Tag Archives: Privacy

$67 Million Jury Verdict for Violating People’s Privacy

This is not directly a security issue.  Or a privacy issue. Because the County did not get hacked.

BUT it still is important to businesses.  And governments.

Juries are no longer sitting back and allowing organizations to ignore basic privacy law without consequences.

In this case it is Bucks County, Pennsylvania (population about 650,000), and this is going to cost them some bucks.

The federal jury awarded $1,000 for each of the 67,000 people who were booked into jail in the county since 1938.

The Bucks County budget is about $400 million, so this verdict, if it stands, represents about 16% of the total county budget for a year.

These people, whether they were convicted of a crime or not, were added to a publicly available web site  called the Inmate Lookup Tool.

The suit started in 2013 – six years ago – when Daryoush Taha was arrested and charged with harassment, disorderly conduct and resisting arrest.  He was released the next day.  He completed a one year probationary program for first time offenders and the judge ordered that his arrest record be expunged.

For whatever reason, the folks that ran the Inmate Lookup Tool didn’t get the message and his name, photo, personal details and charges were available online.  Apparently, posting that information online is against the law in Pennsylvania.

The federal judge granted class action status and the plaintiff’s attorney said, in closing arguments, that residents have the right to expect that local governments follow the law.

The county said that they did not know that posting all of this personal information on people who were arrested was illegal.

Basically, their defense was “we’re dumb.  We didn’t know the law.”

I wonder how that defense would work for someone they arrested?

Likely the County does not have insurance for this and, for the most part, you cannot get insurance to cover the penalty for being convicted of a crime.

This is only one of a number of cases we have seen lately where juries have said (to steal a line from a movie) “I’m as mad as hell and I am not going to put up with it any more“.

For businesses, this means that a defense of ignorance or gee, I’m sorry, is not a sure fire defense anymore.  We just saw Equifax’s Moody’s rating downgraded to NEGATIVE as a result of their breach as an example.

Information for this post came from the Philly Inquirer.

I don’t have a crystal ball, but I don’t see this getting better for companies that violate privacy or security laws in the future.

Facebooktwitterredditlinkedinmailby feather

What is Going to Happen in Europe Regarding Privacy?

Well, we certainly DO live in interesting times.

The UK is supposed to leave the EU at the end of March, but no one knows if they will, if there will be a deal, if they will delay Brexit, if they will have another vote.

The European Data Protection Supervisor says do not expect anything with regard to UK “adequacy” (meaning that you can freely move data between the EU and the UK) for at least a couple of years.  For folks with large operations in the UK, that could be a problem.

The Supervisor also said that it is unlikely that GDPR will be revisited for another 7-10 years; then considering the adoption process, do not assume any changes to GDPR of around 20 years.  For those hoping for relief, do not count on it.

He also told the European Parliament that Privacy Shield, the Frankenstein agreement concocted by the US and EU after the EU courts struck down Safe Harbor, is “an instrument of the past”.  He said that Privacy Shield is an interim instrument.  He said that when you look at the full scope of GDPR, Privacy Shield doesn’t make any sense.

Regarding the ePrivacy legislation that is in the works, he is hoping to get some consensus this summer, but whether that means there will be a vote-ready version, that is another story.  That, once approved, will be another set of rules for companies to adopt.

When it comes to data retention, he wasn’t happy about Italy’s law which allows people to keep data for 6 years.  Of course, in the US, there is no limit on retention.  He did, however, like the German approach, which allows retention for weeks, not years.

Suffice it to say, there is a huge gap between European desires (and their laws) and current American practices and that will likely continue to play out in the courts.  Stay tuned.  Source: IAPP (membership may be required to view).

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible data breaches in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing,  telemarketing and video surveillance.  Source: Bleeping Computer.

 

1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019, many major DNS resolver vendors are going to release upgrades that will stop supporting many DNS band-aids that have been implemented over the years to allow non-compliant DNS software to work – albeit slowly.  Major DNS providers such as Google, Cisco, Quad 9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your DNS vendor does not operate a fully 1987 or 1999 compliant DNS service, your web site will go dark to users of these major DNS resolvers.

You can test your DNS service provider by going to www.DNSFlagDay.Net and entering your domain name.  If it passes then there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay .

 

Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Protection Act was passed, says that he believes that the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try. Source: The Recorder.

 

Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that The Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try and create disinformation if it works to their best interest.   Source: NBC.

 

FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have gotten the U.S. courts approval to infiltrate a North Korean botnet to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by anti virus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source:  Ars Technica.

 

Facebooktwitterredditlinkedinmailby feather

Facebook 0, Apple 1; Google is Collateral Damage

You would think that in light of all of the negative publicity that Facebook has had, it would reign in some of it’s badder practices, but maybe they are just daring Congress to regulate them.

Facebook created a VPN product called Onavo Protect.  The public claim was that it was designed to protect your traffic, but in reality, it was a data collection tool since every web site that you visited, every search query you made and every link that you clicked on while using their VPN was visible and captured (and sold) by Facebook.

When the Ka-Ka hit the proverbial rotating air movement device (AKA the sh*t hit the fan) Apple banned the product from the iWorld.

Well Facebook is not easily deterred.

Unlike Android, Apple makes it difficult for developers to bypass the Apple store, in part to protect users and in part so that Apple can control developers.  But, in order to get enterprises to allow employees to use iPhones for work, Apple created an Enterprise signing certificate.  According to the rules, apps signed with those certificates can only be used inside a company.

Facebook decided that those rules did not apply to them and used that enterprise certificate to distribute an app to users age 13 to 35 where Facebook paid users up to $20 a month plus referral fees to install an app called Facebook Research.  Under the hood, it is just Onavo Protect that collects all of a user’s Internet activity so that they can better target that high value demographic.  To hide what they were doing, they offered it through several “beta testing” firms.

After Apple found out about it they REVOKED – aka invalidated – Facebook’s enterprise certificate.  Not only did this shut down the Facebook Research app, but also shut down any iPhone apps that Facebook was using internally to run it’s business.  This gave Apple a huge crowbar to swing at Facebook’s head to get them to change their ways.

As a side note, Google was also doing the same thing (with a product called Screenwise), although not quite so covertly and Apple also revoked their enterprise cert.  Of course, 99% of the people at Google likely use Google or other Android phones, so the impact on Google is likely a lot less than at Facebook.  Google shut down the service before Apple whacked them and apologized.  Facebook did neither of those.

After some behind the scenes begging, no doubt, Apple restored Facebook’s cert after a day and a half.

Facebook is saying that users should trust them.  Some Congress-people are suggesting a new law may be required.  Certainly, they are not doing a great job at building trust.

So what does all this mean to a user?

Since this was targeted, in part, at kids under 18, parents need to educate kids that they should not sell their soul for $20 a month.  Apparently both Facebook and Google think this is a good business model.

It also indicates how much your data is worth.  There were millions of copies installed and if they were paying $20 a month per user plus other perks, that means that the data was worth hundreds of millions of dollars a month to them.

If adults think that selling all of their data – every single click that they make online plus all of the data going up and down – for $20 a month, I guess that is okay, but kids are probably not in a position to make an informed decision.

By the way, because of how the software was installed, they would have the ability to see every password, your banking information and your health information, in addition to your surfing habits.

But trust them;  they wouldn’t keep that data.  Or use it.  Or sell it.

Definitely a case of buyer beware.

Information from the post came from Apple Insider, here and here.

Facebooktwitterredditlinkedinmailby feather

Smart Home Manufacturers Won’t Say if They are Giving Your Data to the Feds

From a sales and branding perspective, the last thing that smart home device manufacturers (think Amazon Echo, Google Home, Apple HomePod and a raft of other) want you to worry about is whether the Feds are snarfing up your data.

We do know of a few highly publicized cases like asking for smart water heater data in a murder case, Fitbit data to charge a 90 year old man with murdering his stepdaughter and a few others, but at least as far as media coverage is concerned, this has not been in the news much.

So Tech Crunch went to a number of players to ask them.  Here is some of what they got:

  • Google’s Nest says it has responded to government requests about 300 times (a pretty small number) since 2015 and has not received any national security letters.  Yet.  Google is the only vendor that currently publishes numbers.
  • Amazon won’t say.  They are burying the requests for Echo data deep in other reports so you can’t tell and has no plans to impact sales by telling you.
  • Facebook also says that it will bury the data for its Portal device and wouldn’t say if it will ever break that data out.
  • Google would not comment on requests for Google Home data and instead tried a slight of hand and said “look at our Nest data”.
  • Apple said there would be nothing to report regarding HomePod because all requests are given a random identifier (such as an IP address?   Nice try Apple!) that can’t be tied to a person.  An IP address might not tie directly to a person, but it does tie directly to a household.
  • Ring refused to answer the question and said they require a legal demand.

Bottom line, everybody is dodging and weaving, so I think it is reasonable to assume that the cops are asking them for data.  Probably a small amount right now because smart homes are still a very small niche, but as it goes more mainstream, expect more requests.  And, probably, no more transparency, at least at first.

So what should you do?

The first question is do you care?  The second is well, exactly what data are they collecting.  We know a couple of TV makers (Vizio and Samsung, I think) paid multi-million dollar fines for snooping.

Will vendors decide to collect more data or less data over time?

We don’t know and the vendors aren’t saying.  Assume the worst.  Probably a safe bet.

Assuming you care, there are limited things that you can do.

For things like smart TVs, there is no easy way to turn recording of you off.  Vizio was required to notify customers that they should not say anything sensitive in the same room as the TV.  So, watch TV in silence.

Check for devices with on-off switches.  Check the vendor’s policy statements.  That’s not a guarantee of anything, but better than nothing.

Of course there is the nuclear option – again assuming that you care – do you REALLY need you refrigerator telling you to get milk?  Maybe?  But maybe not!  If you do, then turn the smart device into a dumb device.  If you don’t connect the device to the Internet, it cannot blab.

Information for this post came from Tech Crunch.

 

 

Facebooktwitterredditlinkedinmailby feather

News Bites for Friday June 29, 2018

The Supremes Say Warrant Required For Cell Data

In a 5-4 decision last week, the Supremes said that the police should have gotten a search warrant before they asked for months worth of location data of a suspect.  The suspect in a robbery case was tracked by the police – over 12,000 locations, over 127 days, to correlate robbery locations to the suspect’s location.   Chief Justice John Roberts wrote the opinion, basically saying this this is a search within the bounds of the 4th Amendment.  This is good news for privacy advocates saying the the power of the government is not unbounded.  Source: CNet.

GDPR: One Month In

Not surprisingly, one month in and we have already seen the results of GDPR.

The UK Information Commissioner’s office says they have seen a sharp rise in both complaints and notifications.  In France, they have have seen a 50% rise in complaints compared to last year.

Austria says that they have received 128 complaints and 500 questions, along with 59 breach notifications.  Compare that 59 number to the entire eight months prior to the law going into effect – effectively an 8x increase.

Still numbers in the hundreds and not in the millions means that people are not going crazy.  What we don’t have data on, yet, is how many people requested copies of their information or requested that their information be deleted. Source:  WARC

Exactis Exposes More Than 340 Million Records

And the record for most breached records goes to Exactis.  Well, no, actually that record will hopefully always stay with Yahoo, but still, 340 million records (230 million consumers and 110 million businesses)  is not a drop in the bucket.

Exactis is one of those data aggregation firms that know everything from your name and address to how many kids you have and your income, among literally thousands of data points.

Now it appears that data was exposed because of a lack of controls placed on an Amazon Elastic Search setup.

Given new privacy laws in place and coming in place, this type of breach MAY need to be disclosed.  So far, the company is being quiet about it.  Older privacy laws did not consider things like your kid’s names, ages and genders private.  Newer ones are starting to, hence the requirement for disclosure, possibly.  Source: Wired)

8 States Settle With Equifax Over Breach

8 states – Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas – have come to an agreement with Equifax on security practices.  This is only one of MANY legal actions that Equifax will have to deal with.

The requirements are pretty mild and Equifax is likely doing most of these as a response to the breach: conduct annual security audits, develop written data protection policies and guides, monitor its outside vendors, and improve patch management.  It is actually surprising that a company of their size was not already doing all of these items and more.

The agreement does allow these states to take legal action if Equifax does not implement these controls.  Source; The New York Times

Facebooktwitterredditlinkedinmailby feather