Rina Steenkamp - Privacy and technology
[[Vote on the data protection package, October 21st] | General Data Protection Regulation in 10 points | Data Protection Regulation - Leaked compromises | Leaked EU Data Protection Directive | Improving critical infrastructure cybersecurity Executive Order 13636 - Preliminary cybersecurity framework | Leaving out notification requirements for data collection orders? | Experian sold consumer data to ID theft service | On the acceptance of privacy-preserving authentication technology - the curious case of national identity cards | LIBE committee inquiry on electronic mass surveillance of EU citizens | FPDetective - Dusting the web for fingerprints | Working document [...] providing guidance on obtaining consent for cookies | How the Bible and YouTube are fueling the next frontier of password cracking | Piercing through WhatsApp's encryption | Routes for breaching and protecting genetic privacy | Case of Delfi AS v. Estonia | Competitive analysis of the UK cyber security sector | Easily obtained subpoenas turn your personal information against you | Attacking Tor - how the NSA targets users' online anonymity | EPIC online guide to practical privacy tools | Anonymous in context - the politics and power behind the mask | Personality, gender and age in the language of social media - the open-vocabulary approach | Auditing security measures - An overview of schemes for auditing security measures | Warsaw declaration on the "appification" of society | Mobile medical applications - Guidance for industry and Food and Drug Administration staff | Children's online games - report and consultation | Protecting vulnerable data subjects - Findings from a survey of EU data protection officials on the use of cloud services in organisations | Inferring trip destinations from driving habits data | A study of Whois privacy and proxy service abuse]
Documentation for the October 21 vote of the European Parliament, Committee on Civil Liberties, Justice and Home Affairs.
From the press release:
"A major overhaul of current EU data protection rules, to put people in control of their personal data while at the same time making it easier for companies to move across Europe, was voted by the Civil Liberties Committee on Monday. Responding to mass surveillance cases, MEPs inserted stronger safeguards for data transfers to non-EU countries. They also inserted an explicit consent requirement, a right to erasure, and bigger fines for firms that break the rules. [...] The committee vote also sets out Parliament's mandate to start negotiations with national governments in the Council. Inter-institutional talks will start as soon as the Council agrees on its own negotiating position for both proposals (directive and regulation). Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections."
A press briefing by Jan Philipp Albrecht.
From the text:
"The proposal for a new data protection regulation aims at high data protection standards, which are better harmonised and fit for the internet age. According to the European Commission's proposal, companies could no longer have their main centre of operation in a country with weak data protection standards. Furthermore, the proposal foresees that EU data protection law is valid whenever the data of European residents is processed – whether within or outside of the EU."
A publication by EDRi.
From the HawkTalk blog post:
"Well I have just had a speed read of the leaked amendments that are being debated by the European Parliament today [...]. The general impression is that the Snowden revelations about the NSA have strengthened the Parliament's view on the provisions that relate to the protection of data subjects when there is data sharing with the authorities. I have also concluded that all that lobbying by corporate USA and Internet business has come to very little. They have very little to show for their efforts; I suspect courtesy of the NSA issues."
Leaked text published by Privacy International.
From the Privacy International blog post:
"While attention is focused on the general data protection Regulation, few have highlighted the fate of the Directive dealing with data protection by law enforcement authorities, which is also scheduled to be voted on this week. Privacy International has received leaked copies of the final amendments for the Directive [...]"
A publication by NIST.
From '1.0 Framework introduction':
"The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), 'Improving Critical Infrastructure Cybersecurity' on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework ('Framework') that provides a 'prioritized, flexible, repeatable, performance-based, and cost-effective approach' for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk."
A blog post by Jan-Jaap Oerlemans (Leiden Law Blog).
From the text:
"Each time you make a phone call with your mobile phone, the (i) date, (ii) time and (iii) duration of your phone call, as well as the (iv) numbers dialed and the (v) location of the antennas (or region (Cell ID)) your mobile phone connects to are retained by your telecommunication service provider. The data is retained in order to ensure the availability of the data for serious crime investigations by law enforcement authorities. The Dutch Minister of Safety and Justice believes that data collection orders from third parties only create 'minor infringements' to your right to privacy. Taking this into account, he reasons that the poorly enforced requirement that law enforcement authorities must notify individuals about data collection orders when reasonably possible, causes too much of an administrative burden and should therefore be abolished. [...] But ask yourself: do you know exactly what data is retained by telecommunication providers? And does data retention create only 'minor' privacy infringements? Is this a valid argument to get rid of the notification requirements?"
A blog post by Brian Krebs (Krebs on Security).
From the text:
"An identity theft service that sold Social Security and drivers license numbers - as well as bank account and credit card data on millions of Americans - purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity."
A paper by Marian Harbach, Sascha Fahl, Matthias Rieger, and Matthew Smith.
Abstract:
"Many attempts have been made to replace the ubiquitous username-and-password authentication scheme in order to improve user security, privacy and usability. However, none of the proposed methods have gained wide-spread user acceptance. In this paper, we examine the users' perceptions and concerns on using several alternative authentication methods on the Internet. We investigate the adoption of the new German national identity card, as it is the first eID-enabled card with dedicated features to enable privacy-preserving online authentication. Even though its large-scale roll-out was backed by a national government, adoption rates and acceptance are still low. We present results of three focus groups as well as interviews with service providers, showing that preserving privacy is just one of several factors relevant to the acceptance of novel authentication technologies by users as well as service providers."
Contribution of Peter Hustinx (EDPS).
From the text:
"The three most striking points that we know at this stage are (i) the scale of the monitoring that has been going on, (ii) the number of private actors, including well known internet giants, that have apparently been involved, either actively or passively, and (iii) the development of weaknesses and backdoors in encryption, with far reaching perverse effects and very great damage to the public trust. At this stage, there seems to be little doubt that we are facing an existential challenge to our fundamental rights and liberties. We must therefore be prepared to 'draw a line in the sand'."
A paper by Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens and Bart Preneel.
From the Abstract:
"In this paper, we report on the design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters. Instead of relying on information about known fingerprinters or third-party-tracking blacklists, FPDetective focuses on the detection of the fingerprinting itself. By applying our framework with a focus on font detection practices, we were able to conduct a large scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated. Moreover, we analyze two countermeasures that have been proposed to defend against fingerprinting and find weaknesses in them that might be exploited to bypass their protection. Finally, based on our findings, we discuss the current understanding of fingerprinting and how it is related to Personally Identifiable Information, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting."
A working document by the Article 29 Data Protection Working Party.
From the text:
"Although the ePrivacy Directive stipulates the need for consent for the storage of or access to cookies the practical implementations of the legal requirements vary among website operators across EU Member States. [...] Taking into account the different interpretations of the e-Privacy Directive among stakeholders and the respective practical implementations, the emerging question is: what implementation would be legally compliant for a website that operates across all EU Member States?"
An article by Dan Goodin (Ars Technica).
From the article:
"They started small. They took a single article from USA Today, isolated select phrases, and inputted them into their password crackers. Within a few weeks, they expanded their sources to include the entire contents of Wikipedia and the first 15,000 works of Project Gutenberg, which bills itself as the largest single collection of free electronic books. Almost immediately, hashes from Stratfor and other leaks that remained uncracked for months fell. One such password was 'crotalus atrox.' That's the scientific name for the western diamondback rattlesnake, and it ended up in their word list courtesy of this Wikipedia article. The success was something of an epiphany [...]"
A blog post by Thijs Alkemade.
From the Conclusion:
"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this except to stop using it until the developers can update it."
A draft paper by Yaniv Erlich and Arvind Narayanan.
Abstract:
"We are entering the era of ubiquitous genetic information for research, clinical care, and personal curiosity. Sharing these datasets is vital for rapid progress in understanding the genetic basis of human diseases. However, one growing concern is the ability to protect the genetic privacy of the data originators. Here, we technically map threats to genetic privacy and discuss potential mitigation strategies for privacy-preserving dissemination of genetic data."
Judgment by the European Court of Human Rights (ECHR).
From the blog post by Dan Cooper and Colin Warriner (Inside Privacy):
"Delfi AS owns one of Estonia's largest news websites. In January 2006, it published an article about changes to a ferry company's route that attracted many offensive and threatening comments about the ferry owner from users of the site. The ferry owner successfully sued Delfi for defamation, and the Estonian court awarded it 5,000 kroons (EUR 320). The Estonian Supreme Court dismissed Delfi's appeal in 2009, so Delfi went to the ECHR to complain that being held liable for its readers' comments violated its freedom of expression under Article 10 of the European Convention on Human Rights."
A study by Pierre Audoin Consultants (Department for Business, Innovation and Skills).
From 'This report':
"This report has been commissioned by BIS to map out the UK's cyber security industry, and capture its dynamics. [...] Within the broad IT sector, there are four major but inter-dependent trends that are reshaping the capabilities of technology and also restructuring the fundamental market dynamics of the industry. These trends are: cloud computing; mobility; social computing; and big data & analytics. These four key trends are driving growth in the IT sector, and their relationship with cyber security is fundamental. Each of these trends both impacts and is impacted by cyber security and that impact can be either positive or negative. Cyber security, then, is tied intrinsically to the shape of the overall IT market."
Investigative reporting by G.W. Schulz (CIR) and Daniel Zwerdling (NPR).
From the web page:
"Many Americans would be surprised by how easily local law enforcement, IRS investigators, the FBI and private attorneys can reach into the vast pool of personal information about their lives with little more than a subpoena, which no judge needs to review. And it's not just for selling you more products or services. It can be wielded against you."
An article by Bruce Schneier (The Guardian).
From the EFF blog post about the article:
"We've long suspected that the NSA, the world's premier spy agency, was pretty good at breaking into computers. But now, thanks to an article by security expert Bruce Schneier - who is working with the Guardian to go through the Snowden documents - we have a much more detailed view of how the NSA uses exploits in order to infect the computers of targeted users."
A web project by Epic.org.
From the accompanying blog post:
"The EPIC page includes a detailed listing of Internet Anonymizers, Proxy Servers, email encryption, secure Internet messaging, password vaults, antivirus programs, cookie cleaners, and more. Although EPIC does not endorse any particular product or service, EPIC strongly supports the widespread availability of privacy enhancing techniques."
A paper by Gabriella Coleman (CIGI).
From the Introduction:
"This paper is divided into three sections. The first provides a fairly straightforward narrative account of Anonymous from 2005 to 2012, honing in on major events and turning points in its constitution and evolution. This chronology is necessary given Anonymous' chameleon nature and the high degree of misinformation surrounding it. The second section briefly considers the core features of Anonymous, which shed light on its political significance. Section three focusses on the strengths and weaknesses of Anonymous as a protest movement."
A paper by H. Andrew Schwartz, Johannes C. Eichstaedt, Margaret L. Kern, Lukasz Dziurzynski, Stephanie M. Ramones et al.
From the Abstract:
"We analyzed 700 million words, phrases, and topic instances collected from the Facebook messages of 75,000 volunteers, who also took standard personality tests, and found striking variations in language with personality, gender, and age. In our open-vocabulary technique, the data itself drives a comprehensive exploration of language that distinguishes people, finding connections that are not captured with traditional closed-vocabulary word-category analyses."
A report by Dr. Marnix Dekker, Christoffer Karsberg, Matina Lakka and Dimitra Liveri (ENISA).
From the Executive Summary:
"This report deals with the issue of how to enforce an adequate level of security across a sector of service providers. By way of response, we give an overview of 12 different audit frameworks or certification schemes for auditing security measures, used in different settings and sectors, which are aimed at ensuring that providers comply with certain security requirements. [...] For each scheme we describe the overall setup and we depict the different entities and their roles in assessing or certifying compliance to the security requirements."
Declaration adopted by the 35th International conference of data protection and privacy commissioners.
From the text:
"During their 35th International Conference held on 23 and 24 September 2013 in Warsaw, the data protection and privacy commissioners discussed the “appification” of society, the challenges posed by the increased use of mobile apps, as well as possible ways to address these. [...] The commissioners expressed their clear commitment to ensure users are offered a better privacy experience and plan to address various actors in both the public and the private sector with regard to their roles and responsibilities."
A publication by the FDA.
From 'II. Background':
"As mobile platforms become more user friendly, computationally powerful, and readily available, innovators have begun to develop mobile apps of increasing complexity to leverage the portability mobile platforms can offer. Some of these new mobile apps are specifically targeted to assisting individuals in their own health and wellness management. Other mobile apps are targeted to healthcare providers as tools to improve and facilitate the delivery of patient care. [...] As is the case with traditional medical devices, certain mobile medical apps can pose potential risks to public health. Moreover, certain mobile medical apps may pose risks that are unique to the characteristics of the platform on which the mobile medical app is run. For example, the interpretation of radiological images on a mobile device could be adversely affected by the smaller screen size, lower contrast ratio, and uncontrolled ambient light of the mobile platform. FDA intends to take these risks into account in assessing the appropriate regulatory oversight for these products. This guidance clarifies and outlines the FDA's current thinking. The Agency will continue to evaluate the potential impact these technologies might have on improving health care, reducing potential medical mistakes, and protecting patients."
A publication by the Office of Fair Trading.
From the Introduction:
"In April 2013, the OFT announced the launch of an investigation into the ways in which online and app-based games encourage children to make purchases. We investigated whether there was general market compliance with consumer protection law [...] We explored whether online and app-based games included commercial practices that may be considered misleading, aggressive or otherwise unfair under that legislation. As part of the investigation, we scrutinised commercial practices in 38 web and app-based games that we considered were likely to appeal to children. The games we examined are produced by businesses in the UK, Europe and the rest of the world. We also received around 200 submissions in response to our call for information, approximately 160 of which were from parents, the rest mostly from industry stakeholders. We met several industry stakeholders – including individual businesses and trade associations – to discuss our concerns. In July 2013, we hosted a meeting with around 45 industry stakeholders to share an early draft of the proposed Principles contained in the Annexe to this report. We used feedback received at that meeting to refine and clarify the Principles. This report outlines the main issues we identified through our investigation and our proposed remedy: to produce a set of industry-wide Principles to make clear the OFT's views on businesses' obligations under consumer protection law and what they should do to avoid being the subject of targeted enforcement action."
A report by Jeff Gould (SafeGov.org).
From the Executive Summary:
"In this paper, we focus on the protection of children using modern commercial cloud services in schools, though we believe our approach is applicable for other public sector user populations. Our extensive survey research into the use of cloud services by schools in Europe and other regions of the world confirms that school authorities and parents clearly understand the powerful benefits that these technologies offer, while recognising the need for strong privacy safeguards. Our interviews with European data protection officials suggest that a consensus exists at least in broad outline that a regulatory approach based on codes of conduct can provide such safeguards."
A paper by Rinku Dewri, Prasad Annadata, Wisam Eltarjaman, and Ramakrishna Thurimella.
Abstract:
"The collection of driving habits data is gaining momentum as vehicle telematics based solutions become popular in consumer markets such as auto-insurance and driver assistance services. These solutions rely on driving features such as time of travel, speed, and braking to assess accident risk and driver safety. Given the privacy issues surrounding the geographic tracking of individuals, many solutions explicitly claim that the customer's GPS coordinates are not recorded. Although revealing driving habits can give us access to a number of innovative products, we believe that the disclosure of this data only offers a false sense of privacy. Using speed and time data from real world driving trips, we show that the destinations of trips may also be determined without having to record GPS coordinates. Based on this, we argue that customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risks."
A study by Dr Richard Clayton (NPL Management Ltd).
From the Executive Summary:
"This study is one of a series that seek to establish reliable evidence for various beliefs that are held about the operation of the Internet domain name 'Whois' system, which provides the public with information about the registrants of domain names. This particular study was originally proposed by ICANN in 2010, one of several that were to examine the impact of domain registrants using privacy services (where the name of a domain registrant is published, but contact details are kept private) and proxy services (where even the domain licensee's name is not made available on the public database). [...] The initial intention was to test the hypothesis: 'A significant percentage of the domain names used to conduct illegal or harmful Internet activities are registered via privacy or proxy services to obscure the perpetrator's identity'."