis of the activity’s efficacy; (5) the legal authorities supporting the activity; and (6) an analysis of the activity's impact on privacy and the protections in place to protect privacy."
Department of Homeland Security (DHS) Privacy Office: 2012 Data mining report to Congress (PDF)
A paper by Michael S. Bernstein, Eytan Bakshy, Moira Burke and Brian Karrer.
From the Abstract:
"When you share content in an online social network, who is listening? Users have scarce information about who actually sees their content, making their audience seem invisible and difficult to estimate. However, understanding this invisible audience can impact both science and design, since perceived audiences influence content production and self-presentation online. In this paper, we combine survey and large-scale log data to examine how well users' perceptions of their audience match their actual audience on Facebook. We find that social media users consistently underestimate their audience size for their posts, guessing that their audience is just 27% of its true size."
Michael S. Bernstein, Eytan Bakshy, Moira Burke and Brian Karrer: Quantifying the invisible audience in social networks (PDF)
A paper by Julie E. Cohen.
From the Abstract:
"[...] privacy is anything but old-fashioned, and trading it away creates two kinds of large systemic risk. First, privacy is an indispensable structural feature of liberal democratic political systems. Freedom from surveillance, whether public or private, is foundational to the capacity for critical self-reflection and informed citizenship. A society that permits the unchecked ascendancy of surveillance infrastructures cannot hope to remain a liberal democracy. Under such conditions, liberal democracy as a form of government is replaced, gradually but surely, by a form of government that I will call modulated democracy because it relies on a form of surveillance that operates by modulation: a set of processes in which the quality and content of surveillant attention is continually modified according to the subject's own behavior, sometimes in response to inputs from the subject but according to logics that ultimately are outside the subject's control. Second, privacy is also foundational to the capacity for innovation, and so the perception of privacy as anti-innovation is a non sequitur. A society that values innovation ignores privacy at its peril, for privacy also shelters the processes of play and experimentation from which innovation emerges. Efforts to repackage pervasive surveillance as innovation — under the moniker 'Big Data' — are better understood as efforts to enshrine the methods and values of the modulated society at the heart of our system of knowledge production. In short, privacy incursions harm individuals, but not only individuals. Privacy incursions in the name of progress, innovation, and ordered liberty jeopardize the continuing vitality of the political and intellectual culture that we say we value."
Julie E. Cohen: What privacy is for (SSRN)
A document requested by the European Parliament's Committee on Internal Market and Consumer Protection, by Xawery Konarski, Damian Karwala, Prof. Dr. Hans Schulte-Nölke and Shaun Charlton.
Abstract:
"This study aims to provide background information and advice on priority measures and actions to be undertaken in the reform of the data protection package. The study is based upon four aspects: mapping new technologies and services; analysing the internal market dimension; strengthening the rights of the consumer; and international data transfers."
Xawery Konarski, Damian Karwala, Prof. Dr. Hans Schulte-Nölke and Shaun Charlton: Reforming the data protection package (PDF)
A discussion document by Hunton & Williams Centre For Information Policy Leadership.
From the Introduction:
"Although many applications do not involve personal information, in some cases the power of analytics, rich data stores and the insights they can yield raise risks to privacy. In some instances, data used in analytics is personally identifiable. In others, application of analytics to anonymous or non-personally identifiable data can reveal the identity of an individual or insights about him or her. Analytic models and algorithms and the data to which they are applied may vary in quality and integrity. While the outcomes of analytic processes can raise privacy concerns even when algorithms and data are appropriate for their intended use, algorithms and data whose quality is suspect can yield faulty results that may seriously compromise privacy or individual rights. Analytics may be applied to data that has been precluded by law from processing for certain purposes or to arrive at certain prohibited decisions. Big data and analytics support automated processes that may arrive at decisions about an individual, raising important questions about self-determination, personal autonomy and fairness. They may also yield predictions about individuals that may be perceived as invasive or as precluding his or her choices. While long-established principles of fair information practices provide guidance, analytics, processing technology and big data challenge the way we apply them. Policymakers, users of data and data protection authorities must, therefore, consider carefully how the principles are honestly and effectively applied to analytics."
Hunton & Williams Centre For Information Policy Leadership: Big data and analytics - seeking foundations for effective privacy guidance (PDF)
A publication by the Federal Trade Commission.
From the Executive Summary:
"The [Consumer Sentinel Network (CSN)] received over 2 million complaints during calendar year 2012: 52% fraud complaints; 18% identity theft complaints; and 30% other types of complaints. Identity Theft was the number one complaint category in the CSN for calendar year 2012 with 18% of the overall complaints [...]."
Federal Trade Commission: Consumer Sentinel Network data book for January - December 2012 (PDF)
Outcomes of the Expert Group on the Security and Resilience of Communications Networks and Information Systems for Smart Grids.
From 'Recommendations on Countermeasures' in the summary report:
"Self-assessment methodology for Smart Grid cyber security: Cyber security is - for a few electrical grid domains - a completely new and often not sufficiently covered topic in the EU. Other electrical grid domains have paid attention and are more developed. A well-defined self-assessment guide for the ICT security experts in SCADA and Smart Grid enables each Smart Grid stakeholder to identify potential risk and to assess vulnerabilities. The results can be used as a health check to define countermeasures and to reapprove security specifications. Also in the long term it would be desirable that the stakeholders would agree on minimum standards.
Promote application and adaption to Smart Grid of well-established ICT Security good practices: Information security and ICT-security is a well elaborated field in research and in practical solutions. This is especially true for corporate information systems. For Industrial Automation and Control Systems (IACS) there are the real time and 24/7 operation requirements, which need extra measures. Until recently IACS were not internetworked with the Internet and interconnected widely. For maintenance, efficiency, and monitoring purposes, IACS are connected to the corporate networks which often have several interconnections – either open declared or hidden – to public networks."
Expert Group on the Security and Resilience of Communications Networks and Information Systems for Smart Grids: Cybersecurity of smart grids (PDF documents linked from this page)
Opinion on the reference to the CJEU in case C-466/12 Svensson, by the European Copyright Society (ECS).
From the Opinion:
"2. The ECS wishes to take the opportunity to put on record its views of the issues before the Court in Case C-466/12, Svensson. The importance of this particular reference should be evident to the Court. Although hyperlinking takes many forms and has multiple functions, there can be no doubt that it is the single most important feature that differentiates the Internet from other forms of cultural production and dissemination. Hyperlinking is intimately bound to the conception of the Internet as a network, and hyperlinks constitute paths leading users from one location to another. As the Supreme Court of Canada has stated '[h]yperlinks ... are an indispensable part of [the Internet's] operation.' [...] 68. In this case, the Court needs equally to consider the effect of its ruling. If hyperlinking is regarded as communication to the public, all hyperlinks would need to be expressly licensed. In our view, that proposition is absurd."
European Copyright Society (ECS): Opinion on [whether a hyperlink to content can be considered a communication to the public] (PDF)
A compendium by Gerald J. Ferguson, Theodore J. Kobus III and Gonzalo S. Zeballos.
From 'Welcome':
"Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting obligations to a multinational enterprise. [...] This compendium represents our global experience in this field. While it is not a substitute for legal advice, it is a reference guide that outlines the basic requirements in place when dealing with international data breach so that you can know what immediate steps to take, and what questions you need to ask to minimize your company's exposure."
Gerald J. Ferguson, Theodore J. Kobus III and Gonzalo S. Zeballos: International compendium of data privacy laws (PDF)
A memorandum released by Senator John D. Rockefeller.
From the introduction to the document:
"On September 19, 2012, you sent letters to the Chief Executive Officers of the five hundred largest companies in the United States, commonly referred to as the “Fortune 500.” You wrote to the Fortune 500 to request information related to each company’s views on cybersecurity and the Cybersecurity Act of 2012, the legislation that you, Senators Lieberman, Collins, Feinstein, Carper and others worked to pass during the 112th Congress. [...] As described in greater detail below, approximately three hundred companies in the Fortune 500 have now responded to your letters."
Senator John D. Rockefeller: [Summary of the feedback on cybersecurity legislation from 'Fortune 500' companies] (PDF)
A paper by Anand Ajjan.
From '1. Overview':
"Ransomware is a type of malware which is widely classified as a Trojan. It restricts access to or damages the computer for the purpose of extorting money from the victim. It also has the capability to encrypt a user's files, display different threat messages, and force the user to pay ransom via an online payment system. There are various types of ransomware, which we shall describe in detail in the latter part of this paper. This paper describes in detail our findings about the motivations, strategies and techniques utilized in creating and propagating ransomware."
Anand Ajjan: Ransomware - next-generation fake antivirus (PDF linked from this page)
A report by Ponemon Institute.
From 'Part 1. Introduction':
"Since 2010, we have tracked endpoint risk in organizations, the resources to address the risk and the technologies deployed to manage threats. This study reveals that the state of endpoint risk is not improving. One of the top concerns is the proliferation of personally owned mobile devices in the workplace such as smart phones and iPads. In fact, 80 percent of those surveyed say laptops and other mobile data-bearing devices pose a significant security risk to their organization's networks or enterprise systems because they are not secure. Yet, only 13 percent say they use stricter security standards for employees' personal devices rather than for corporate-owned devices. Malware attacks are increasing and are having a significant impact on IT operating expenses. Advanced persistent threats and hacktivism pose the biggest headache to IT security pros. However, only 12 percent of those surveyed say current anti-virus/anti-malware technology is very effective in protecting their IT endpoints from today's malware risk and only 5 percent report a planned increase in the use of the technology. This comfort level with standalone anti-virus remains virtually unchanged since the 2010 study."
Ponemon Institute: 2013 State of the endpoint (PDF linked from this page)
A report by Cisco.
From the report:
"Cybercriminals are taking advantage of the rapidly expanding attack surface found in today's 'any-to-any' world, where individuals are using any device to access business applications in a network environment that utilizes decentralized cloud services. The 2013 Cisco Annual Security Report highlights global threat trends based on real-world data, and provides insight and analysis that helps businesses and governments improve their security posturing for the future. The report combines expert research with security intelligence that was aggregated from across Cisco, focusing on data collected during the 2012 calendar year."
Cisco: 2013 Cisco annual security report (PDF)
A report by the KPMG Audit Committee Institute.
From 'Risk & Compliance':
"While 37 percent of survey respondents describe the company's risk management program as 'robust and mature,' nearly half say their program requires 'substantial work.' Other key areas of audit committee concern: crisis readiness and response plans; the quality of risk-related information — particularly about cyber risk, global systemic risk, and the pace of technology change; hearing dissenting views (including from middle management) about critical risks facing the company; and focusing the company's key governance activities (risk management, compliance, controls, strategy, board oversight) on the greatest risks to the company's brand."
KPMG Audit Committee Institute: Global audit committee survey (PDF)
A report by the National Audit Office (NAO).
From 'Purpose of this landscape report':
"An effective UK response to cyber threats is essential for future economic prosperity, making public services digital by default, and maintaining the values and freedom of an open society. This landscape review describes government’s evolving approach to cyber security and describes the programme of work it has under way. [...] Part Two identifies the challenges that government faces in delivering its strategy."
National Audit Office (NAO): The UK cyber security strategy - Landscape review (PDF)