Tag Archives: Privacy Shield

Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money, as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar, every time someone visits your site.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)
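For a site that currently answers only on port 80, the minimum fix is to serve the site over TLS and send every plain-HTTP request to the HTTPS version of the same URL. The nginx configuration below is an added example, not something from the original post or from Google or The Register: example.com, the web root and the certificate paths are placeholders, and the certificate paths assume the default layout that Let's Encrypt's client writes (Let's Encrypt issues certificates at no cost, which answers the "costs money" objection).

```nginx
# Added example (not from the original post): force HTTPS for example.com.
# example.com, /var/www paths and the certificate paths are placeholders.

# Port 80: keep only the ACME challenge path on plain HTTP (needed to issue
# and renew the certificate) and redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Permanent redirect; $host and $request_uri preserve the original URL.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the real site, TLS only.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Assumed Let's Encrypt layout; replace with your own certificate and key.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only modern protocol versions; let the client pick from the server's list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: returning browsers go straight to HTTPS for the next year
    # without ever making the redirectable plain-HTTP request.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;
    index index.html;
}
```

Test the redirect before the July 23 date: a request to http://example.com/ should come back as a 301 to https://example.com/, and only after confirming that every page loads cleanly over HTTPS (no mixed-content images or scripts, which would still trigger a browser warning) should the HSTS header be enabled, since browsers will honour it for the full max-age.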

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill its obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms that do business with the E.U. and transfer data between the E.U. and the U.S. have good reason to be worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration, the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)


Friday News for May 11th, 2018

Irish High Court Deals Blow to Facebook

In yet another case that could deal a blow to the way that Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay its “referral” to the European Court of Justice.  The case in question is a ruling about whether “Standard Contract Clauses” and the U.S. Privacy Shield provide sufficient protections for E.U. residents’ private data.  Facebook wants to appeal the decision to turn the question over to the ECJ to the Irish Supreme Court because the last place they want to be is at the ECJ – who ruled against them in their last privacy suit, the one that destroyed the predecessor to Privacy Shield, Safe Harbor (Source: Reuters).

Georgia Governor Vetoes Cybersecurity Bill

The Georgia legislature recently passed a cybersecurity bill that would have likely criminalized cybersecurity research and allowed so-called hack back attacks where victims can hack the hackers (what could possibly go wrong when security novices go after professional hackers?).  The law, written by lawyers, was so vague that it might have made reporting a vulnerability a crime.  Equally likely, the large cybersecurity firms with offices in Georgia would have left the state and security researchers at Georgia universities would have found more understanding states to do their research in.  Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high paying jobs, the governor did the expedient thing – he vetoed the bill and told the legislature to find someone who knows something about security before writing the next version (Source: CSO Online).

IBM Bans All Removable Storage

IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE from the company.  IBM’s Global Chief Information Security Officer made the announcement saying “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”  IBM isn’t saying “Why now?”, but likely someone screwed up big time.

That being said, it is relatively easy to technically implement this ban and, if done alongside a policy on the appropriate use of services like Dropbox, Box, OneDrive and others, it likely will reduce certain types of information leakage.

What is or should be your company’s policy?  (Source: Gizmodo)

Beware of those Browser Extensions

Social engineering is still a very popular way to get you to load malware.  Researchers are warning people of a campaign, said to have already infected a hundred thousand users, where people are lured to click on a link on social media which redirects them to a page that tells them that they have to install a plugin or browser extension to continue reading the page.  DON’T!  Once the software is invited in by the user, it steals passwords for a variety of accounts.  Other variants of this type of attack could, as other examples, empty your bank account when you log in to your bank or forward all of your email to the hacker.

If you think you need a plugin or browser extension to view a page and it is not already installed, independently find that extension and install it from the vendor’s site.  Make sure that the site is not one with a name similar to the real site (think App1e is not Apple, for example) that hackers have set up to fool you (Source: The Hacker News).

The Dangers Of Government Surveillance

The conversation often comes up about trusting the government with all of the data that they have of ours.  Some people say there is nothing to worry about if you didn’t do anything wrong.

And then reality creeps in.

Sheriff Cory Hutcheson of Mississippi County, MO, used a service sold by Securus Technologies that is used to record and track phone calls to and from prisoners.

Unfortunately, he used it to track calls of a judge and members of the State Highway Patrol.  This would allow him to track the location and obtain call data of these people.  And anyone else he wanted to.

Securus requires someone to upload a document authorizing the request and certify that the activity was legal – basically, pinky swearing.

When the sheriff was arrested and the media went to Securus to ask about their practices, they claimed that they weren’t judges or lawyers, so, basically, they just trust people.

Sometimes trust is good, but verifying is usually better.

How much of this activity goes on?  Who knows (Source: NY Times).

Section 702 Renewal Could Have Huge Negative Impact on Business

As I said in an earlier post, after 9-11 Congress passed some major new surveillance laws.  The idea was to increase surveillance in a move to try and find more terrorists.  Congress also wasn’t completely sold on the idea, so the law sunsets every few years and Congress has to renew it.  This is one of those renewal years.

But there is a wrinkle.  Congress is still not sold on the idea.  The law was set to expire at the end of December and rather than allowing it to lapse while they were on vacation, Congress renewed the law prior to leaving town.  Renewed that is, for four weeks.  The law is set to expire, again, next week.

There are several bills in various stages of approval that range from a permanent renewal with no restrictions to a limited renewal with restrictions.

Apparently one of the sticking points is something called “About” collection.  This was abandoned last year, but some of the bills in Congress now reincarnate it.  About collection, some say, is a back door to allow the FBI via the NSA to collect information ABOUT Americans without a warrant, using some sleight of hand saying the information was collected incidental to someone or something they were interested ABOUT.

Congress has 9 days to either figure it out or kick the can down the road.  Again.

But here is the negative business impact.

For U.S. companies that do business in Europe, many of them, especially smaller ones, need to be able to bring that data back to the United States.  Due to Europe’s much stricter privacy laws, they can’t do this unless they agree to offer E.U. citizens the same protections that they would get in Europe.  Enter Privacy Shield, son of Safe Harbor.  Privacy Shield is an agreement between the U.S. government and the E.U. government regarding what we will and will not do with respect to protecting E.U. citizens’ privacy.  About 2,400 U.S. companies currently follow the Privacy Shield agreement and more are in process.

But the E.U. lawmakers are not very fond of Section 702.  In fact, they have said so publicly, and they have threatened to go to E.U. court to have Privacy Shield declared null and void.

And that is exactly what will likely happen (and did happen to Safe Harbor) if the U.S. extends Section 702 as is.

I am not clear that some U.S. Senators and Congresspeople understand that; they would much rather deal in crisis.

So here is one possible outcome.  Congress renews Section 702 with no reforms, the E.U. goes to court and gets Privacy Shield declared unconstitutional and American businesses get to scramble to figure out how to continue to do business in Europe.  This is worth billions to U.S. businesses.

It probably won’t be that bad.  The court will probably give the U.S. 6-12 months to figure out a solution.  Then bureaucrats in the U.S. and E.U. will need to try and figure out how to deal with it and Congress may have to amend Section 702.

Alternatively, Congress could be proactive.  Not. Counting. On. That.

If you sell into Europe, you might want to contact your Congress-critters.

Otherwise, get some popcorn and watch the fun.

Information for this post came from The Hill.


Max Schrems’ Fight With Facebook – Next Chapter

Some of you probably remember when then Austrian law student Max Schrems started fighting a battle over privacy with Facebook.

Now probably neither you nor I would want to pick a fight with Facebook’s legal team, but Max, a law STUDENT, said, hey, what the heck.

That battle wound up at the CJEU – The Court of Justice of the European Union.  The CJEU, the equivalent of the U.S. Supreme Court, is the final legal arbiter of EU law.

In October 2015, the CJEU ruled in favor of Max.  Against Facebook.  And against the United States.  Safe Harbor, the agreement negotiated between the EU and the United States 15 years before to protect EU citizens’ data that was transferred by companies like Facebook from the EU to the US, was flushed down the toilet.

To replace that, the Commerce Department under President Obama negotiated a replacement agreement called Privacy Shield and that has been in force for about a year.

One of the clauses in the Privacy Shield agreement says that it will be reviewed one year after it became effective.

Many people, Schrems included, said that Privacy Shield was just Safe Harbor with a bit of lipstick on it.  Not even a lot of lipstick.

An alternative to Safe Harbor was something called Standard Contract Clauses.  These legal terms were written by the EU and when included in end user agreements VERBATIM, provided pre-approved permission to move data from the EU to the US because these clauses, supposedly, provided EU citizens with protection regarding their data.

Schrems, being the thorn in Facebook’s backside that he is, decided that these standard contract clauses didn’t really protect his data, so he went to the Irish Data Protection Commissioner and ultimately the Irish High Court and asked them to rule on Standard Contract Clauses.

Well that High Court decision is in and Facebook (and many other US companies that want to be able to move data back and forth between Europe and the US) is not happy.  The Irish High Court agreed to ask the CJEU – the same folks that invalidated Safe Harbor – to rule on Standard Contract Clauses.

While we have no idea what the final ruling will be, Facebook and others, including the US government, have a very different interpretation of a person’s expectations of privacy.  In general, US privacy rules are much looser than EU privacy rules and penalties are almost non-existent.  Under a new law going into effect mid-next year called the General Data Protection Regulation (GDPR), Facebook could be fined up to 4% of its global annual revenue for a privacy breach.  For Facebook, with revenue of $27 billion last year, that means that they could be fined UP TO a billion dollars.  That is why they are fighting so hard to keep these known rules in place.

The CJEU is the final stop.  There is no appeal from there.  Given that the CJEU ruled against Facebook two years ago, the odds of a ruling for Facebook this time are shaky – but we don’t know how it will turn out.

Schrems, on the other hand, is a pretty happy camper.

Stay tuned.  IF the CJEU rules in favor of Schrems, President Trump and the current administration will have to do some interesting dancing.

Alternatively, all data transfer between the EU and the US could be stopped unless the person whose data it is has EXPLICITLY approved that transfer.  That approval cannot be buried on page 27 of a terms of service agreement that no one reads.

STAY TUNED.  It could get interesting.

Information for this post came from Fortune.


US-EU Agree On New Data Privacy Rules But Hold The Champagne

UPDATE:  The EU Commissioner for Justice made statements just before the agreement was approved indicating that not everyone has signed up for this agreement.  Read Commissioner for Justice Vera Jourova’s comments here.

While the US and EU did not meet their targeted deadline of January 31st for coming up with a replacement for Safe Harbor, they sort of came close.  But, apparently, there are still a number of hurdles to jump through.

First, the US and the European Commission agreed on February 2nd to a new agreement called Privacy Shield to replace the 15+ year old Safe Harbor Agreement.  However, they don’t have the final say on the agreement.

A next step is to get the Article 29 Working Party to agree to the agreement.  WP29 is a group of all 28 EU nations’ Data Protection Authorities.  Their approval of this agreement is key to not having another court fight once this rule (if approved) goes into effect.  That is expected to take about 3 months.

Next, the Data Protection Authorities need to agree on what they are going to do in the meantime.  After the court struck down Safe Harbor, they agreed not to enforce the court ruling until January 31st so that the US and EU could come up with a replacement and so that they did not throw the thousands of businesses that used the Safe Harbor Agreement to transfer data between the US and EU into chaos.  That deadline has passed.  I speculate that they will extend the moratorium, but that is anyone’s guess.

And, there is always the court to contend with.  Max Schrems could always go back to the court and say that this new agreement does not solve the problem.

Finally, the agreement requires the US to do certain things and my understanding is that those would have to happen before the agreement could go into effect.  One requirement that WP29 has already said must happen is that the US must pass a law giving EU residents a right to sue in US court for breaches of any agreement.  A bill to that effect is winding its way through Congress, but has not been passed by both Houses, reconciled or signed by the President.

While the diplomats may have signaled success by agreeing to the terms that they did, getting the 28 Data Protection Authorities to agree that these protections are sufficient is another matter.

While I have not seen the actual agreement, reports are that it calls for:

  • Clear safeguards and transparency obligations on the part of US government access.  I think this could be a challenge.  While the US has given the EU written assurances that data access will be limited, whether the gang of 28 believes the US or not could be key to getting the agreement approved.
  • Stronger obligations for US data importers to protect EU citizens’ data.
  • EU citizens must have effective rights of redress.  This includes requirements for the data importer to set up processes, the Federal Trade Commission to create a process for handling EU citizen complaints – something it has never done – and for the Intelligence Community to set up an independent ombudsman to address complaints of inappropriate access.

Some of these may require Congressional action – or not.  In any case, what is clear is that this is not over yet and US companies should not breathe a sigh of relief.  It is, however, a sign that progress is being made.

Information for this post came from the Data Protection Report.
