Category Archives: Privacy

Australia Introduces Bill Requiring Tech Companies Worldwide to Include Encryption Back Doors in their Software

This could get interesting.  The Australian Telecommunications and other Legislation Amendment (Assistance and Access) Bill 2018 would require tech companies to decrypt communications on request and even require tech companies to build back doors into their software if they don’t already have them.

Of course, like other recent laws (think GDPR), the bill does not stop at Australia’s border and would, in theory, require companies worldwide to comply.  It is not clear what leverage Australia has against a company that does not have a legal entity in the country.

It is not clear how they would get Hamas or ISIS to obey their law, so while the law, if enacted, would weaken protections for law abiding citizens worldwide and would possibly allow them to intercept the communications of dumb terrorists, it will do nothing to protect us against smart terrorists – the ones we really need to be concerned about.

The bill defines a designated communications provider broadly: any foreign or domestic communications provider, device manufacturer, component manufacturer, application provider, traditional carrier or carriage service provider.

That means that everything from your email to a physical device that supports encryption is up for grabs.

In explaining the bill the government mentions companies like Facebook, Instagram, Signal, Telegram and even web site logins.

The bill calls for three levels of hacking to be provided on demand:

  1. Technical assistance request – this one is voluntary.  If a company wants to, it can cooperate.
  2. Technical assistance notice – this one requires a company to decrypt stuff that they have the technical ability to decrypt.
  3. Technical capability notice – this one requires the company to build a new back door into the security of their product and somehow secretly get the user to install the new hacked version of the software.  However, the bill says that this back door cannot remove encryption.  HUH?!

The first two are not a big deal.  The last one is a killer.

Australia’s Minister for Law Enforcement and Cyber Security said that this bill would allow law enforcement to access your data without compromising the security of the network.

The Minister did not want to go anywhere near the words encryption back door, but technically that is the only way to accomplish what they are asking for.  The Minister said that tech companies would be able to provide access without weakening security.  He didn’t suggest how this is possible.  It is not.

He said that “we are ensuring we don’t break the encryption systems of the company; so we are only asking them to do what they are capable of doing.”  Item 3 above tells companies to do what is not currently possible, so either he has not read the bill, doesn’t understand the bill or is lying.  Take your pick.   The Minister of Magic is convinced that he can do that without breaking the encryption of the technology companies.

On the other side, the tech companies like Apple, Facebook and Google danced around the conversation giving it a wide berth.  They do have a challenge since they don’t want to appear to support terrorists while, at the same time, they know what the government is asking is impossible without compromising the security and privacy of their customers worldwide.  If they give this capability to Australia, what is their justification for not giving it to China or Russia or any other country that asks?

The Australian Prime Minister, Malcolm Turnbull said “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”  Apparently, he thinks the laws of physics are optional in his country.

Currently, this is only a bill, so who knows what will happen, but if passed, companies will need to make some very uncomfortable decisions.

Since Australia is a small market, one option for bold companies would be to block the use of their services to residents of that continent.  Remember that there are fewer people in Australia than, say, in Canada or even in just the state of Texas, and a little more than half the population of California.  That being said, businesses rarely like to turn away customers, even if it means violating their core principles, so it will be interesting to see what companies like Apple choose to do.

Information for this post came from CNet.


HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon over its HIPAA compliance process.  The article was not favorable, but it was interesting.

The issue that they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After this person bought it, the vendor put a picture of it, with the lady’s name, birth date and medical condition on it in an ad on Amazon.  The customer found out about it when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into trouble over this incident, it is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because they are neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA type information on behalf of one or more covered entity.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iPhones, Android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state’s privacy laws.  This is likely because legislators are usually lawyers, and lawyers rarely understand tech, often don’t understand privacy, and think that your healthcare data is protected under HIPAA.  It is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your healthcare information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.


Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money: as of July 23, 2018, Google Chrome (starting with Chrome 68) is going to flag your site as NOT SECURE in the address bar, every time someone visits your site over plain HTTP.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to get a TLS certificate for your web site (Let’s Encrypt issues them for free), serve the site over HTTPS and redirect the plain HTTP address to it.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)
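A quick way to tell whether a site is ready for the Chrome 68 change is to make one plain http:// request without following redirects (a site that still answers 200 over HTTP is the one that gets the NOT SECURE label), then look at the HTTPS side for an HSTS header and the certificate’s remaining lifetime. The script below is an added example written for this post, not code from Google, The Register or anyone else; the sample responses and the hostname handling are constructed, and the status codes and header names are the standard HTTP ones.

```python
import http.client
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any real site). Header keys are
# lower-cased, which is how the helpers below expect them.
SAMPLE_REDIRECTING = (301, {"location": "https://example.com/", "content-length": "0"})
SAMPLE_PLAIN_HTTP = (200, {"content-type": "text/html; charset=utf-8"})
SAMPLE_HTTPS_HEADERS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}


def classify_http_response(status, headers):
    """How does the site answer a plain http:// request?

    'redirects-to-https' is what you want; 'serves-http' is what Chrome 68 labels
    "Not secure"; 'redirects-to-http' is a redirect that never leaves the clear.
    """
    location = headers.get("location", "")
    if status in (301, 302, 303, 307, 308) and location:
        scheme = urlsplit(location).scheme.lower()
        return "redirects-to-https" if scheme == "https" else "redirects-to-http"
    return "serves-http"


def hsts_max_age(headers):
    """max-age from a Strict-Transport-Security header, or None if absent or malformed."""
    value = headers.get("strict-transport-security")
    if not value:
        return None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def days_until_expiry(cert, now=None):
    """Days left on a certificate, given the dict ssl.SSLSocket.getpeercert() returns
    ('notAfter' looks like 'Jul 23 00:00:00 2018 GMT'). Negative means already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def check_site(hostname, timeout=5.0):
    """Live check over the network (not exercised by the offline test): one plain-HTTP
    request without following redirects, then one HTTPS request with full certificate
    verification to read HSTS and the certificate expiry."""
    plain = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        plain.request("GET", "/", headers={"Host": hostname})
        resp = plain.getresponse()
        http_verdict = classify_http_response(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    finally:
        plain.close()

    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    tls = http.client.HTTPSConnection(hostname, 443, context=ctx, timeout=timeout)
    try:
        tls.request("GET", "/", headers={"Host": hostname})
        resp = tls.getresponse()
        https_headers = {k.lower(): v for k, v in resp.getheaders()}
        cert = tls.sock.getpeercert()  # populated because the context verified the peer
    finally:
        tls.close()

    return {
        "http": http_verdict,
        "hsts_max_age": hsts_max_age(https_headers),
        "cert_days_left": days_until_expiry(cert),
    }


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1]))
```

Run it as `python check_https.py www.example.com` (hypothetical file name). A result of `serves-http` is the case the article is warning about; a certificate with only a few days left is the next thing that will put the warning back.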

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill its obligations under Privacy Shield (the successor to the Safe Harbor agreement the EU courts struck down in 2015) by September 1 of this year, Europe should suspend the deal.  This is in addition to the challenges to Privacy Shield that are currently going on in the EU court system.

Taken together, U.S. firms that do business in the E.U. AND transfer data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration, the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of FISA and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)


Do You Care If Someone Is Reading Your Email?

For some people, they don’t really care.  For other people, it is a complete invasion of privacy.

For both groups, it is happening every day.

Apps sometimes ask for permission to read your mail.  It could be to get rid of junk mail or clean your mailbox or many other reasons, but in all cases, you MUST give the app permission in order for it to read your mail.

What is sometimes not clear is that while YOU think that means that the app is reading your email, what the developer thinks is that HE/SHE can read your email.

When the app was installed eons ago, Google popped up a dialog box something like this:

You then clicked on the Allow box and the app started working its magic.

The Wall Street Journal reported earlier this week that, for example, employees of Edison Software read the mail of hundreds of users to build a new feature.   Return Path reportedly read the emails of thousands of users.

The developers say, its in the license agreement that I am sure that you read.  NOT!

Google says Not Our Fault!  You gave the app permission.

To see who you gave those permissions to and take them away, follow these steps from Motherboard:

To see which apps you’ve given email permissions to, you can use Google’s Security Checkup for Gmail. To remove these permissions, go to your Google account settings, select “sign-in and security,” navigate to “apps with account access,” click “manage apps,” and then click on your linked apps and hit “remove access.” (Go to the bottom of the post linked at the end of this blog for step-by-step screenshots illustrating how to do this.)

But this really raises a larger question.

Think about all the apps that you have installed on your iPhone or Android phone (or the two people on the planet that are still running Windows phones).

Did you even think about the permissions that the app asked for when you installed it?  Or, if it asked for permissions when you first ran it?

Absent doing that, there is no telling what your apps are doing.  Reading your texts, tracking your location or who knows what else.

Of course, if you don’t care, then it’s not a problem.  Otherwise, you should look at the permissions that you have given the various apps that are installed.  And when you install a new app, consider whether you REALLY want that app or its developers to be reading your mail or tracking your location.

 

Information for this post came from Motherboard.


News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week, the Supremes said that the police should have gotten a search warrant before they asked for months’ worth of location data on a suspect.  The suspect in a robbery case was tracked by the police – over 12,000 location points over 127 days – to correlate robbery locations to the suspect’s location.   Chief Justice John Roberts wrote the opinion, basically saying that this is a search within the bounds of the 4th Amendment.  This is good news for privacy advocates, who say that the power of the government is not unbounded.  Source: CNet.

GDPR: One Month In

Not surprisingly, one month in and we have already seen the results of GDPR.

The UK Information Commissioner’s office says they have seen a sharp rise in both complaints and notifications.  In France, they have seen a 50% rise in complaints compared to last year.

Austria says that they have received 128 complaints and 500 questions, along with 59 breach notifications.  Compare that 59 to the number of notifications in the entire eight months before the law went into effect – effectively an 8x increase in the rate.

Still numbers in the hundreds and not in the millions means that people are not going crazy.  What we don’t have data on, yet, is how many people requested copies of their information or requested that their information be deleted. Source:  WARC

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis.  Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses)  is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points.

Now it appears that the data was exposed because of a lack of access controls on an Elasticsearch server hosted on Amazon’s cloud – the database was reachable over the Internet without authentication.

Given new privacy laws in place and coming into place, this type of breach MAY need to be disclosed.  So far, the company is being quiet about it.  Older privacy laws did not consider things like your kids’ names, ages and genders private.  Newer ones are starting to, hence the requirement for disclosure, possibly.  Source: Wired
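The Exactis exposure is the plain “nobody checked what the listener was open to” failure, and it is cheap to check for in your own environment. The script below is an added example written for this post, not Exactis’s configuration or code from Amazon; it scans two things, an Amazon Elasticsearch domain access policy for Allow statements with a wildcard principal and no effective source-IP restriction, and a self-hosted `elasticsearch.yml` for a `network.host` that binds non-loopback interfaces. The policies and config fragments are constructed samples; a real audit would feed in the output of `aws es describe-elasticsearch-domain-config` or the file from the server.

```python
import json
from ipaddress import ip_network

# Constructed sample policies (assumed examples, not any real domain's configuration).
# OPEN_POLICY is the shape that leaves a managed Elasticsearch domain open to everyone.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/example/*",
    }],
})
# Same wildcard principal, but usable only from one documentation-range network.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/example/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
})

# Constructed elasticsearch.yml fragments for the self-hosted case.
YML_EXPOSED = "cluster.name: prod\nnetwork.host: 0.0.0.0   # listen everywhere\nhttp.port: 9200\n"
YML_LOCAL = "cluster.name: prod\nnetwork.host: 127.0.0.1\n"


def _principal_is_wildcard(principal):
    """True for Principal "*" or any {"AWS": "*"} / {"AWS": [..., "*"]} form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def _source_ip_ranges(statement):
    """The aws:SourceIp values of an IpAddress condition, always as a list."""
    ranges = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
    return [ranges] if isinstance(ranges, str) else list(ranges)


def find_open_statements(policy_json):
    """Return (statement index, reason) for every Allow statement that a stranger on
    the Internet could satisfy: wildcard principal with no source-IP condition, or a
    source-IP condition whose prefix length is 0 (0.0.0.0/0 or ::/0)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(statement.get("Principal")):
            continue
        ranges = _source_ip_ranges(statement)
        if not ranges:
            findings.append((index, "wildcard principal with no aws:SourceIp condition"))
            continue
        for cidr in ranges:
            if ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((index, f"aws:SourceIp {cidr} allows every address"))
    return findings


def yml_listens_on_all_interfaces(yml_text):
    """Line scan of elasticsearch.yml for a scalar network.host (list values are not
    handled; assumption of this example). True if the node binds non-loopback
    interfaces, which without an authenticating proxy in front means port 9200 is
    open to whoever can route to the host."""
    exposed_values = {"0.0.0.0", "::", "_global_", "_site_"}
    for line in yml_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("network.host:"):
            value = line.split(":", 1)[1].strip().strip("'\"")
            return value in exposed_values
    return False


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, find_open_statements(policy))
    print("exposed yml:", yml_listens_on_all_interfaces(YML_EXPOSED))
```

The check is deliberately conservative: it only flags what is provably open to the whole Internet, so a policy that allows `0.0.0.0/0` for a single account principal is not reported, and neither is a `network.host` list such as `[_local_, _site_]`, which you would have to parse with a real YAML library.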

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices.  This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild and Equifax is likely doing most of these as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management.  It is actually surprising that a company of their size was not already doing all of these items and more.

The agreement does allow these states to take legal action if Equifax does not implement these controls.  Source: The New York Times


CA AB 375 – A Law That Will Change The Internet As We Know It

For those of you who do not have a life and hence follow the shenanigans of the legislative process in various states, today is a day that you will remember.

The California legislature was held hostage by real estate mogul Alastair Mactaggart.  Mactaggart spent $3 million of his own money (for him, seat cushion money) to get the California Consumer Privacy Act on the ballot.

Here is the hostage part.

The ballot initiative would have built into the California Constitution consumer privacy protections similar to what just went into effect in Europe with the General Data Protection Regulation or GDPR.  Businesses were geared up to fight the initiative, planning to spend $100 million on it.  Mactaggart could have raised that much from his close friends, so there was going to be a battle.

Of course, no one knows if the ballot initiative would have passed, but if it did, it would have been impossible to change without another ballot initiative.

The alternative was for the legislature to pass a law, Assembly bill 375, that would mimic the major features of the ballot initiative, but would have been much more easily amended if there were unforeseen consequences.

TODAY was the deadline for pulling the ballot initiative.

So the legislature made a bargain from hell.  They passed the bill, Governor Brown signed it, but the bill has a poison pill in it.  If the ballot initiative isn’t pulled, the law is null and void.  Mactaggart agreed to pull the initiative if the bill was passed and signed.  He did pull the initiative today.

So tech companies get a law that has more wiggle room than the initiative would have had, but way less flexibility than what they can do today.

AND, unless they plan on having two Internets, one for California and one for the rest of the country, the change will affect everyone.

The bill was a work in progress up until the time it was voted on – we have seen that in Congress many times, so that should not surprise anyone.  Now that it has been signed into law, people will start dissecting it.  Without regard to the nuances, here is what the San Jose Mercury News says about it.

First, the bill does not take effect until 2020, which is probably a good thing.

Like the GDPR, the law will allow consumers to know what data is collected on them, opt out of collection and hold companies accountable for data breaches.

When California passed the landmark privacy law SB 1386 in 2003, everyone thought they were crazy, and maybe they were, but 1386 is the basis of every privacy law in the United States.

CA AB 375 may do that again – leading the way.  The saying goes, “As goes California, so goes the rest of the country”.

The passing of this bill came right on the heels of the Exactis data breach of 340 MILLION people and businesses, so the California tech companies were playing Russian roulette with at least 4 bullets.  In light of this breach, would California voters enshrine a much more aggressive law into the Constitution?

One part of the bill that companies who do business in California are breathing a sigh of relief over is the right to sue.  Under AB 375 you and I can sue a company for a breach – something that does not exist today – but under the ballot initiative, we could have sued if they violated any part of the law.  Still, the threat of 30 million Californians suing you over a data breach should get the attention of most Board members.

In exchange for limiting the right to sue, residents can ask for what information companies have on them, twice a year, for free.  It also gives people the right to delete it.

For kids under 16, companies must get an opt-in to collect their data in the first place.

Google and Facebook want to change the law already, but I assume that if they stray too far, Mactaggart will dust off the initiative, which by then will probably seem to many Californians like a tweak, and the odds of passing a new initiative are greatly increased.

After today, Californians will expect this to be the new norm.

Facebook and Google’s trade group said that they want to change it so that Californians get all the benefits and opportunities consumers expect.  One of the benefits many consumers expect is a tiny little bit of privacy.  One of the benefits that Facebook and Google want is to sell every little thing that they can find out about you.

A recent poll found that 73 percent of those polled think there should be more regulation of big tech companies, so I would say they (Facebook and Google and their friends) should be very careful about what they do or they may get something that they REEEEEALY don’t like – a new ballot initiative.

Professor Eric Goldman, Professor of Law at Santa Clara University School of Law, co-director of the school’s High Tech Law Institute and supervisor of the school’s Privacy Law Certificate writes an incredible blog.

Yesterday he wrote the longest blog post I have ever seen him write about this, at the time, bill.

I won’t even try to recreate the blog in this post, but a link to it is available at the end.

Professor Goldman calls the bill a privacy bomb.  Depending on which side you are on, it is either a good bomb or a bad bomb.

The bill creates what is now called the California Consumer Privacy Act of 2018, effective in 18 months on January 1, 2020.

Just like GDPR, businesses of all sizes would need to create a mechanism to respond to consumer requests for data, deletion requests and data sharing limitations.  Businesses can decline to delete information if they meet one of the several allowances.

It prohibits a third party (like Exactis, which was just breached) from selling personal data about a consumer unless the consumer has received explicit notice and has the right to opt out.  For businesses that are in the business of selling your data, this is a nightmare.

Just like GDPR, businesses have to provide a conspicuous link on their homepage for “Do Not Sell My Personal Information”.  Today, if there even is a way to do it, it is buried on page 22 of a privacy policy full of dense legalese.

The bill would prohibit discrimination against a consumer because they exercised their rights under the law.  Discrimination includes denying goods or services to the consumer, charging different prices, or providing a different level or quality of goods or services.

But there is a takeaway here.

They can charge a different price or different level of service if that difference is reasonably (are the lawyers paying attention) related to the value provided to the consumer by their data.  So, if Facebook can make say $5 a month per user by selling their data, they could say that if you don’t want us to sell your data, give us your credit card and we are going to charge you $5 a month.  Under that scenario they could not say that they want to charge you $25 a month.

Businesses are authorized to pay you to be allowed to sell your data (which somehow is different from charging you a different rate for not selling your data).  Consumers would have to opt in for that.

Like GDPR, businesses have to disclose a whole bunch of new information in their privacy policy.

Finally (this post is already way too long), the bill allows consumers to initiate a civil action and collect damages of between $100 and $750 per incident, or actual damages, whichever is GREATER, in case of a breach of unencrypted data.

Professor Goldman’s post has a lot of additional information, so please read it.

The bill does have an exemption for small businesses.  The law applies to businesses which meet ANY of these criteria:

  • More than $25 million in annual revenue -OR-
  • Derives more than 50% of its revenue from selling data -OR-
  • Buys, sells, shares for commercial purposes or receives for commercial purposes the information of 50,000 or more consumers, households or devices.  Spread over a year, that is only about 137 a day.

My guess is that the last item is the one that will catch most small businesses.

I will write more about this as the details become more solid. Professor Goldman wrote his blog based on a three day old version of the bill, so who knows what got added or deleted.

Information about the bill can be found on the Assembly’s web site, but as of tonight, the enrolled bill is not there.  Here is a link to the bill’s history.

Information for this post came from the San Jose Mercury News and Prof. Eric Goldman’s Privacy Blog.
