Rina Steenkamp - Privacy and technology
[The retention of the fingerprints of a person who had not been convicted breached his right to respect for his private life | The disconcerting details - How Facebook teams up with data brokers to show you targeted ads | 2013 Data breach investigations report | 2013 Information security breaches survey | 1Q 2013 security roundup - Zero-days hit users hard at the start of the year | "How old do you think I am?": A study of language and age in Twitter | Net neutrality in Europe | Clarifications regarding the U.S.-EU Safe Harbor framework and cloud computing | Can recent attacks really threaten Internet availability? | Microsoft security intelligence report - Volume 14 | Internet security threat report 2013 | Opinion 03/2013 on purpose limitation | Internet privacy - the right to be forgotten | Avoiding the hidden costs of the cloud | The modern malware review - Analysis of new and evasive malware in live enterprise networks | EU online trustmarks - Building digital confidence in Europe | Sleights of privacy - framing, disclosures, and the limits of transparency | The pursuit of privacy in a world where information control is falling | Privacy 101 - Skype leaks your location]
A press release by the European Court of Human Rights.
From the press release:
"In today's Chamber judgment in the case of M.K. v. France (application no. 19522/09), which is not final, the European Court of Human Rights held, unanimously, that there had been:
a violation of Article 8 (right to respect for private and family life) of the European Convention on Human Rights.
The case concerned a French national who complained of the fact that his fingerprints had been retained on a database by the French authorities. He had been the subject of two investigations concerning book theft, which ended in one case with his acquittal and in the other with a decision not to prosecute.
The Court considered, in view of the circumstances of the case, that the retention of the data in question amounted to disproportionate interference with the applicant's right to respect for his private life."
Full text (PDF linked from this page):
See also:
A blog post by Kurt Opsahl and Rainey Reitman (EFF).
From the blog post:
"Recently, we published a blog post that described how to opt out of seeing ads on Facebook targeted to you based on your offline activities. This post explained where these companies get their data, what information they share with Facebook, or what this means for your privacy. So get ready for the nitty-gritty details: who has your information, how they get it, and what they do with it. It’s a lot of information, so we’ve organized it into an FAQ for convenience."
Full text:
A report by Verizon.
From 'Results and analysis':
"The 2012 combined dataset represents the largest we have ever covered in any single year, spanning 47,000+ reported security incidents, 621 confirmed data disclosures, and at least 44 million compromised records (that we were able to quantify). Over the entire nine-year range of this study, that tally now exceeds 2,500 data disclosures and 1.1 billion compromised records."
Full text (PDF linked from this page):
See also:
A report commissioned by the Department for Business Innovation and Skills.
From 'Survey approach':
"This is the latest of the series of Information Security Breaches Surveys, carried out every couple of years since the early 1990s. Infosecurity Europe carried out the survey, and PwC analysed the results and wrote the report. [...] In total, there were 1,402 respondents. [...] As in the past, we have presented the results for large organisations (more than 250 employees) and small businesses (less than 50 employees) separately, and explained in the text any differences seen for medium-sized ones (50-249 employees)."
Full text (PDF):
See also:
A report by Trend Micro.
From the report:
"While exploits and vulnerabilities are a common problem for users, zero-day exploits in high-profile applications are relatively rare. That was not the case in the first quarter of 2013. Multiple zero-day exploits were found targeting popular applications like Java and Adobe Flash Player, Acrobat, and Reader. In addition, as predicted, we saw improvements in already-known threats like spam botnets, banking Trojans, and readily available exploit kits. Other high-profile incidents include the South Korean cyber attacks in March, which reiterated the dangers targeted attacks pose. On the mobile front, fake versions of popular apps remained a problem though phishers found a new target in the form of mobile browsers."
Full text (PDF):
See also:
A paper by Dong Nguyen, Rilana Gravel, Dolf Trieschnigg and Theo Meder.
Abstract:
"In this paper we focus on the connection between age and language use, exploring age prediction of Twitter users based on their tweets. We discuss the construction of a fine-grained annotation effort to assign ages and life stages to Twitter users. Using this dataset, we explore age prediction in three different ways: classifying users into age categories, by life stages, and predicting their exact age. We find that an automatic system achieves better performance than humans on these tasks and that both humans and the automatic systems have difficulties predicting the age of older people. Moreover, we present a detailed analysis of variables that change with age. We find strong patterns of change, and that most changes occur at young ages."
Full text (PDF):
See also:
A timeline by EDRi.
From the introduction:
"This timeline shows the key moments in the net neutrality debate in Europe in the last three years."
Full text (Tiki-Toki, may not be fully accessible in older browsers):
See also:
Questions and answers developed by the U.S. Department of Commerce's International Trade Administration (ITA).
The introduction to the document:
"These questions and answers were developed by the U.S. Department of Commerce's International Trade Administration (ITA) to provide some clarification regarding the U.S.-EU Safe Harbor Framework and how the Framework applies to cloud computing. This clarification was prepared, in part, to respond to inquiries generated by the July 2012 Article 29 Working Party Opinion on Cloud Computing, as well as an opinion and various statements made by certain EU Member State data protection authorities. ITA does not believe that 'cloud computing' represents an entirely new business model or presents any unique issues for Safe Harbor. The existing Safe Harbor Privacy Principles are comprehensive and flexible enough to address the issues raised by the cloud computing model; nevertheless, ITA offers the following information as guidance, given that organizations and authorities continue to grapple with how best to apply data protection principles to the cloud environment."
Full text (PDF):
See also:
A flash note by ENISA.
From the text:
"ENISA is recommending that Internet network providers implement long-known traffic filtering techniques, which could have countered a major cyber incident that hit services across western Europe last month (March 2013). The incident was an attack mounted against the non-profit organisation Spamhaus, leading to noticeable delays for internet users mostly in the UK, Germany and other parts of Western Europe. [...] This incident highlights some important vulnerabilities of the internet infrastructure, but at the same time also demonstrates its inherent resilience."
Full text (PDF linked from this page):
See also:
A report by Microsoft.
From the Executive Foreword:
"Over the past six and a half years we've published literally thousands of pages of threat intelligence in this report. Categories of focus continue to include trends and insights on security vulnerabilities, exploit activity, malware and potentially unwanted software, spam, phishing, malicious websites, and security trends from 105+ locations around the world. Volume 14 contains the latest intelligence with analysis completed, focused on the second half of 2012 and inclusive of trend data going back a year or more. To summarize across the findings of hundreds of pages of new data: industry-wide vulnerability disclosures are down, exploit activity has increased in many parts of the world, several locations with historically high malware infection rates saw improvements but the worldwide malware infection rate increased slightly, Windows 8 has the lowest malware infection rate of any Windows-based operating system observed to date, Trojans continue to top the list of malware threats, spam volumes went up slightly, and phishing levels remained consistent."
Full text (PDF linked from this page):
See also:
A report by Symantec.
From the Executive Summary:
"Threats to online security have grown and evolved considerably in 2012. From the threats of cyberespionage and industrial espionage to the widespread, chronic problems of malware and phishing, we have seen constant innovation from malware authors. We have also seen an expansion of traditional threats into new forums. In particular, social media and mobile devices have come under increasing attack in 2012, even as spam and phishing attacks via traditional routes have fallen. Online criminals are following users onto these new platforms."
Full text (PDF linked from this page):
See also:
A publication by the Article 29 Data Protection Working Party (WP29).
From the Executive Summary:
"This Opinion analyses the principle of purpose limitation. It provides guidance for the principle's practical application under the current legal framework, and formulates policy recommendations for the future. Purpose limitation protects data subjects by setting limits on how data controllers are able to use their data while also offering some degree of flexibility for data controllers. The concept of purpose limitation has two main building blocks: personal data must be collected for 'specified, explicit and legitimate' purposes (purpose specification) and not be 'further processed in a way incompatible' with those purposes (compatible use)."
Full text (PDF):
See also:
A series of articles by The Guardian.
'About this series':
"The internet has a long memory. But what if the pictures, data and personal information that it can pull up about you appear unfair, one-sided or just plain wrong? More and more people are claiming they have a 'right to be forgotten' and are even trying to delete themselves from the web. The issue appears poised to generate legal, technological and moral wranglings for years to come."
Full text:
See also:
A report by ReRez Research, commissioned by Symantec.
From 'Compliance and eDiscovery':
"Often, IT has their hands full with simply provisioning and maintaining cloud. A common refrain is that 'second order' issues such as compliance can wait. This is a mistake. In fact, 23 percent of organizations have been fined for privacy violations in the cloud within the past 12 months. Smart organizations know this: Roughly half today are saying they are concerned about meeting compliance requirements in the cloud. Interestingly, simply meeting compliance requirements is not enough; an even larger percentage say they worry about being able to prove their compliance."
Full text (PDF):
See also:
A report by Palo Alto Networks.
From 'Background and goals':
"The Modern Malware Review presents an analysis of 3 months of malware data derived from more than 1,000 live customer networks [...]. The review focuses on malware samples that were initially undetected by industry-leading antivirus products. The goal of focusing on unknown or undetected malware is not to point out deficiency in traditional antivirus solutions—but rather to better understand the problems, and hopefully identify practices that can help."
Full text (PDF):
See also:
A study carried out for the European Commission by Luca Alessandro Remotti, Anne Fleur van Veenstra, Marc van Lieshout, Gudrun Rumpf, Babis Ipektsidis and Tonia Damvakeraki.
From the accompanying web page:
"One of the key factors of eCommerce, be it cross-border or at national level, is trust between the parties: the purchaser and the merchant. Trustmarks can play a role in establishing trust relations: a trustmark is a sign displayed on an eCommerce website; it has the purpose to provide an independent guarantee of the trustworthiness and reliability of the webshop. Trustmarks are especially useful for smaller webshops that are not (yet) a strong online brand of their own. Four policy options are reviewed by the study and the final report addresses the pros and cons of these options. The Commission is currently considering the results of the study."
Full text (PDF linked from this page):
A draft - preliminary paper by Idris Adjerid, Alessandro Acquisti, Laura Brandimarte and George Loewenstein.
Abstract:
"In an effort to address persistent consumer privacy concerns, policy makers and the data industry seem to have found common grounds in proposals that aim at making online privacy more 'transparent.' Such self-regulatory approaches rely on, among other things, providing more and better information to users of Internet services about how their data is used. However, we illustrate in a series of experiments that even simple privacy notices do not consistently impact disclosure behavior, and may in fact be used to nudge individuals to disclose variable amounts of personal information. In a first experiment, we demonstrate that the impact of privacy notices on disclosure is sensitive to relative judgments, even when the objective risks of disclosure actually stay constant. In a second experiment, we show that the impact of privacy notices on disclosure can be muted by introducing simple misdirections that do not alter the objective risk of disclosure. These findings cast doubts on the likelihood of initiatives predicated around notices and transparency to address, by themselves, online privacy concerns."
Full text (PDF):
See also:
An article by Adam D. Thierer.
From the Abstract:
"This article — which focuses not on privacy rights against the government, but against private actors — cuts against the grain of much modern privacy scholarship by suggesting that expanded regulation is not the most constructive way to go about ensuring greater online privacy. The inherent subjectivity of privacy as a personal and societal value is one reason why expanded regulation is not sensible. Privacy has long been a thorny philosophical and jurisprudential matter; few can agree on its contours or can cite firm constitutional grounding for the rights or restrictions they articulate. [...] Because it will be exceedingly difficult to devise a fixed legal standard for privacy that will be satisfactory for a diverse citizenry (not all of whom value privacy equally), and because it will be increasingly difficult to enforce that standard even if it can be determined, alternative approaches to privacy protection should be considered."
Full text (SSRN):
See also:
A blog post by Brian Krebs.
From the blog post:
"The fact that Skype betrays its users' online location information is hardly news. [...] What's changed is that over the past year, a number of services have emerged to help snoops and ne'er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for 'skype resolver' returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target's Skype account name. [...] Typically, these Skype resolvers are offered in tandem with 'booter' or 'stresser' services, online attack tools-for-hire that can be rented to launch denial-of-service attacks [...]"
Full text: