Rina Steenkamp - Privacy and technology
Contents:
- [Google Spain] v. [Spanish data protection authority]
- Commission Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC [...]
- Beyond location - data security in the 21st century
- The law of the future and the future of law - Volume II
- Needle in a datastack - the rise of big security data
- Explanatory document on the Processor Binding Corporate Rules
- A guide to FISA §1881a - The law behind it all
- PRISM-Break list is dangerously misleading
- Amendments [...] on the proposal for a directive of the European Parliament and of the Council on attacks against information systems [...]
- Opinion on [the EU cyber security strategy and the proposed cybersecurity directive]
- 'Something bad might happen' - Lawyers, anonymization and risk
- Employers and schools that demand account passwords and the future of cloud privacy
- What does Prism tell us about privacy protection?
- Stop watching us
- PRISM Break
- 2013 Cost of data breach study - global analysis
- McAfee threats report - first quarter 2013
- Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue
- Transcripts from Bradley Manning's trial
- Annual report 2012
- Facebook costing 16-34s jobs in tough economic climate
- ESignature - Study on the supply side of EU e-signature market
- The Canadian access to social media information project (CATSMI)
- Teens, social media, and privacy
- Cyber security and fraud - The impact on small businesses
- National SME fraud segmentation 2012
- Electric grid vulnerability - Industry responses reveal security gaps
- Anatomy of a hack - How crackers ransack passwords like "qeadzcwrsfxv1331"
[Google Spain] v. [Spanish data protection authority]
An opinion of Advocate General Jääskinen.
From 'VIII - Conclusion':
"2. An internet search engine service provider, whose search engine locates information published or included on the internet by third parties, indexes it automatically, stores it temporarily and finally makes it available to internet users according to a particular order of preference, 'processes' personal data in the sense of Article 2(b) of Directive 95/46 when that information contains personal data. However, the internet search engine service provider cannot be considered as 'controller' of the processing of such personal data in the sense of Article 2(d) of Directive 95/46, with the exception of the contents of the index of its search engine, provided that the service provider does not index or archive personal data against the instructions or requests of the publisher of the web page.
3. The rights to erasure and blocking of data, provided for in Article 12(b), and the right to object, provided for in Article 14(a), of Directive 95/46, do not confer on the data subject a right to address himself to a search engine service provider in order to prevent indexing of the information relating to him personally, published legally on third parties' web pages, invoking his wish that such information should not be known to internet users when he considers that it might be prejudicial to him or he wishes it to be consigned to oblivion."
Full text:
Commission Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC [...]
A document by the European Commission.
From the accompanying web page:
"Under the revised ePrivacy Directive (2009/136/EC), when a personal data breach occurs, the provider has to report this to a specific national authority. Also, the provider has to inform the concerned subscriber directly when the breach is likely to adversely affect personal data or privacy. To ensure consistent implementation of the data breach rules across Member States, the Commission has adopted "technical implementing measures" – practical rules to complement the existing legislation – on the circumstances, formats and procedures for the notification requirements."
Full text (page with link to PDF linked from this page):
Beyond location - data security in the 21st century
An article by Deven R. Desai.
From the Abstract:
"In this short piece, I argue that data protection goals that focus on where data is located as a way to exert jurisdiction clash with best practices in security and networking. From a security perspective, location-based rules falter in a large area such as the EU; they fail in smaller markets."
Full text (SSRN):
The law of the future and the future of law - Volume II
A book by Sam Muller, Stavros Zouridis, Morly Frishman and Laura Kistemaker (editors).
From '3.3 The perspective of technology - How is technology affecting law?':
"Because of new technologies, rules sometimes become obsolete. But the impact of new technologies goes beyond rules and statutory legislation. Just as internationalisation raises some serious questions regarding basic legal principles and basic legal concepts, new technologies can render legal concepts that have been used for ages obsolete."
Full text (PDF):
Needle in a datastack - the rise of big security data
A report by McAfee.
From the report:
"500 interviews with senior IT decision makers were carried out for this report, Needle in a Datastack, which investigates how well organisations are positioned to address the challenges of managing security in a world of ever increasing amounts and types of data. Our research highlights the scale of the challenge but also the business imperative of spotting and managing anomalous and potentially dangerous activity amid the colossal amounts of data traffic. Specifically, the report reveals an alarming lack of appropriate security monitoring systems that leaves organisations vulnerable for entire working days to cybercrime. This is further compounded by a misplaced confidence in the robustness of cyber defences, and the increasing exposure to advanced threats. As volumes of security data grow ever bigger, IT and security professionals within organisations need to ensure that they are working closely together, as big data threatens to reveal a worrying dichotomy between the two."
Full text (PDF linked from this page):
Explanatory document on the Processor Binding Corporate Rules
A document by the Article 29 Data Protection Working Party (WP29).
From '1.3 Binding corporate rules for Processors':
"While standard contractual clauses appear to be efficient to frame non-massive transfers made by a data exporter located in the EU to a data importer located outside the EU, the outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognize internal rules organisations may have implemented. Such new legal instrument would be efficient to frame massive transfers made by a Processor to subprocessors part of the same organisation acting on behalf and under the instructions of a Controller. Given the growing interest of industry for such a tool, the Working Party adopted in the course of 2012 a working document setting up a table with the elements and principles to be found in BCR for Processors and an application form for submitting binding corporate rules for Processors."
Full text (PDF):
A guide to FISA §1881a - The law behind it all
A blog post on Privacy International, by Caroline Wilson.
From the blog post:
"Simply put, the National Security Agency is an intelligence agency. Its purpose is to monitor the world's communications, which it traditionally collected by using spy satellites, taps on cables, and placing listening stations around the world. In 2008, by making changes to U.S. law, the U.S. Congress enabled the NSA to make U.S. industry complicit in its mission. No longer would the NSA have to rely only on international gathering points. It can now go to domestic companies who hold massive amounts of information on foreigners and order them to submit any information of interest to the NSA. This could include the content of communications, documents, photos, videos, or locations and other so-called metadata - any information held by the companies. No warrant is required - though there is a secret court review. But that review's primary purpose appears to be to provide assurances that Americans won't be targeted."
Full text:
A selection from the most recent links on PRISM:
PRISM-Break list is dangerously misleading
A blog post by Alexander Hanff.
From the blog post:
"The web site makes a bold claim that by using the software and services listed, people can avoid the NSA from accessing their data and communications - this is completely false and as stated above, dangerously misleading. The web site lists a number of services and software provided by companies based in the United States - all US entities (whether they be global foundations like Mozilla, Tor exit node operators, non-profits or global corporations) are vulnerable to orders under Foreign Intelligence Surveillance Act (FISA) or USA PATRIOT Act via orders issued by the Foreign Intelligence Surveillance Court (FISC) or National Security Letters (NSLs)."
Note: I linked to PRISM-break last week, so I'm afraid I dropped the ball on this one.
Full text:
Amendments [...] on the proposal for a directive of the European Parliament and of the Council on attacks against information systems [...]
A draft report by Monika Hohlmeier.
From the 'Naked Security' post:
"The EU has drafted a new directive that includes harsher penalties for those convicted of hacking. The European Parliament last week approved a draft of the proposal and will vote on it in July."
Full text (PDF):
Opinion on [the EU cyber security strategy and the proposed cybersecurity directive]
A publication by the European Data Protection Supervisor (EDPS).
"76. [...] However, [the EDPS] regrets that the Strategy and the proposed Directive do not underline better the contribution of existing and forthcoming data protection law to security and fail to fully ensure that any obligations resulting from the proposed Directive or other elements of the Strategy are complementary with data protection obligations and do not overlap or contradict each other.
77. Furthermore, the EDPS notes that due to the lack of consideration and taking full account of other parallel Commission initiatives and ongoing legislative procedures, such as the Data Protection Reform and the proposed Regulation on electronic identification and trust services, the Cyber Security Strategy fails to provide a really comprehensive and holistic view of cyber security in the EU and risks to perpetuate a fragmented and compartmentalised approach. The EDPS also notes that the proposed Directive on NIS does not yet permit a comprehensive approach of security in the EU either and that the obligation set forth in data protection law is probably the most comprehensive network and security obligation under EU law. [...]
79. As to the Cyber Security Strategy, the EDPS underlines that: [a] clear definition of the terms 'cyber-resilience', 'cybercrime' and 'cyberdefence' is particularly important since these terms are used as a justification for certain special measures which could cause interference with fundamental rights, including the rights to privacy and data protection. However, the definitions of 'cybercrime' provided in the Strategy and in the Cybercrime Convention remain very broad. It would be advisable to have a clear and restrictive definition of 'cybercrime' rather than an overreaching one [...]"
Full text (PDF):
'Something bad might happen' - Lawyers, anonymization and risk
A blog post by Marion Oswald.
From the blog post:
"If you wanted to predict the future, who would you call upon? An economist; a statistician; Nate Silver? A lawyer might not be high on your list. Yet when faced with questions of individual privacy and data anonymization, this is what lawyers are being asked to do. This article aims to illustrate how this is the case and consequently why lawyers need help from statisticians and computer scientists."
Full text:
Employers and schools that demand account passwords and the future of cloud privacy
A blog post by Daniel Solove.
From the blog post:
"In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states. I thought that the practice of demanding passwords was so outrageous that it couldn't be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law. But Bradley Shear, an attorney who has focused extensively on the issue, opened my eyes to the fact that the practice is much more prevalent than I had imagined, and it is an issue that has very important implications as we move more of our personal data to the Cloud."
Full text:
What does Prism tell us about privacy protection?
An article by BBC News.
This story is getting overwhelming media attention at the moment, so it's hard to decide which sources to include. This article by the BBC gives an overview of what we knew by the middle of last week, and contains this handy timeline:
- 5 June: The Guardian reports that the National Security Agency (NSA) is collecting the telephone records of millions of US customers of Verizon, under a top-secret court order
- 6 June: The Guardian and the Washington Post report the NSA and the FBI are tapping into US internet companies to track online communication, in a scheme known as Prism
- 7 June: The Guardian reports President Obama has asked intelligence agencies to draw up a list of potential overseas targets for US cyber-attacks
- 7 June: President Obama defends the programmes, saying they are closely overseen by Congress and the courts
- 8 June: US director of national intelligence James Clapper calls the leaks 'literally gut-wrenching'
- 9 June: The Guardian names former CIA technical worker Edward Snowden as the source of the leaks
Full text:
A small sample of everything else that's been published on the subject:
Stop watching us
An initiative by 86 civil liberties groups and internet companies.
From the front page:
"The revelations about the National Security Agency's surveillance apparatus, if true, represent a stunning abuse of our basic rights. We demand the U.S. Congress reveal the full extent of the NSA's spying programs."
Full text:
PRISM Break
A project by Nylira.
From the front page:
"Stop reporting your online activities to the American government with these free alternatives to proprietary software."
Note: there has been criticism of this site.
Full text:
2013 Cost of data breach study - global analysis
Benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC.
From the Executive Summary:
"[...] this year’s study examines the costs incurred by 277 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the individuals we interviewed over a ten-month period in the companies that are represented in this research."
Full text (PDF):
McAfee threats report - first quarter 2013
A report by McAfee Labs.
From the introduction:
"McAfee Labs researchers have analyzed the threats of the first quarter of 2013 and recognized several familiar trends: steady growth in mobile malware and a rapid increase in general malware, including Facebook threat Koobface, AutoRun malware, and stealth malware that attacks the master boot record (MBR). Worldwide spam doubled during the quarter - as it makes a comeback after more than a year of decline. Narrowly targeted attacks focused on the financial sector, but one came with a twist. Our analysis of the Citadel Trojan shows that cybercriminals have found a way to turn this traditional bank-account threat into the broader theft of personal information from narrowly targeted victims in certain countries. Will the attackers use this data in the future?"
Full text (PDF, Perspagina.nl):
Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue
A publication by the Office of the High Commissioner for Human Rights.
From 'A. Updating and strengthening laws and legal standards':
"81. Communications surveillance should be regarded as a highly intrusive act that potentially interferes with the rights to freedom of expression and privacy and threatens the foundations of a democratic society. Legislation must stipulate that State surveillance of communications must only occur under the most exceptional circumstances and exclusively under the supervision of an independent judicial authority. Safeguards must be articulated in law relating to the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to authorize, carry out and supervise them, and the kind of remedy provided by the national law.
82. Individuals should have a legal right to be notified that they have been subjected to communications surveillance or that their communications data has been accessed by the State. Recognizing that advance or concurrent notification might jeopardize the effectiveness of the surveillance, individuals should nevertheless be notified once surveillance has been completed and have the possibility to seek redress in respect of the use of communications surveillance measures in their aftermath."
Full text (PDF linked from this page):
Transcripts from Bradley Manning's trial
A project by the Freedom of the Press Foundation.
From the front page:
"The US military has refused to release transcripts of Bradley Manning's trial. In addition, they've denied press passes to 270 out of the 350 media organizations that applied. Without public transcripts or a press pass, it's virtually impossible for media organizations to accurately cover the trial and for the public to know what the government is doing in its name. In response, Freedom of the Press Foundation has crowd-sourced funding to place a professional stenographer in the media room covering the trial. We will post full transcripts shortly after each day's proceedings end."
Full text (PDF files linked from this page):
Annual report 2012
A publication by the European Data Protection Supervisor (EDPS).
From '5.2.1. Data protection principles must work with new technologies':
"Since its infancy in the 1970s, the potential of automated data processing has been a driving force in society's efforts to protect the fundamental rights of individuals. Even in those days, when the power of mainframe computers was less than that of a smart phone today, the promoters of data protection were aware of the potential offered by technology to exercise control over individuals and to restrict personal freedoms. [...] Having overcome the technical limitations of the past we are faced with entirely new ways of processing, so it is all the more necessary to monitor and assess these technological developments to ensure their effectiveness in data protection."
Full text (PDF linked from this page):
Facebook costing 16-34s jobs in tough economic climate
A publication by OnDevice Research.
From the publication:
"We have just finished the third wave of our Young People's Consumer Confidence (YPCC) Index, which is designed to help businesses understand what young people (16-34) think about their current and future economic and employment prospects, in both developed and growth markets. The index which covers 6000 16-34 year olds across six countries revealed some surprising results."
Full text:
ESignature - Study on the supply side of EU e-signature market
A study report by Simona Cavallini, Fabio Bisogni, Doriano Gallozzi, Claudio Cozza and Claudia Aglietti.
From the Executive Summary:
"The adoption of [Directive 1999/93/EC on a Community framework for electronic signatures], and the consequent introduction of a legal framework with respect to the use of electronic signatures and related products and services, laid the basis for the development of a new market segment, with players on the supply-side addressing the demand of e-signature solutions. Within this context and in order to assess the way the market has developed over the years, Information Society and Media Directorate-General promoted a study carried out by FORMIT Foundation, aiming to carry out an analysis of the electronic signature market in the European Union and collecting qualitative and quantitative data about the main characteristics of stakeholders involved, with particular specific focus on the supply-side of the e-signature market."
Full text (PDF linked from this page):
The Canadian access to social media information project (CATSMI)
A project by Dr. Colin J. Bennett, Christopher Parsons and Adam Molnar.
From the 'About... Project' page:
"The main objective of the Project is to determine how the expectations of social networking websites and environments, whose raison d'etre is the facilitation of the sharing of personal information about and by users, can be reconciled with prevailing understandings about 'reasonable expectations of privacy' and the existing Canadian regimes that are designed to protect personal data. Organizations have to make decisions about the granularity and range of privacy choices to offer users. Are there significant variances between organizations' perspectives and policies on access to personal information by data subjects on the one hand, and those of government authorities on the other? Are data subjects meaningfully made aware of their own rights to access data, and the capabilities of authorities to access the same subjects' data?"
Full text:
Teens, social media, and privacy
A report by Mary Madden, Amanda Lenhart, Sandra Cortesi, Urs Gasser, Maeve Duggan, Aaron Smith and Meredith Beaton.
From 'Summary of Findings':
"Teens share a wide range of information about themselves on social media sites; indeed the sites themselves are designed to encourage the sharing of information and the expansion of networks. However, few teens embrace a fully public approach to social media. Instead, they take an array of steps to restrict and prune their profiles, and their patterns of reputation management on social media vary greatly according to their gender and network size."
Full text (PDF linked from this page):
Cyber security and fraud - The impact on small businesses
A report by the Federation of Small Businesses (FSB).
From the Executive Summary:
"Two thirds of businesses have acted in some way to prevent fraud. This includes 'regular installation of security patches' (36%), 'risk assessments' (20%) and 'staff training' (20%). Formal and written counter fraud policies and plans are less common. In terms of action to minimise online crime, four in five members have acted in some way including 'regular updates of virus scanning software' (59%), 'firewall' (47%) and, 'spam filtering software', (43%). Written formal information security plans and the introduction of information security standards are less common."
Full text (PDF):
National SME fraud segmentation 2012
A report by the Department for Business Innovation & Skills, the National Fraud Authority and the Home Office.
From the Executive summary:
"This document contains information on the market segments for small and medium sized enterprises (SMEs), based on attitudes and behaviours towards fraud and internet crime. 26 qualitative and 2,400 quantitative interviews were undertaken with key SME decision makers exploring how, when and why SMEs fall vulnerable to fraud and internet crime. Six distinct SME segments were identified based on an analysis of awareness of fraud, perceived risk and actual risk."
Full text (PDF):
Electric grid vulnerability - Industry responses reveal security gaps
A report written by the staff of Congressmen Edward J. Markey (D-MA) and Henry A. Waxman (D-CA).
From the Executive Summary:
"The electric grid is the target of numerous and daily cyber-attacks. More than a dozen utilities reported 'daily,' 'constant,' or 'frequent' attempted cyber-attacks ranging from phishing to malware infection to unfriendly probes. One utility reported that it was the target of approximately 10,000 attempted cyber-attacks each month. More than one public power provider reported being under a 'constant state of 'attack' from malware and entities seeking to gain access to internal systems.'"
Full text (PDF):
Anatomy of a hack - How crackers ransack passwords like "qeadzcwrsfxv1331"
An article by Dan Goodin.
From the article:
"In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do. Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered."
Full text (Ars Technica):