Rina Steenkamp - Privacy and technology
[Assessing cyber security export risks | Clubbing seals - Exploring the ecosystem of third-party security seals | FTC alleges debt brokers illegally exposed personal information of tens of thousands of consumers on the internet | Privacy and security developments 2014 Issue 1 | Opinion [on] device fingerprinting | Technical analysis of client identification mechanisms | PrivacyGrade - Grading the privacy of smartphone apps | Hacking the Street? Fin4 likely playing the market | CIGI-Ipsos Global survey on internet security and trust | Privacy detective - Detecting private information and collective privacy behavior in a large social network]
A publication by techUK.
From the Executive Summary:
"This guidance provides detailed background information and a framework to help companies develop their due diligence processes, enabling them to identify and manage human rights and national security risks associated with the export of security cyber products and services. [...] Most often cyber security capabilities are used only to defend networks or disrupt criminal activity. However, some cyber products and services can enable surveillance and espionage, or disrupt, deny and degrade online services. If used inappropriately by the end user they may pose a risk to human rights, to UK national security and to the reputation and legal standing of the exporter."
A paper by Tom van Goethem, Frank Piessens, Wouter Joosen and Nick Nikiforakis.
Abstract:
"In the current web of distrust, malware, and server compromises, convincing an online consumer that a website is secure can make the difference between a visitor and a buyer. Third-party security seals position themselves as a solution to this problem, where a trusted external company vouches for the security of a website, and communicates it to visitors through a security seal which the certified website can embed in its pages. In this paper, we explore the ecosystem of third-party security seals focusing on their security claims, in an attempt to quantify the difference between the advertised guarantees of security seals, and reality. Through a series of automated and manual experiments, we discover a real lack of thoroughness from the side of the seal providers, which results in obviously insecure websites being certified as secure. Next to the incomplete protection, we demonstrate how malware can trivially evade detection by seal providers and detail a series of attacks that are actually facilitated by seal providers. Among other things, we show how seals can give more credence to phishing attacks, and how the current architecture of third-party security seals can be used as a completely passive vulnerability oracle, allowing attackers to focus their energy on websites with known vulnerabilities."
A publication by the FTC.
From the press release:
"At the request of the Federal Trade Commission, a federal court has ordered two debt sellers that posted the sensitive personal information of more than 70,000 consumers online to notify the consumers and explain how they can protect themselves against identity theft and other fraud in light of the disclosures. In two separate cases, the FTC alleges the debt sellers posted consumers' bank account and credit card numbers, birth dates, contact information, employers' names, and information about debts the consumers allegedly owed on a public website. The complaints allege that the debt sellers exposed this sensitive information in the course of trying to sell portfolios of past-due payday loan, credit card, and other purported debt."
An article by Daniel Solove and Paul M. Schwartz.
From the article:
"We spend a lot of time staying up to date so we can update our casebooks and reference books, so we thought we would share with you some of the interesting news and resources we're finding. We plan to post a series of posts like this one throughout the year."
A publication by WP29.
From '1. Summary':
"Device fingerprinting presents serious data protection concerns for individuals. For example, a number of online services have proposed device fingerprinting as an alternative to HTTP cookies for the purpose of providing analytics or for tracking without the need for consent under Article 5(3). This demonstrates that the risks presented by device fingerprinting are not theoretical and research has shown that device fingerprinting is already being exploited. In this Opinion, the Article 29 Working Party (WP29) addresses the topic of device fingerprinting and the applicability of Article 5(3) of the ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136/EC, without prejudice to the provisions of the Data Protection Directive 95/46/EC. The key message of this Opinion is that Article 5(3) of the ePrivacy Directive is applicable to device fingerprinting."
An article by Artur Janc and Michal Zalewski (The Chromium Projects).
From the introduction:
"To guide us in improving the range of existing browser controls and to highlight the potential pitfalls when designing new web APIs, we decided to prepare a technical overview of known tracking and fingerprinting vectors available in the browser. After reviewing the known tracking and fingerprinting techniques, we also discuss potential directions for future work and summarize some of the challenges that browser and other software vendors would face trying to detect or prevent such behaviors on the Web."
A project by Carnegie Mellon University.
From the website:
"We're a team of researchers from Carnegie Mellon University. We have assigned privacy grades to Android apps based on some techniques we have developed to analyze their privacy-related behaviors."
A report by Barry Vengerik, Kristen Dennesen, Jordan Berry and Jonathan Wrolstad (FireEye).
From the introduction to the 'Key Findings':
"FireEye is currently tracking a group that targets the email accounts of individuals privy to the most confidential information of more than 100 companies. The group, which we call FIN4, appears to have a deep familiarity with business deals and corporate communications, and their effects on financial markets. Operating since at least mid-2013, FIN4 distinctly focuses on compromising the accounts of individuals who possess non-public information about merger and acquisition (M&A) deals and major market-moving announcements, particularly in the healthcare and pharmaceutical industries. FIN4 has targeted individuals such as top executives, legal counsel, outside consultants, and researchers, among others."
A survey by CIGI / Ipsos.
From 'Survey findings':
"60% of users have heard about Edward Snowden;
Of those aware of Edward Snowden, 39% have taken steps to protect their online privacy and security as a result of his revelations;
Compared to one year ago, 43% of users now avoid certain websites and applications and 39% now change their passwords regularly"
A paper by Aylin Caliskan-Islam, Jonathan Walsh and Rachel Greenstadt.
From the Abstract:
"Detecting the presence and amount of private information being shared in online media is the first step towards analyzing information revealing habits of users in social networks and a useful method for researchers to study aggregate privacy behavior. In this work, we aim to find out if text contains private content by using our novel learning based approach 'privacy detective' that combines topic modeling, named entity recognition, privacy ontology, sentiment analysis, and text normalization to represent privacy features. Privacy detective investigates a broader range of privacy concerns compared to previous approaches that focus on keyword searching or profile related properties. [...] Additionally, we show that a user's privacy level is correlated with her friends' privacy scores and also with the privacy scores of people mentioned in her text but not with the number of her followers. As such, privacy in social networks appears to be socially constructed, which can have great implications for privacy enhancing technologies and educational interventions."