Tag Archives: Privacy Shield

Cybersecurity News for the Week Ending March 25, 2022

FCC Publishes Notice of Inquiry on Digital Redlining

The recently passed jobs act gave the FCC two years to adopt rules that will “facilitate equal access to broadband internet access service.” Congress says that these rules should prevent “digital discrimination … based on income level, race, ethnicity, color, religion, or national origin”. The FCC is asking, publicly, an awful lot of questions. Stay tuned for what happens next. Comments are due by May 16th. Credit: Wiley Law

EU and US Sign New Data Transfer Deal

The EU and US signed a deal to replace Privacy Shield today, in Brussels. We have not seen the details of the deal and Max Shrems, who killed the last two versions of the deal in court says his group will review it in detail for compliance with EU law, so this is not over yet, but it is a good sign for US businesses who are looking for some certainty when it comes to data transfers. Credit: Security Week

Hackers Unlock and Remote Start Honda Civics for $300 in Parts

Nobody told Honda that sending security information from the fob to the car unencrypted or sending the same information each and every time to unlock or start the car is a problem. If you are worried about your Honda being stolen, the only thing you can do is, well, not much. The article says you can put your key fob in Faraday bag, but reality is, that doesn’t help at all. Credit: The Register

Google Trains Employees to CC: Attorneys to Claim Privilege

In the face of the massive anti-trust lawsuit between the feds, 14 attorneys general and Google, the government is asking the judge to sanction Google for arbitrarily CC:ing lawyers on sketchy emails and ask for an opinion. Google’s attorneys understand this is a scam and don’t respond. Google even trains its employees to do this. We shall see what the judge decides. Credit: Ars Technica

US-EU Inching Closer to New Privacy Shield Agreement

The U.S. and the E.U. have been struggling for years over data flow of E.U. residents to the United States.

Curiously, their big complaint is that the NSA is a spy agency and they intercept communications. The way the E.U. constructed GDPR, their intelligence agencies are exempt from complying with the law – but ours are not.

This has caused some challenges in crafting an agreement that the E.U. courts find acceptable.

Agreement after agreement has gone down in flames. Safe Harbor. Privacy Shield. Now companies have resorted to Standard Contract Clauses, which are problematic at best.

But the E.U. and the U.S. keep plugging away at a new agreement.

In four years, the Trump administration did nothing the resolve the problem. In part, I suspect, it is because big tech arguably has the most to gain. But as a result of that, tens of thousands of small companies wound up as collateral damage.

In light of the renewed cooperation as a result of Russia’s invasion of Ukraine, the U.S. Chamber of Commerce is optimistic that an agreement will be reached soon, hopefully by the summer.

In addition to drawing a fine line between what the E.U. High Court wants and what the U.S. Constitution requires, negotiators also have to deal with E.U. standards on tech like for A.I. and data governance. These are much more restrictive than what the U.S. allows, which is pretty much the Wild West.

Still, there is reason for hope – stay tuned. Credit: Law 360

Top EU Court Says ‘National Security’ Does Not Override Everything Else

This is not a done deal yet, but it is a very interesting development and one, if it holds, that could have significant impact on a lot of countries, including the U.S.

Over the last few years, a number of countries have enacted laws that allow their intelligence apparatuses to override many privacy laws and hoover up vast quantities of data without any particular justification – just in case.   They say that they don’t know what they might need – until they do.  And, there is some justification to that story.  Some.  Justification.

The EU high court, technically called the Court of Justice of the European Union or ECJ can appoint an advocate to advise it on matters where they feel that is  justified.

In this case, Privacy International, a privacy rights organization, sued both the UK and France, saying that their respective laws that require businesses to hand over anything they ask for just because they say the magic words “national security”.

Specifically, this case says that the UK’s Investigatory Powers Act (also referred to as the Snooper’s Charter) and France’s Data Retention law go too far.

What happened yesterday is that the Advocate General advising the high court released his opinion.

The opinion says screaming terrorist is insufficient to violate people’s rights under the European Directive on privacy and electronic communications.

Very importantly, the ECJ has not handed down it’s opinion yet;  this is just the advise from the AG.  HOWEVER, the ECJ does agree with the AG about 80 percent of the time.

*IF* the ECJ does agree with the AG, that will mean several things:

  1. UK’s Snooper’s Charter is likely illegal under EU law and will need to be revised if the UK wants to enforce it in the EU.
  2. Likely France’s Data Retention law would violate EU law.
  3. For those of us in the U.S., it would likely mean that the U.S. government’s use of large scale data vacuum cleaners also does not comply with E.U. law.

The AG said that whatever the government does by itself is OK IF IT IS INTENDED TO SAFEGUARD NATIONAL SECURITY AND IS UNDERTAKEN BY THE PUBLIC AUTHORITIES THEMSELVES, WITHOUT REQUIRING THE COOPERATION OF PRIVATE INDIVIDUALS.  So, for example, they could intercept data on fiber optic Internet cables but they can’t ask AT&T to let them tap those cables (which they did) and cannot ask Google or Facebook to hand over their encryption keys.

What the AG is saying is that rather than vacuuming up terabytes of data per hour, that hoovering needs to be done “on an exceptional and temporary basis” and only when justified by “overriding considerations relating to threats to public security or national security”.

When the U.K. leaves the E.U. – maybe this month – it doesn’t have to be bound by E.U. law, but if it doesn’t agree to abide by E.U. law, then companies in the E.U. will not be able to send data to the U.K. and U.K. companies will not be able to collect any data of E.U. residents.

Probably more important for U.S. companies is this.

A few years ago, when the E.U.  started enacting privacy laws, they said that laws in the U.S. were not adequate to protect the privacy of E.U. citizens so data collected by U.S. companies could not be sent to the U.S.

In response to that, the U.S. and E.U. came up with this agreement called Safe Harbor which supposedly protected the privacy rights of E.U. residents.

Unfortunately, this same court ruled that Safe Harbor didn’t really protect the rights of E.U. citizens.  This threw U.S. businesses that suck large quantities of data out of the E.U. into a bit of a tailspin.

After Safe Harbor was struck down, the U.S. got out a large tube of lipstick and put it on Safe Harbor.  The new agreement was called Privacy Shield and it is under review by this same court right now.

If the ECJ agrees with the AG in this different case, it seems like a REALLY small step to say that Privacy Shield doesn’t hack it either, which would create tailspin 2.0.

That would require that the U.S. and E.U. try a third time to come up with something that the courts will hold as adequate.

Various authorities have gotten their respective countries to pass laws that say as long as they claim “national security” privacy laws do not apply.  Countries who have done this include the U.S., U.K. and Australia, three of the “five eyes” countries.

This battle is far from over, but this is a very interesting development.  Source: The Register

 

Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source:Gizomodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money, as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar, every time someone visits your site.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes it’s stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill it’s obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms doing business AND who transfer data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration,  the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)

 

Friday News for May 11th, 2018

Irish High Court Deals Blow to Facebook

In yet another case that could deal a blow to the way that Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay it’s “referral” to the European Court of Justice.  The case in question is a ruling about whether “Standard Contract Clauses” and the U.S. Privacy Shield provide sufficient protections for E.U. residents private data.  Facebook wants to appeal the decision to turn the question over to the ECJ to the Irish Supreme Court because the last place they want to be is at the ECJ – who ruled against them in their last privacy suit that destroyed the predecessor to Privacy Shield,  Safe Harbor (Source: Reuters).

Georgia Governor Vetos Cybersecurity Bill

The Georgia legislature recently passed a cybersecurity bill that would have likely criminalized cybersecurity research and allowed so-called hack back attacks where victims can hack the hackers (what could possibly go wrong when security novices go after professional hackers?).  The law, written by lawyers, was so vague that it might have made reporting a vulnerability a crime.  Equally likely, the large cybersecurity firms with offices in Georgia would have left the state and security researchers at Georgia Universities would have likely found more understanding states to do their research in.  Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high paying jobs, the governor did the expedient thing – he vetoed the bill and told the legislature to find someone who knows something about security before they wrote the next version (Source: CSO Online).

IBM Bans All Removable Storage

IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE from the company.  IBM’s Global Chief Information Security Officer made the announcement saying “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBM isn’t saying “Why now?” , but likely someone screwed up big time.

That being said, it is relatively easy to technically implement this ban and, if done along side a policy on the appropriate use of services like Dropbox, Box, One Drive and others, it likely will reduce the certain types of information leakage.

What is or should be your company’s policy?  (Source: Gizmodo)

Beware of those Browser Extensions

Social engineering is still a very popular way to get you to load malware.  Researchers are warning people of a campaign, said to have already infected a hundred thousand users, where people are lured to click on a link on social media which redirects them to a page that tells them that they have to install a plugin or browser extention to continue reading the page.  DON’T!  Once the software is invited in by the user,  it steals passwords for a variety of accounts.  Other variants of this type of attack could empty your bank account when you log in to your bank or forward all of your email to the hacker, as other examples.

If you think you need a plugin or browser extension to view a page and  it is not already installed, independently find that extension and install it from the vendor’s site.  Make sure that the site is not one with a name similar to the real site (think App1e is not Apple, for example) that hackers have set up to fool you (source: The Hacker News).

The Dangers Of Government Surveillance

The conversation often comes up about trusting the government with all of the data that they have of ours.   Some people say there is nothing to worry about if you didn’t do anything wrong.

And then reality creeps in.

Sheriff Cory Hutcheson of Mississippi County, MO, used a service sold by Securus Technologies that is used to record and track phone calls to and from prisoners,

Unfortunately, he used it to track calls of a Judge and members of the State Highway Patrol.  This would allow him to track the location and obtain call data of these people. And anyone else he wanted to.

Securus requires someone to upload a document authorizing the request and certify that the activity was legal – basically, pinky swearing.

When the sheriff was arrested and the media went to Securus to ask about their practices, they claimed that they weren’t judges or lawyers, so, basically, they just trust people.

Sometimes trust is good, but verifying usually better.

How much of this activity goes on – who knows (Source: NY Times)?

Section 702 Renewal Could Have Huge Negative Impact on Business

As I said in an earlier post, after 9-11 Congress passed some major new surveillance laws.  The idea was to increase surveillance in a move to try and find more terrorists.  Congress also wasn’t completely sold on the idea, so the law sunsets every few years and Congress has to renew it.  This is one of those renewal years.

But there is a wrinkle.  Congress is still not sold on the idea.  The law was set to expire at the end of December and rather than allowing it to lapse while they were on vacation, Congress renewed the law prior to leaving town.  Renewed that is, for four weeks.  The law is set to expire, again, next week.

There are several bills in various stages of approval that range from a permanent renewal with no restrictions to a limited renewal with restrictions.

Apparently one of the sticking points is something called “About” collection.  This was abandoned last year, but some of the bills in Congress now reincarnate it.  About collection, some say, is a back door to allow the FBI via the NSA to collect information ABOUT Americans without a warrant, using some slight of hand saying the information was collected incidental to someone or some thing they were interested ABOUT.

Congress has 9 days to either figure it out or kick the can down the road.  Again.

But here is the negative business impact.

For U.S. companies that do business in Europe, many of them, especially smaller ones, need to be able to bring that data back to the United States.  Due to Europe’s much stricter privacy laws, they can’t do this unless the agree to offer E.U. citizens the same protections that they would get in Europe.  Enter Privacy Shield, son of Safe Harbor.  Privacy shield is an agreement between the U.S. government and the E.U. government regarding what we will and will not do with respect to protecting E.U. citizen’s privacy.  About 2.400 U.S. companies currently follow the Privacy Shield agreement and more are in process.

But the E.U. lawmakers are not very fond of Section 702.  In fact, they have said so publicly.  In fact, they have threatened to go to E.U. court to have Privacy Shield declared null and void.

And that is exactly what will likely happen (and did happen to Safe Harbor) if the U.S. extends Section 702 as is.

I am not clear that some U.S. Senators and Congresspeople understand that;  they would much rather deal in crisis.

So here is one possible outcome.  Congress renews Section 702 with no reforms, the E.U. goes to court and gets Privacy Shield declared unconstitutional and American businesses get to scramble to figure out how to continue to do business in Europe.  This is worth billions to U.S. businesses.

It probably won’t be that bad.  The court will probably give the U.S. 6-12 months to figure out a solution.  Then bureaucrats in the U.S. and E.U. will need to try and figure out how to deal with it and Congress may have to amend Section 702.

Alternatively, Congress could be proactive.  Not. Counting. On, That.

If you sell into Europe, you might want to contact your Congress-critters.

Otherwise, get some popcorn and watch the fun.

Information for this post came from The Hill.