Rina Steenkamp - Privacy and technology
[The US [NSA] surveillance programmes (PRISM) and [FISA] activities and their impact on EU citizens' fundamental rights | Data broker giants hacked by ID theft service | Data and security breaches and cyber-security strategies in the EU and its international counterparts | Who commits virtual identity suicide? Differences in privacy concerns, internet addiction and personality between Facebook users and quitters | OECD Guidelines governing the protection of privacy and transborder flow of personal data | Privacy in the digital economy - requiem or renaissance? | Why privacy pros need to look beyond "detective" practices and embrace technology | Diluted privacy law | Mobile security - from risk to revenue | Direct marketing | Submission [...] on the surveillance activities of the United States and certain European States' national security and "intelligence" agencies | Just delete me | 2013 Data breach investigations report | Anonymity, privacy, and security online | Privacy and big data - Making ends meet | U.S. spy network's successes, failures and objectives detailed in 'black budget' summary | Cookieless monster - Exploring the ecosystem of web-based device fingerprinting | Users get routed - Traffic correlation on Tor by realistic adversaries | Looking inside the (Drop) box | Head in the digital sand - How the Obama Administration's NTIA-led multistakeholder effort doesn't deliver its promised privacy Bill of Rights | [ACLU v. James R. Clapper et al] Declaration of professor Edward W. Felten | The next generation Communications Privacy Act | The FTC and the new common law of privacy | Who is the more active privacy enforcer - FTC or OCR? | [August 13 letter to Commissioner Viviane Reding] | An analysis of service provider transparency reports on government requests for data | Decision notice [Appellant: Scottish Borders Council, Respondent: The Information Commissioner] | Case of Nagla v. Latvia | UK ISP Sky Broadband says no need to fear SessionCam snooping]
A report by Caspar Bowden (European Parliament).
Abstract:
"In light of the recent PRISM-related revelations, this briefing note analyzes the impact of US surveillance programmes on European citizens' rights. The note explores the scope of surveillance that can be carried out under the US FISA Amendment Act 2008, and related practices of the US authorities which have very strong implications for EU data sovereignty and the protection of European citizens' rights."
Read more:
See also:
Media coverage:
A blog post by KrebsOnSecurity.
From the text:
"An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity."
Read more:
Media coverage:
A report by Mr Neil Robinson, Ms. Veronika Horvath, Prof Jonathan Cave, Dr Arnold P. Roosendaal and Dr Marieke Klaver (European Parliament).
Abstract:
"This long briefing provides an overview of the definition of security incidents and breaches and an analysis of their scale and trends. We summarise the current EU-level efforts to address network and information security, review some of the provisions of the Commission's 2013 proposals for a Network and Information Security Directive and offer recommendations. We have some potentially major concerns including the relationship of incident notification achieving the outcomes of the directive, potential for overlapping regulation and definitions of covered entities. We also suggest that it would be helpful to clarify what kind of incidents the Directive is aimed to address."
Read more:
Media coverage:
An article by Stefan Stieger, Christoph Burger, Manuel Bohn and Martin Voracek.
From the Abstract:
"Social networking sites such as Facebook attract millions of users by offering highly interactive social communications. Recently, a counter movement of users has formed, deciding to leave social networks by quitting their accounts (i.e., virtual identity suicide). To investigate whether Facebook quitters (n=310) differ from Facebook users (n=321), we examined privacy concerns, Internet addiction scores, and personality."
Read more:
Media coverage:
Revised guidelines by OECD.
From the introduction to the supplementary explanatory memorandum:
"In 1980, the OECD adopted the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data ('1980 Guidelines') to address concerns arising from the increased use of personal data and the risk to global economies resulting from restrictions to the flow of information across borders. The 1980 Guidelines, which contained the first internationally agreed-upon set of privacy principles, have influenced legislation and policy in OECD Member countries and beyond. Framed in concise, technology-neutral language, they have proven remarkably adaptable to technological and societal changes. Nevertheless, changes in personal data usage, as well as new approaches to privacy protection, have left the 1980 Guidelines in need of updating in a number of important respects."
Read more:
Media coverage:
An essay on the future of privacy, by Gerald Santucci (The Privacy Surgeon).
From the essay:
"[...] the question is: do we want to live in a surveillance society that might ensure justice for all, yet privacy for none? Are we ready to live in a 'City of Control' or do we definitely cherish a 'City of Trust'? Would we accept a panopticon – a scenario in which the “few” see everything without ever being seen, while the 'many' are totally seen but never see who is watching them – or would we prefer an openspace/synopticon – a scenario in which individuals are fully empowered to define borders of their own personal space? Looking at these issues, it appears clearly that current approaches to data protection, primarily based on contractual agreements, are largely inadequate to address such asymmetries. We need new thinking and new concepts to structure an interdisciplinary discussion (including science, technology, law, politics, and business), and formulate approaches that ensure protection of personal data as well as innovation in service and policy development."
Read more:
See also:
A blog post by Nick Crown (Privacy Perspectives).
From the text:
"As privacy professionals, we have the opportunity to help companies restore balance in the personal data ecosystem by considering the business needs of our employers as well as those of the individual. Many companies are reluctant to institute transformative changes, yet these changes could create an environment in which individuals feel good about sharing more data. Reluctance may stem from the belief that if you give consumers more choice and control, you risk losing the data you have already collected. However, numerous research studies continue to prove this is wrong. In fact, history will show that those who hoard data will eventually lose the data. To give the individual control over the use of their data, our industry needs to look beyond static, 'detective' approaches to privacy practices. Privacy Impact Assessments, privacy awareness training and compliance auditing will always have a place, but we should embrace technology as an enabler of preventative privacy controls. And while technology cannot solve every privacy issue, it can get us closer to 'walking the walk' of the 'talk we talk' in privacy notices. I've outlined some pragmatic steps below that we believe will help companies to better provide transparency, choice and control to individuals regarding the collection, processing and transfer of their personal data."
Read more:
Paraphrased translation from Dutch of the inaugural lecture by prof. dr. Gerrit-Jan Zwenne.
From the English translation:
"The current privacy law applies to data about persons whose identity is known or may be known. In the new proposal, this law should also apply to data that singles out, or differentiates, one person from another, without their identity being known. This proposal is ambitious, and yes, perhaps even too ambitious. If the privacy law is to apply to all data which distinguishes one person from another, it will be hard to imagine a situation in which the privacy law will not apply. The criteria for use of the law will be so ill-defined (that is to say, the ability to single out one individual from another) that its scope will almost be unlimited. One could call this the watering down or dilution of the privacy law."
Read more:
A report by KPMG.
From the Foreword:
"[...] the widespread adoption of mobile services, coupled with some recent high-profile security mishaps, have focused the attention of both consumers and corporate users on the potential risk that mobile poses to their privacy and security. Industry research consistently shows that security and trust are two of the top barriers to mobile adoption and innovation. Clearly, telecom and technology companies – in partnership with their customers and corporate clients – will need to overcome these challenges quickly if mobile’s current trajectory is to be maintained. But, as we highlight in this report, mobile security also provides telecom and technology companies with a significant opportunity to leverage their core skills to generate new revenue."
Read more:
Media coverage:
Guidance by the ICO.
From the Introduction:
"This guidance explains the DPA and PECR rules on direct marketing – with a focus on calls and texts to individuals – and how this affects lead generation and the use of marketing lists. It will help responsible organisations to keep within the law and maintain a good reputation with customers, and sets out what enforcement action the ICO can take against those who ignore the rules."
Read more:
See also:
Media coverage:
A publication by EDRi and FREE.
From the document:
"12. The ultimate aim should be for both the US and the European legal systems to offer high-level privacy/data protection to 'everyone', in line with the established European minimum standards [...], that are also in line with UN standards [...]; and for those standards to be adhered to in practice by the USA, all European States, and the EU, whether acting independently or jointly. To this end, we demand urgent action from both the US and the European institutions."
Full text (PDF):
See also:
A website by Robb Lewis and Ed Poole.
From the front page:
"Many companies use dark pattern techniques to make it difficult to find how to delete your account. JustDelete.me aims to be a directory of urls to enable you to easily delete your account from web services."
Full text:
See also:
A report by Verizon.
From the Introduction:
"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity. The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world."
Full text (PDF linked from this page):
See also:
A Pew Internet report by Lee Rainie, Sara Kiesler, Ruogu Kang and Mary Madden.
Front page summary:
"86% of adult internet users have taken steps from time to time to avoid surveillance by other people or organizations when they were using the internet. Despite their precautions, 21% of online adults have had an email or social media account hijacked and 11% have had vital information like Social Security numbers, bank account data, or credit cards stolen - and growing numbers worry about the amount of personal information about them that is available online."
Full text (PDF linked from this page):
See also:
An SLR symposium issue by various authors (Stanford Law Review Online).
From the web page:
"Although the solutions to many modern economic and societal challenges may be found in better understanding data, the dramatic increase in the amount and variety of data collection poses serious concerns about infringements on privacy. In our 2013 Symposium Issue, experts weigh in on these important questions at the intersection of big data and privacy."
Full text (contributions linked from this page):
See also:
An article by the Washington Post.
From the article:
"The $52.6 billion 'black budget' for fiscal 2013, obtained by The Washington Post from former intelligence contractor Edward Snowden, maps a bureaucratic and operational landscape that has never been subject to public scrutiny. Although the government has annually released its overall level of intelligence spending since 2007, it has not divulged how it uses the money or how it performs against the goals set by the president and Congress. The 178-page budget summary for the National Intelligence Program details the successes, failures and objectives of the 16 spy agencies that make up the U.S. intelligence community, which has 107,035 employees."
Full text:
See also:
A paper by Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens and Giovanni Vigna.
From the Abstract:
"In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers' implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features."
Full text (PDF):
See also:
A paper by Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr and Paul Syverson.
From the Abstract:
"We present the first analysis of the popular Tor anonymity network that indicates the security of typical users against reasonably realistic adversaries in the Tor network or in the underlying Internet. Our results show that Tor users are far more susceptible to compromise than indicated by prior work."
Full text (PDF):
See also:
A paper by Dhiru Kholia and Przemyslaw Wegrzyn.
Abstract:
"Dropbox is a cloud based file storage service used by more than 100 million users. In spite of its widespread popularity, we believe that Dropbox as a platform hasn't been analyzed extensively enough from a security standpoint. Also, the previous work on the security analysis of Dropbox has been heavily censored. Moreover, the existing Python bytecode reversing techniques are not enough for reversing hardened applications like Dropbox. This paper presents new and generic techniques, to reverse engineer frozen Python applications, which are not limited to just the Dropbox world. We describe a method to bypass Dropbox's two factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented. We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box. Finally, we describe the design and implementation of an open-source version of Dropbox client (and yes, it runs on ARM too)."
Full text (PDF linked from this page):
See also:
A report by Jeff Chester (Center for Digital Democracy).
From 'Executive Summary':
"Frustrated by the lack of candor on the part of industry stakeholders and the inability of the [National Telecommunications and Information Agency] to pursue an objective analysis of the state of mobile app data collection, [the Center for Digital Democracy] began its own inquiry into the mobile app marketplace. The report addresses 12 areas that required stakeholder scrutiny. They include mobile industry research initiatives; app monetization practices; mobile app “discoverability” techniques; mobile measurement techniques; real-time surveillance; cross-platform tracking and device identification; lack of candor by industry standards groups; mobile marketing's use of data for targeting; mobile real-time bidding & targeting; apps and sensitive data; the impact of mobile design on consumers; and issues raised by mobile tablets."
Full text (PDF linked from this page):
See also:
A declaration by Edward W. Felten.
From the text:
"1. The plaintiffs in this lawsuit have challenged what they term the 'mass call-tracking' program of the National Security Agency, and they have asked me to explain the sensitive nature of metadata, particularly when obtained in the aggregate. Below, I discuss how advances in technology and the proliferation of metadata-producing devices, such as phones, have produced rich metadata trails. Many details of our lives can be gleaned by examining those trails, which often yield information more easily than do the actual content of our communications. Superimposing our metadata trails onto the trails of everyone within our social group and those of everyone within our contacts’ social groups, paints a picture that can be startlingly detailed. 2. I emphasize that I do not in this declaration pass judgment on the use of metadata analysis in the abstract. It can be an extraordinarily valuable tool. But because it can also be an unexpectedly revealing one—especially when turned to the communications of virtually everyone in the country - I write in the hope that courts will appreciate its power and control its use appropriately."
Full text (PDF):
See also:
An article by Orin S. Kerr.
From the Abstract:
"In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and merely tinker with a few small aspects of the statute. This Article offers a thought experiment about what might happen if Congress repealed ECPA and enacted a new privacy statute to replace it."
Full text (SSRN):
See also:
An article by Daniel J. Solove and Woodrow Hartzog.
Abstract:
"One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies' privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort. In this article, we contend that the FTC's privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC's privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy 'common law' demonstrates that the FTC's privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, that extends far beyond privacy policies, and that involves a full suite of substantive rules that exist independently from a company's privacy representations."
Full text (SSRN):
See also:
A blog post by Robert Gellman (Concurring Opinions).
From the post:
"Those who follow FTC privacy activities are already aware of the hype that surrounds the FTC's enforcement actions. For years, American businesses and the Department of Commerce have loudly touted the FTC as a privacy enforcer equivalent to EU Data Protection Authorities. The Commission is routinely cited as providing the enforcement mechanism for commercial privacy self-regulatory activities, for the EU-US Safe Harbor Framework, and for the Department of Commerce sponsored Multistakeholder process. American business and the Commerce Department have exhausted themselves in international privacy forums promoting the virtues of FTC privacy enforcement. I want to put FTC privacy activities into a perspective by comparing the FTC with the Office of Civil Rights (OCR), Department of Health and Human Services. OCR enforces health privacy and security standards based on the Health Insurance Portability and Accountability Act (HIPAA)."
Full text:
A letter from the Article 29 Data Protection Working Party (WP29).
One of the points raised in the letter:
"One point that has been revealed is that data may only be accessed if they originate from non-US persons and are collected from sources within the US. The WP29 would however like to know when US authorities consider personal data to be inside the US, especially given the continuously increasing use of the internet for processing personal data, where much information currently is stored in the cloud, without knowing the exact location of the datasets, and following the global scale of backbone networks and their inherent capability to convey a wide range of communication services."
Full text (PDF):
See also:
A Hogan Lovells white paper by Christopher Wolf.
From 'Methodology':
"This White Paper analyzes government requests for information across several countries for at least a full year. We have used data from the transparency reports of Google Inc., Microsoft Corporation, Skype Communications S.A. (acquired by Microsoft in 2011), Twitter, Inc., and LinkedIn Corporation because they are the only such reports that provide data on government information requests across multiple countries. While some companies recently have obtained U.S. permission to disclose the aggregated number of national security and law-enforcement-related information requests they receive, they are authorized to release these numbers only in ranges of thousands of requests. Further, released reports do not include comparable figures for non-U.S. national security requests. Therefore, as these data do not enable meaningful statistical comparison across countries, they are outside the scope of this White Paper."
Full text (PDF linked from this page):
See also:
A decision notice by the First-tier Tribunal, General Regulatory Chamber, Information Rights.
From 'F. Was the contravention of a kind likely to cause substantial damage or substantial distress?':
"46. Having considered all the relevant circumstances we were not satisfied that the contravention in this case was of a kind likely to cause substantial damage or substantial distress. No doubt some breaches of the [seventh data protection principle - 'personal data must be securely kept'] in respect of some data might be of such a kind. In this case, it seems to us that the fact that the data processor was a specialist contractor with a history of 25-30 years of dealings with Scottish Borders carries weight. He was no fly by night. The council had good reason to trust the company. 47. Focussing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one. The overwhelmingly likely result of the summer 2011 arrangements, it seems to us was that the data processor would arrange for the files to be properly destroyed – to the extent that we would not describe any other outcome as likely."
Full text (PDF):
See also:
A judgment by the European Court of Human Rights.
From 'I. The circumstances of the case':
"6. The applicant, at the time of the material events, was working for the national television broadcaster ['LTV']. She was a producer, reporter and host of the weekly investigative news programme De facto, aired in prime time every Sunday night. 7. On 10 February 2010 the applicant received an e-mail from a person who called himself 'Neo', revealing that there were serious security flaws in a database maintained by the State Revenue Service ([...] 'the VID'). Allegedly, these flaws made it possible to access the data stored in the Electronic Declaration System ([...] 'the EDS') without breaching any security protocols. In support of his allegations, 'Neo' attached some examples of the data which he had downloaded in this manner (for example, salaries of LTV employees), the veracity of which the applicant could confirm. The applicant concluded that the data were genuine and that, most probably, there was a serious security flaw in the system. She then proceeded to inform the VID of a possible security breach. [...] 9. On 14 February 2010 the applicant, acting in her capacity as a journalist, announced during the broadcast of De facto that there had been a massive data leak from the EDS. She reported that the information concerned the income, tax payments and personal identity details of public officials, as well as private individuals and companies. 10. One week after the broadcast, 'Neo' started to publish data through his Twitter account concerning the salaries paid at various public institutions, at State and municipal levels; in some cases the names of the officials were included, and in others only the salaries were published. The information received wide media coverage. On 18 April 2010 he stopped publishing it. [...] 12. On 19 February 2010 the police went to LTV to take evidence from the applicant as a witness in the criminal proceedings. They asked for a transcript of the 14 February 2010 broadcast, as well as access to the e-mail correspondence with 'Neo'. The applicant declined to disclose the identity of her source or any information which could lead to its disclosure, referring to the right of non-disclosure as set forth in section 22 of the Law on Press and Other Mass Media. [...] 21. On 11 May 2010, from 9.34 to 10.30 p.m., the police conducted a search at the applicant's home. 22. According to the applicant, upon her return home that night a plain-clothes policeman approached her in the stairwell and, without identifying himself, physically prevented her from closing the doors. Only then did he present a search warrant and proceed to conduct the search together with two other officers. During the search the following data storage devices were seized: a personal laptop, an external hard drive, a memory card and four flash drives. According to the applicant, these devices contained a large body of her personal data as well as most of her work-related material."
Full text (PDF):
See also:
An article by Mark Jackson (ISP Preview).
From the article:
"The chances are good that you won't be familiar with SessionCam. It's essentially a powerful visitor tracking tool that allows websites to forensically monitor the activity of their readers, such as by recording key presses, mouse movements, mouse clicks, mobile gestures, scrolling and it can even replay the activity as a video. On the one hand such tools are excellent for improving customer service and identifying problems with how a website functions, so it would make sense for an ISP to be using it. But at the same time you wouldn't normally expect such services to be found tracking activity on payment detail pages or other similarly sensitive sections. But this is the reason why one of ISPreview.co.uk's readers raised their concerns with us and sure enough, after a little checking of our own, we found that JavaScript code for SessionCam.com's Client Integration v4.0 was indeed being used on the members-only My Sky pages and their 'Make a payment' page... among others."
Full text:
See also: