Rina Steenkamp - Privacy and technology
[Draft report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' fundamental rights and on transatlantic cooperation in Justice and Home Affairs | Military targeting based on cellphone location | In the matter of state surveillance | Handling ethical problems in counterterrorism - An inventory of methods to support ethical decisionmaking | Privacy engineering - proactively embedding privacy, by design | Judgment in Case C-466/12 - Nils Svensson and Others v Retriever Sverige AB | Framework for improving critical infrastructure cybersecurity | Unveiling 'Careto' - The Masked APT | Why we need to rethink how we view security | Sizing the EU app economy | Biometric identification and privacy | Consumer concerns about data privacy rising - What can business do? | Police will have 'backdoor' access to health records despite opt-out, says MP | Data protection in the European Union - the role of national data protection authorities | 2013 in review - revelations, tragedy and fighting back | 2013 Year in review | Cisco 2014 Annual security report | Security protocols and evidence - where many payment systems fail | Report on the telephone records program conducted under section 215 of the USA PATRIOT Act and on the operations of the Foreign Intelligence Surveillance Court | Access to data protection remedies in EU member states | Graduated response policy and the behavior of digital pirates - Evidence from the French three-strike (Hadopi) law | The value of online privacy | Big data and privacy - Making ends meet | The evolving legal framework regulating commercial data security standards | BakerHostetler 2013 year-end review of class actions (and what to expect in 2014) | Data classification for cloud readiness]
A draft report by Claude Moraes (European Parliament).
From 'Recommendations':
"[The European Parliament,] 19. Calls on the US authorities and the EU Member States to prohibit blanket mass surveillance activities and bulk processing of personal data; 20. Calls on certain EU Member States, including the UK, Germany, France, Sweden and the Netherlands, to revise where necessary their national legislation and practices governing the activities of intelligence services so as to ensure that they are in line with the standards of the European Convention on Human Rights and comply with their fundamental rights obligations as regards data protection, privacy and presumption of innocence; in particular, given the extensive media reports referring to mass surveillance in the UK, would emphasise that the current legal framework which is made up of a 'complex interaction' between three separate pieces of legislation - the Human Rights Act 1998, the Intelligence Services Act 1994 and the Regulation of Investigatory Powers Act 2000 – should be revised;"
Read more:
A blog post by Ryan Goodman and Derek Jinks (Just Security).
From the text:
"A recent news story by Glenn Greenwald and Jeremy Scahill details the use of NSA signals intelligence (SIGINT) – including cellphone and SIM card data – to locate and kill suspected militants in Afghanistan, Iraq, Pakistan, Somalia, and Yemen. It has long been public knowledge that US operations use mobile phone SIGINT in this way to carry out military strikes (since at least 2004)—and that so do our allies such as Canada (since at least 2004) and Israel (since at least 2003). So what’s new here? The key revelation in the Greenwald and Scahill story is that the United States may be increasingly dependent on such SIGINT and that this form of intelligence can have serious reliability problems in some situations–with the result that the wrong people may be killed."
Read more:
See also:
Advice by Jemima Stratford QC and Tim Johnston.
From the Introduction:
"We are asked to advise Tom Watson MP, Chair of the All Party Parliamentary Group on Drones, on the lawfulness of five possible scenarios concerning state surveillance in the United Kingdom. [...] The five scenarios are necessarily to some degree based on assumed facts. However, we have been referred to a number of news reports arising out of the recent disclosures made by Edward Snowden, upon which the scenarios are based."
Read more:
See also:
A report by Anaïs Reding, Anke van Gorp, Kate Robertson, Agnieszska Walczak, Chris Giacomantonio and Stijn Hoorens.
From the Executive Summary:
"Counterterrorism professionals routinely face decisions that appear to require trade-offs between moral values such as privacy, liberty and security, and broader human rights considerations. Given that ethics are integral to this field, it is essential that counterterrorism professionals are proficient at making these types of decision. However, there is no existing overview of the methods that may support ethical decision-making specifically aimed at counterterrorism practitioners. To address this gap, the Research and Documentation Centre (Wetenschappelijk Onderzoek- en Documentatiecentrum, WODC) of the Dutch Ministry of Security and Justice (Ministerie van Veiligheid en Justitie), on behalf of the National Coordinator for Counterterrorism and Security (Nationaal Coördinator Terrorismebestrijding en Veiligheid, NCTV), commissioned RAND Europe to develop an inventory of methods to support ethical decision-making for the counterterrorism field. The objective of this study is not to recommend which methods should be developed, strengthened or implemented in the Netherlands. Rather, the aim is to outline the methods that counterterrorism professionals could draw on to support their ethical decision-making process."
Read more:
A whitepaper by Ann Cavoukian, Ph.D., Stuart Shapiro, Ph.D. and R. Jason Cronk, Esq.
From 'I. Introduction':
"If Privacy by Design provides the 'what' to do, then privacy engineering provides the 'how' to do it. [...] This paper is by no means exhaustive. A full treatment of privacy engineering would be voluminous. It begins with an introduction as to what privacy engineering entails, an acknowledgement that privacy is not strictly a technical concept (i.e. requires multidisciplinary considerations), and a look into how a privacy engineer approaches risks and risk analysis. Next, the broad classes of mitigating controls are considered. Finally, we briefly examine trade-offs; not between privacy and functional requirements, but rather against other considerations (costs, performance, etc.), and between the privacy implications of differing systems implementations."
Read more:
Judgement by the Court of Justice of the European Union.
From the text:
"16 It is thus apparent from that provision that the concept of communication to the public includes two cumulative criteria, namely, an 'act of communication' of a work and the communication of that work to a 'public' [...] 20 [...] the provision of clickable links to protected works must be considered to be 'making available' and, therefore, an 'act of communication' [...] 21 So far as concerns the second of the abovementioned criteria, that is, that the protected work must in fact be communicated to a 'public', it follows from Article 3(1) of Directive 2001/29 that, by the term 'public', that provision refers to an indeterminate number of potential recipients and implies, moreover, a fairly large number of persons [...] 22 An act of communication such as that made by the manager of a website by means of clickable links is aimed at all potential users of the site managed by that person, that is to say, an indeterminate and fairly large number of recipients. 23 In those circumstances, it must be held that the manager is making a communication to a public. 24 None the less, according to settled case-law, in order to be covered by the concept of ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29, a communication, such as that at issue in the main proceedings, concerning the same works as those covered by the initial communication and made, as in the case of the initial communication, on the Internet, and therefore by the same technical means, must also be directed at a new public, that is to say, at a public that was not taken into account by the copyright holders when they authorised the initial communication to the public [...]"
Read more:
See also:
A framework by the National Institute of Standards and Technology.
From the Executive Summary:
"The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. The Executive Order also requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. While processes and existing needs will differ, the Framework can assist organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program."
Read more:
See also:
A paper by Kaspersky Lab.
From '1. Executive Summary':
"The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. [...] More than 380 unique victims in 31 countries have been observed to date. What makes 'The Mask' special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS). [...] When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations. The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools."
Read more:
See also:
A blog post by John Hawes (Naked Security).
From the text:
"Looking back at the major security stories of the last few months, there's something of a pattern emerging. While many may seem to be down to a simple flaw in a single layer of security, on deeper examination most actually involve problems with multiple layers, and highlight the importance of an in-depth approach to security."
Read more:
See also:
A report by Mark Mulligan and David Card (GigaOm Research / European Commission).
From the Executive Summary:
"Apps running on mobile and social platforms have transformed the global gaming market and disrupted the order of the technology industry. The emerging platforms and business models like app stores and freemium pricing are rippling through — if not ripping apart — enterprise tech sectors. A few Nordic companies — including Rovio, King.com, and Supercell — are showing tremendous success from beyond Silicon Valley. But will the emerging app economy reboot a struggling Europe, jump-starting job growth and infusing European Union countries with startup energy? Signs are promising. This report focuses on sizing and qualifying the EU app ecosystem, with an eye toward revenue generation, jobs supported, and the bottlenecks still facing EU app developers."
Read more:
Comparative research prepared for the Centre for Law and Policy Research, India, by Oxford Pro Bono Publico.
From 'Summary of research':
"OPBP has been requested to prepare research on two questions:
a. Have biometric identification schemes in other countries been challenged on privacy grounds?
b. In jurisdictions that collect biometric data, what measures are in place to protect citizens' right to privacy?"
Read more:
See also:
A report by Gina Pingitore, Ph.D., Jay Meyers, Ph.D., Molly Clancy and Kristin Cavallero (J.D. Power).
Executive Summary:
"J.D. Power conducted a research study with SSI among consumers in the United States, China and India to evaluate concerns about data privacy and its ownership. Results of this research show that consumers' concerns about data privacy and ownership have increased across the past three decades and remain high. Moreover, results show that concern about personal privacy is an issue for consumers in all countries and across all age groups. To avoid a potential backlash, businesses need to provide transparent data privacy policies to build trust and brand loyalty among all of their customers."
Read more:
An article by Randeep Ramesh (The Guardian).
From the article:
"David Davis MP, a former shadow home secretary, told the Guardian he has established that police will be able to access the health records of patients when investigating serious crimes even if they had opted out of the new database, which will hold the entire population's medical data in a single repository for the first time from May. [...] Davis, who established the existence of these 'backdoors' in a parliamentary question answered by health services minister Dan Poulter, said he had 'no problems with the data being used for licensed medical research, but when we have police accessing from a database that people have opted out from, and companies being able to buy this data, I think we need to have a debate about whether my property, which are my patient records, can be sold and used'."
Read more:
Media coverage:
A report by the European Union Agency for Fundamental Rights.
From the Foreword:
"The fundamental rights architecture in the European Union has developed over time and continues to evolve. This report is one of four by the European Union Agency for Fundamental Rights (FRA) that looks at three closely related issues, and institutions, which contribute to the overarching architecture of fundamental rights in the European Union: namely, equality bodies, data protection authorities, and national human rights institutions (NHRIs). [...] The report at hand, on data protection authorities, is an analysis of their crucial role with respect to the fundamental right of data protection, and encompasses an assessment of their effectiveness, functioning and independence."
Note: this report was published in 2010 and may be outdated in places.
Read more:
Media coverage:
A series of blog posts by EFF.
From the blog post:
"When it comes to the fight for free expression and privacy in technology, 2013 changed everything. This was the year we received confirmation and disturbing details about the NSA programs that are sweeping up information on hundreds of millions of people in the United States and around the world. This set off a cascade of events, from EFF’s newest lawsuit against the NSA to protests in the streets to a United Nations resolution to Congressional bills both promising and terrifying. In December, a federal judge even found the surveillance likely unconstitutional, calling it 'almost-Orwellian.' It was also a year we lost a beloved friend and activist, Aaron Swartz. Aaron was a fellow freedom fighter working to bring the world access to knowledge. We’re still mourning his suicide, which was spurred in part by an aggressive prosecution under the vaguely worded and over-penalized Computer Fraud and Abuse Act (CFAA). In his memory, EFF and our friends at Demand Progress created a coalition to fight for reform of the CFAA."
Read more:
A series of blog posts on Data Privacy Monitor.
From the 'International privacy' post:
"Therein lies the two contrasts starkly evident within data privacy news in 2013: The attempts to direct and curb behavior at a government level that sometimes take years between passage and force [...] contrasted with the matter of weeks it took one individual to collect and disseminate tens of thousands of ostensibly extraordinarily sensitive documents. The concerted efforts within the EU to even propose a new standard law for data privacy again contrasted with the efforts of one individual to undermine years of U.S.-EU negotiation, diplomacy, and representations. 2013 was the year big data, concerns about data privacy, and one man proved Archimedes' assertion from ~250 BC; with at least 57,974 or so documents still awaiting release, 2014 should shape up to be even more interesting."
Read more:
A publication by Cisco.
From the Executive Summary:
"Using methods ranging from the socially engineered theft of passwords and credentials to stealthy, hide-in-plain-sight infiltrations that execute in minutes, malicious actors continue to exploit public trust to effect harmful consequences. However, the trust problem goes beyond criminals exploiting vulnerabilities or preying on users through social engineering: it undermines confidence in both public and private organizations. Today’s networks are facing two forms of trust erosion. One is a decline in customer confidence in the integrity of products. The other is mounting evidence that malicious actors are defeating trust mechanisms, thus calling into question the effectiveness of network and application assurance, authentication, and authorization architectures."
Read more:
Media coverage:
A paper by Steven J. Murdoch and Ross Anderson.
Abstract:
"As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol - the dominant card payment system worldwide - does not produce adequate evidence for resolving disputes. We propose five principles for designing systems to produce robust evidence. We apply these to other systems such as Bitcoin, electronic banking and phone payment apps. We finally propose specific modifications to EMV that could allow disputes to be resolved more efficiently and fairly."
Read more:
A report by the Privacy and Civil Liberties Oversight Board.
From the Executive Summary:
"Because telephone calling records can reveal intimate details about a person's life, particularly when aggregated with other information and subjected to sophisticated computer analysis, the government's collection of a person's entire telephone calling history has a significant and detrimental effect on individual privacy. The circumstances of a particular call can be highly suggestive of its content, such that the mere record of a call potentially offers a window into the caller's private affairs. Moreover, when the government collects all of a person's telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call. Beyond such individual privacy intrusions, permitting the government to routinely collect the calling records of the entire nation fundamentally shifts the balance of power between the state and its citizens. With its powers of compulsion and criminal prosecution, the government poses unique threats to privacy when it collects data on its own citizens. Government collection of personal information on such a massive scale also courts the ever-present danger of 'mission creep.' An even more compelling danger is that personal information collected by the government will be misused to harass, blackmail, or intimidate, or to single out for scrutiny particular individuals or groups. To be clear, the Board has seen no evidence suggesting that anything of the sort is occurring at the NSA and the agency's incidents of non-compliance with the rules approved by the FISC have generally involved unintentional misuse. Yet, while the danger of abuse may seem remote, given historical abuse of personal information by the government during the twentieth century, the risk is more than merely theoretical."
Read more:
See also:
Media coverage:
A report by the European Union Agency for Fundamental Rights.
From 'Opinions':
"Data protection authorities (DPAs), the main actors protecting data protection rights, play a crucial role in processing the overwhelming majority of data protection complaints. Further action is needed to ensure that access to DPAs is effective in practice. The independence of DPAs must be strengthened through a reform of EU legislation. They should have enhanced powers and competences, supported by adequate financial and human resources, including diverse and qualified professionals, such as trained information technology specialists and qualified lawyers. [...] To strengthen their authority and credibility, DPAs should play an important role in the enforcement of the data protection system, by having the power to either issue sanctions, including fines, or procedures that can lead to sanctions [...] Data protection authorities are encouraged to be more transparent, as well as to communicate effectively with the general public, providing necessary information and easing access to remedies in practice."
Read more:
Media coverage:
A paper by Michael A. Arnold, Eric Darmon, Sylvain Dejean and Thierry Pénard.
Abstract:
"Most developed countries have tried to restrain digital piracy by strengthening laws against copyright infringement. In 2009, France implemented the Hadopi law. Under this law individuals receive a warning the first two times they are detected illegally sharing content through peer to peer (P2P) networks. Legal action is only taken when a third violation is detected. We analyze the impact of this law on individual behavior. Our theoretical model of illegal behavior under a graduated response law predicts that the perceived probability of detection has no impact on the decision to initially engage in digital piracy, but may reduce the intensity of illegal file sharing by those who do pirate. We test the theory using survey data from French Internet users. Our econometric results indicate that the law has no substantial deterrent effect. In addition, we find evidence that individuals who are better informed about the law and piracy alternatives substitute away from monitored P2P networks and illegally access content through unmonitored channels."
Read more:
Media coverage:
A paper by Scott Savage and Donald M. Waldman.
Abstract:
"We estimate the value of online privacy with a differentiated products model of the demand for Smartphone apps. We study the apps market because it is typically necessary for the consumer to relinquish some personal information through “privacy permissions” to obtain the app and its benefits. Results show that the representative consumer is willing to make a one-time payment for each app of $2.28 to conceal their browser history, $4.05 to conceal their list of contacts, $1.19 to conceal their location, $1.75 to conceal their phone’s identification number, and $3.58 to conceal the contents of their text messages. The consumer is also willing to pay $2.12 to eliminate advertising. Valuations for concealing contact lists and text messages for “more experienced” consumers are also larger than those for “less experienced” consumers. Given the typical app in the marketplace has advertising, requires the consumer to reveal their location and their phone’s identification number, the benefit from consuming this app must be at least $5.06."
Read more:
Media coverage:
Essays by various authors, published by the Future of Privacy Forum / Stanford Law School Center for Internet and Society.
From the introduction:
"On Tuesday, September 10th, 2013, the Future of Privacy Forum joined with the Center for Internet and Society at Stanford Law School to present a full-day workshop on questions surrounding Big Data and privacy. The event was preceded by a call for papers discussing the legal, technological, social, and policy implications of Big Data. A selection of papers was published in a special issue of the Stanford Law Review Online and others were presented at the workshop. This volume collects these papers and others in a single collection. These essays address the following questions: Does Big Data present new challenges or is it simply the latest incarnation of the data regulation debate? Does Big Data create fundamentally novel opportunities that civil liberties concerns need to accommodate? Can de-identification sufficiently minimize privacy risks? What roles should fundamental data privacy concepts such as consent, context, and data minimization play in a Big Data world? What lessons can be applied from other fields?"
Read more:
An article by Bret Cohen (Maryland Bar Journal).
From the article:
"Late one evening in December 2010, an employee of a commercial blood bank left his office with four backup tapes to drive them to the company's corporate headquarters, just 13 miles away. According to reports, he temporarily parked his car and locked its doors, leaving the tapes inside. Shortly thereafter, he returned to find the car's window broken and various items missing, including the backup tapes, a company laptop, and an external hard drive. The unencrypted backup tapes contained customer names, contact information, Social Security numbers, credit card numbers, and checking account numbers. The laptop and external hard drive, also unencrypted, contained passwords and other information that could facilitate an intruder's access to the company's network. The employee immediately filed a police report. This was just the beginning of the company's data breach saga."
Read more:
A publication by BakerHostetler.
From 'B. Privacy':
"One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (CMIA), which provides that a person may recover $1,000 'nominal' damages against a healthcare provider who has negligently 'released' the person's medical information. Until recently, no California appellate court had directly analyzed what constitutes a 'release' of medical information under the CMIA. The court in The University of California v. Superior Court (Platter) addressed this question for the first time in 2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself. Instead, the court held, a plaintiff must be able to plead, and ultimately prove, that an unauthorized person actually accessed the plaintiff's medical information. The Platter decision will protect defendants from CMIA liability in instances in which a computer or other device is lost or stolen and never recovered but where there is no evidence to suggest that anyone ever looked at the information contained on the device after the loss or theft."
Read more:
A paper by Frank Simorjay (Microsoft Trustworthy Computing).
From the Introduction:
"Data classification has been used for decades to help large organizations such as Microsoft, governments, and military entities manage the integrity of their data. This paper provides readers with an introduction to the fundamentals of data classification and highlights its value, specifically in the context of cloud computing. Organizations that are assessing cloud computing for future use or organizations that are currently using cloud services and seeking ways to optimize data management will benefit most from this paper."
Read more: