Tag Archives: CCPA

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly ones) will buy or invest in small U.S. defense subcontractors and walk away with their technology.  In theory CFIUS review and FIRRMA (the Foreign Investment Risk Review Modernization Act) make that harder, since the government can block a buyout or investment it thinks will hurt national security, but first it has to know the deal is happening.  With Covid threatening the financial stability of many of these small companies, and making them cheap targets, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written in 1986, long before the web, but leave it to aggressive prosecutors and companies to use it in ways that were never intended.  The various federal courts can’t agree on how to interpret it.  The federal district court in DC has just ruled that using a web site with a legitimately obtained user account in a way that may violate the site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since roughly half of the federal courts have ruled each way on this question, it is likely to end up at the Supreme Court.  This matters both to web site operators and to security researchers, whose scraping and testing routinely brush up against terms of service.  Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact it does not, at least where audio and video are involved.  I am sure that now that it has come out that they misrepresented this on their web site, they will likely get sued.  If you think about it, the cloud recording feature gives it away: a service that can produce a plaintext recording of your call on its own servers must hold a key that decrypts the media, and that is exactly what end to end encryption is supposed to prevent.  What Zoom actually does is transport encryption: the media is encrypted between you and their data center (and again between their data center and the other participants), which is probably good enough for 99% of the planet.  It also means that Zoom, and anyone who can compel Zoom, law enforcement included, can listen in on your call.  Moral of the story: if you are doing something illegal, or classified, don’t discuss it on a public video (or audio) conference service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept
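The distinction between transport encryption and end to end encryption is easier to see in code than in marketing copy.  The following is an added illustration for this post, not Zoom’s code or anything from The Intercept’s reporting.  It models two conferencing servers: one where each client shares a session key with the server (what TLS gives you) and one where the two clients agree a key the server never sees.  The cipher and the Diffie-Hellman modulus are toy constructions assumed for the demo (HMAC-SHA256 keystream, modulus 2^127-1); a real system would use AES-GCM or SRTP and an authenticated X25519 exchange.

```python
import hashlib
import hmac
import secrets

# --- Toy cipher (constructed for this demo; real systems use AES-GCM / SRTP) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Toy construction, not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)                      # fresh nonce per message
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- Toy Diffie-Hellman so two clients can agree a key the server never sees ---
P = 2**127 - 1   # toy modulus assumed for the demo; use an RFC 3526 group or X25519 for real
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

# --- Model 1: transport encryption only (hop by hop) ---
class TransportEncryptedServer:
    """Each client shares a session key with the SERVER. The server must decrypt
    to route media, so cloud recording in the clear is trivially possible."""
    def __init__(self):
        self.session_keys = {}
        self.recording = []

    def join(self, name: str) -> bytes:
        key = secrets.token_bytes(32)                    # negotiated with the server, as in TLS
        self.session_keys[name] = key
        return key

    def relay(self, sender: str, blob: bytes) -> dict:
        plain = decrypt(self.session_keys[sender], blob)
        self.recording.append(plain)                     # server-side recording is plaintext
        return {peer: encrypt(key, plain)
                for peer, key in self.session_keys.items() if peer != sender}

# --- Model 2: end to end encryption ---
class E2EServer:
    """The server forwards opaque blobs. The only 'recording' it can make is ciphertext."""
    def __init__(self):
        self.recording = []

    def relay(self, sender: str, blob: bytes, peers: list) -> dict:
        self.recording.append(blob)
        return {peer: blob for peer in peers}

def transport_demo(message: bytes) -> dict:
    server = TransportEncryptedServer()
    alice_key = server.join("alice")
    bob_key = server.join("bob")
    delivered = server.relay("alice", encrypt(alice_key, message))
    return {"bob_got": decrypt(bob_key, delivered["bob"]),
            "server_recording": server.recording[0]}

def e2e_demo(message: bytes) -> dict:
    server = E2EServer()
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    # Public DH values may transit the server; the derived key does not.
    alice_key = dh_shared_key(alice_priv, bob_pub)
    bob_key = dh_shared_key(bob_priv, alice_pub)
    delivered = server.relay("alice", encrypt(alice_key, message), ["bob"])
    return {"bob_got": decrypt(bob_key, delivered["bob"]),
            "server_recording": server.recording[0]}

if __name__ == "__main__":
    msg = b"quarterly numbers, not for the public"
    t, e = transport_demo(msg), e2e_demo(msg)
    print("transport-only: server recording readable?", t["server_recording"] == msg)
    print("end-to-end:     server recording readable?", e["server_recording"] == msg)
```

Bob receives the message intact in both models; the difference is what the server is left holding.  One caveat the toy skips: the end to end server above could still substitute its own DH public values for Alice’s and Bob’s and sit in the middle, which is why real end to end systems also authenticate the exchange (safety numbers, key fingerprints, or signed prekeys).  Without that step, “the server can’t read it” is only true of a server that chooses not to.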

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification (and restriction) of how service providers may use information, and a minor clarification of the definition of financial incentives.   Law firm Reed Smith has published an assessment of the changes alongside the again-revised regulations.

What Does California’s New Privacy Law Mean to the Average Person

California’s new privacy law, CA AB 375 or the California Consumer Privacy Act (CCPA), along with its attendant amendments and rules, goes into effect next week.  As companies scurry around to meet the January 1, 2020 deadline, here is some information on what CCPA means to the average resident of California and elsewhere.

While CCPA is still a bit of a work in progress, the effective date is not moving, so here is where things stand.

Why is it important?

This is the first time anyone, anywhere in the United States, has had broad, general-purpose “rights” to their data, as opposed to the narrow sector-specific protections that came before.  Residents of the European Union have enjoyed rights to their data under GDPR for about 18 months, and the world has not ended.  In the United States, though, this is a new adventure.

What Data Does This Cover?

It covers all the things you would expect like drivers license numbers, bank account information and your Social Security number, but it also covers a lot of other information.  All biometrics are covered (like your iris scan, fingerprints and DNA).  Also your IP address and other identifiers used to track you on the Internet.  Even how you smell is covered.  Data extracted DIRECTLY from public government records is not covered.

Can I Tell Those Social Media Giants to Delete Me?

You can, but I guarantee that they are going to try to discourage you or fool you.  You don’t REALLY want us to delete your stuff; how about if we take your name off it, surely that is good enough.  But you can ask them to delete it and, subject to the law’s list of exceptions, they MUST do it.

What if they don’t do it?

The law allows for a $2,500 fine per violation, or $7,500 per violation if it is intentional.  But the catch is that those fines can only be levied by the Attorney General, and he doesn’t seem that keen to enforce it.  He is, however, a politician, so if there is political pressure, or if he thinks that attacking some company will help get him reelected, it is game over.  The law didn’t give him extra budget or people to enforce it.

What about if there is a breach?

That is a horse of a different color.  If there is a breach of unencrypted, unredacted personal information and it resulted from the business failing to maintain reasonable security, any affected California resident can sue (or be part of a class action) for statutory damages of $100 to $750 per person per incident, without having to show that they were actually damaged, or for their actual damages if those are higher.

Expect there to be a cottage industry of attorneys in California going after breached companies.

Also, this right cannot be waived, so those shrink wrap agreements that no one reads – the ones that ban class action participation or lawsuits vs. arbitration – when it comes to this, they can’t be enforced.

Can I still use Facebook if I tell them not to sell my data?

They might be able to strip down the service, but only to the extent that they can show how much your data is worth to them.  If they want to charge you instead, they also have to show how much your data is worth.  Optics being what they are, I doubt very many businesses want the negative PR.  They are just hoping that not very many people opt out.

What if I don’t live in California?

Technically you can’t take advantage of the law.  BUT, you can see what is in the CCPA documents – what data they are collecting and how they are using it, for example.

Also, some companies are offering CCPA coverage to all residents of the U.S.  Microsoft is one of those companies.  In that case, the companies are voluntarily giving you the same rights, even though the law doesn’t force them to.

There will likely be a lot more  information coming out, so stay informed.  This is likely a dawn of a new era.

Unless Congress passes a weak national privacy law which overrides stricter state laws.  Congress is talking about this, but it is a very sticky political subject so I am not counting on this.  Still, no one is safe while Congress is in session.  Source: CNet

Mactaggart Gets Ready to Launch New Ballot Initiative – CCPA 2

Alastair Mactaggart, who is pretty much single-handedly responsible for the California Consumer Privacy Act, is on the warpath again.

CCPA 2, another ballot initiative, would grant California residents new rights in their health and financial records and also their precise location.  It would require consumers to opt in to companies selling that data and would also allow them to block the use of that data for targeted ads.

It would also establish a California privacy agency since it seems that the current AG isn’t real excited about enforcing the current CCPA law.

It would create stronger penalties for violating this law with data on kids under 16 (California already has a stronger law than the feds do for kids called CalOPPA).

It would also require companies to explain how their algorithms work in certain cases like determining employment prospects.

Given that he was able to collect 600,000 signatures very quickly for CCPA and that he is willing to spend his own money for CCPA 2, I would watch what happens closely.

If he collects enough signatures, this will go on the ballot in  2020, with an effective date sometime after that.

Source: WaPo

The Times They Are A Changin – So Says GDPR

The EU’s high court, the Court of Justice of the European Union, ruled this week that web sites must obtain users’ active, opt-in consent before setting cookies that track them; a pre-ticked box does not count as consent.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, that some percentage will not do it.  That is why in the US, the best that you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany, where a local web site pre-checked the box that allowed it to set cookies on visitors’ devices.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a big fine.  Then they should uncheck the box.

I think this is a precursor to this happening in the US, starting with California’s privacy law AB375.  It is not clear what web sites will need to do about cookies because clearly a user can opt out of data sharing and depending on how cookies are used, that could be a problem.

I see a huge number of web sites that have a banner on the home page saying that they use cookies, where the only thing a user can click is OK, and the cookies are already set by the time the banner appears.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  Under GDPR, consent has to be a freely given affirmative act, and consent is not freely given if you condition access to the service on consenting to processing the service does not actually need; CCPA says that you have to give equal price and service whether or not users opt out of the sale of their data.  An OK-only banner satisfies neither.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico

Business Roundtable Lobbying Group Wants Weak National Privacy Law

O P I N I O N

50 Very Data Hungry CEOs (Out of About 30 Million) Try to Fool Congress into Letting Them Abuse Your Data

A group of big data CEOs wrote a letter to Congressional leaders requesting a federal privacy law which would usurp the states’ right to protect their consumers as they see fit.

A spokesperson for Facebook responded several months ago to a reporter’s question about a New York bill requiring companies to be a data fiduciary with the response that if the bill passed (it didn’t), Facebook might as well shut down in New York.  The spin doctors tried to walk that back the next day, but the reality is, if that law passed, it would require Facebook and companies like them to change their business models.

In fairness, it is difficult for companies to keep up with all the privacy laws (we help companies do that), but unless your business model requires selling your customers’ data to stay in business, complying is manageable, though it does take work.  Unfortunately, the Facebooks and Googles of the world have made things more complex for everyone else.

The state of data privacy is roughly where cybersecurity was after California’s landmark breach notification bill (CA SB 1386), enacted in 2002 and effective in 2003.  SB 1386 is the model that every other state drew from to enact their own breach laws.  Now CA AB 375 (the new California Consumer Privacy Act) has begun that process over again with privacy laws.

Even though they don’t say this, what they really want is for Congress to pass a law because they know that their lobbying billions will allow them to buy a very weak law that will nullify laws like the ones in California, New York, Nevada, Vermont and other states.

The longer Congress doesn’t act, the more states will pass strong privacy laws, because that is what consumers want, and the harder it will be to get votes at the national level to obliterate rights people already have.  Hence the urgency from these CEOs.

The California law allows people to sue businesses that have breaches, which would dramatically change the economics of lax security practices.  Right now, in federal court, you have to show a concrete, tangible injury to have standing to sue after a breach, and the defense some companies use is that there are so many breaches, how do you know your damage came from ours.  The California law removes that requirement: a consumer whose unencrypted data was exposed because the business failed to maintain reasonable security can collect statutory damages without proving tangible harm.  That alone scares the crap out of the Facebooks and Googles, and it should.

They are trying to pass this off as stopping consumers from being confused about their rights (like the right to tell Facebook not to sell your data – that is certainly confusing and hard to understand), but that is completely bull.  The 6 rights that the California law gives consumers are each spelled out in one sentence and are easy to understand. For example:

  • The right to know what data a company has and to get a copy of it
  • The right to request that my data be deleted subject to a list of exclusions
  • The right to stop a company from selling my data
  • The right to equal price and service even if I tell you not to sell my data

And a couple more rights.  These rights are easy to understand, and the real problem for CEOs like Amazon’s Jeff Bezos is that people will likely actually use them, which might force companies like Amazon to change their business models.

If companies are transparent about their data collection practices, then this is a pretty simple choice.  People can choose to do business with companies that want to sell their data.  Or not.

One thing that makes this conversation different than the conversation around security in 2003 is that places like Europe, Japan and a significant number of others have already given their consumers these rights, so the big data companies already have to deal with this.  No matter what happens in the US, this will happen in the rest of the world.

At that point, as we are already beginning to see, the lack of a strong national privacy law in the US makes it MORE difficult and MORE expensive for US companies to compete in the rest of the world.

In Europe, the first EU/US privacy agreement, Safe Harbor, was struck down by the EU courts as not protecting EU citizens’ rights.  That was replaced by Privacy Shield (which many people say was just Safe Harbor with lipstick) and Privacy Shield is being attacked in the EU courts.  We do not know the outcome of that court battle, but we will soon.  If the courts strike down or force substantial changes to Privacy Shield, that will make the arguments of these 50 CEOs even less intelligent.    Many companies have already decided that it is cheaper, simpler and better PR to have one set of consumer friendly privacy policies worldwide.

Stay tuned;  this will not end any time soon.

Source: C-Net.

NOTE:  This is likely a hot button topic for folks.  Please post your comments to this.  I promise to approve any comment that is moderately sane and rated PG or less.

Are You Ready for California’s New Privacy Law?

Security vendor ESET surveyed 625 business owners and executives to gauge their readiness for California’s new privacy law, which goes into effect on January 1, 2020.  What most businesses are missing is that Nevada’s version of the law goes into effect on October 1, 2019.  Most of the respondents were from small businesses, some of which are exempt from the law’s requirements.  Here are the results:

  • 44% had never heard of the law
  • 11% know whether the law applies to them or not
  • 34% say that they don’t know if the law will require them to change the way they collect and store data (it likely does)
  • 22% say they don’t care if they break the law (great if you can get away with that)
  • 35% say they don’t need to change anything to be in compliance (very unlikely)
  • 37% say that they are very confident that they will have the required security in place by January 1.  Another third say that they do not know if they will have security in place
  • Half said that they did not modify their behavior or processes to bring their businesses into compliance with GDPR (most likely because they don’t know what GDPR requires)

40% of the businesses said that they did not have anyone responsible for security or privacy in their company and another 18% said they didn’t know if they had someone.

9% said they are moving to avoid having to comply with CCPA, the new California law.  Those people need to understand that they will also need to block Californians from going to their web site and refuse to ship products or deliver services in California.  None of that is realistic for most businesses.

Given the law goes into effect in less than 6 months and Nevada’s version goes into effect in two months, this lack of knowledge is concerning.  However, attorneys, especially those that specialize in class action lawsuits, are thrilled.

There is one aspect of the law that should be a cause for concern for these businesses who think they understand the law – and likely do not.

Any California resident can sue any business subject to CCPA that suffers a breach of their unencrypted, unredacted personal information because the business failed to maintain reasonable security.

They do not have to show that they have been damaged to sue; the statute provides damages of $100 to $750 per consumer per incident.

At the top of that range, a breach of, say, 10,000 records, a tiny breach by today’s standards (the Capital One breach last week compromised 106 million people), would generate a potential lawsuit asking for $7,500,000.

Are you prepared for that?

A one million record breach – still small by today’s standards – translates to a $750 million lawsuit.

My suggestion to small businesses – think again about whether you are prepared.  If you need help, contact us.  Source: HelpNet Security.