Tag Archives: Privacy

Utah Likely to be Fourth State with Comprehensive Privacy Law

The Utah House of Representatives unanimously passed a consumer privacy bill which the Senate passed earlier this year. The governor is expected to sign it and has 20 days to veto it.

This bill has a higher threshold than the other states' laws – it targets businesses that target Utah residents, have an annual gross revenue of over $25 million and either control or process data on at least 100,000 residents.

It exempts higher education, nonprofits, and HIPAA and GLBA covered entities.

It is scheduled to take effect on December 31, 2023.

Other features of the bill are similar to those in other states –

  • The rights of notice, access, portability and deletion
  • The right to opt out of the use of their data for things like targeted advertising
  • The concept of “non-public” information goes away. Now information that is linked or reasonably linkable to a person is covered
  • It excludes employee data and business to business CONTACT information
  • It creates a category of sensitive information such as race, ethnic origin, religion, sexual orientation and a number of other categories, but rather than requiring opt-in for these categories, it makes them opt-out
  • There is no private right of action; only the AG can enforce this law
  • But it does grant the Utah Department of Commerce, Division of Consumer Protection the power to investigate complaints and refer them to the AG.

I anticipate more laws coming this year. Credit: National Law Review

Security News for the Week Ending Feb. 11, 2022

Google Decreased Account Takeovers by 50% by Mandating 2FA

Late last year Google forced about a hundred fifty million users to start using multi-factor authentication. What results did they see? Account takeovers in that group were reduced by 50%. Google has previously said that only 10% of their users were using MFA. Now they are forcing the issue. Credit: Cybernews

Attacks on Crypto Continue – $320 Million in Ethereum Stolen

The Wormhole token bridge that allows users to send and receive cryptocurrency between Ethereum, Solana, BSC, Polygon, Avalanche, Oasis, and Terra without a centralized exchange experienced a security exploit resulting in the loss of 120,000 wETH tokens worth $321 million from the platform. Again, the hackers found a bug in the software that allowed them to hack the company. This is the root problem with decentralized finance – it is counting on software being bug free and that just does not exist. In their case, they are very lucky because the Jump Trading Group, which is an investor in Wormhole ponied up the $320 mil to make their customers whole. That doesn’t happen often. Credit: Metacurity and Decrypt.co

Apple Says It Won’t Do Biz With Companies that Use Conflict Minerals

According to a report that Apple filed with the SEC, they have terminated relationships with 163 smelters and refiners since 2009 for failing to pass human rights and mineral standards. This is the seventh year of requiring these firms to pass a third party audit. This year 12 companies got axed from the vendor list. Good for Apple. Credit: Vice

French Data Protection Authority Says Google Analytics Violates GDPR

The problem, the French privacy folks say, is that Google transfers your data to the U.S. and, after Schrems II, in which the EU high court struck down the US-EU privacy agreement called Privacy Shield, the US was deemed to not have equivalent privacy protections. They would like you to forget that they are playing with a stacked deck because the European intelligence agencies do the same stuff the US does, but they don’t have to comply. They suggest either anonymizing the data, which is okay for stats but not for targeted ads, or kicking Google to the curb, which was kind of the EU’s goal in the first place. I think Google could choose to leave EU data in the EU, which simplifies the privacy stuff, but it makes life more complicated for Google because they probably could not do a number of things with your data that they would like to. Credit: The Record

Senators Say CIA is Collecting Bulk Data on US Citizens

Executive Order 12333, issued by Reagan in 1981, covers, among many activities, the data collection practices of the intelligence agencies who operate outside the rules of the FISA court. There is a group that is supposed to watch over the CIA called the PCLOB, but many people think it has a pretty cozy relationship with the CIA and doesn’t have the same level of (very limited) transparency that the FISA Court does. Unlike the Patriot Act and USA Freedom Act, which have to be reauthorized, EO 12333 lives forever with no public discussion. Senators Wyden and Heinrich wrote the Director of National Intelligence asking for more transparency. Credit: Data Breach Today

Schools (And Others) Will Pay More for Cyber Insurance

As a result of the massive increase in cyberattacks against schools (and others), cyber insurance premiums will likely see major hikes this year, assuming that you can even get coverage. Hikes of 100% to 300% are likely if you don’t have the best security controls. One California insurance executive said her school clients were declined for insurance 37 times, saw deductibles climb from $25,000 to a million dollars and premiums increase by up to ten times. This will force some organizations to become self insured, making cybersecurity practices even more important. Credit: The Journal

Security News for the Week Ending October 29th, 2021

Smartphone Counterespionage Tips for Travellers

Most people say “who would be interested in me?” but the reality is that foreign governments track Americans for a variety of reasons, both good and bad. Read this article to find some tips that could keep you below the radar and your information safer.

Are Surveillance Cameras the Answer to Worker Productivity?

ZDNet wrote a story this week about a boss who texted an employee at night about what the boss perceived was employee laziness. Apparently the boss was completely uninformed and when the employee pointed out what was really happening, the boss doubled down. The employee told the boss to take his job and shove it. That doesn’t mean that management should ignore what they think they see, but as we are seeing in this recovery after the pandemic shutdowns, employees seem a lot more empowered and your employees may tell you to shove it. Read the details here.

State Department Recreates Cybersecurity Effort After Trump Disbanded it

Cybersecurity will be a core part of the State Department’s mission with the new Bureau of Cyberspace and Digital Policy. Congress forced the issue by legally creating the bureau after Trump eliminated the position of cyber coordinator in State. State will also add 50% to its tech budget and create new civil service positions. Credit: Dark Reading

Britain’s Privacy Commissioner Calls for More End to End Encryption

Britain’s privacy protection agency, the ICO, has called for video conferencing companies to implement end to end encryption at the same time that police and politicians are calling for the elimination of any secure end to end encryption. The ICO attempted to do some spin after the fact, but their statement still stands. Police say that having to get warrants to obtain information is inconvenient for them. This follows last year’s call by British, Canadian, Australian, Chinese, Swiss, Gibraltarian and Hong Kong data protection regulators also asking for end to end encryption. The police have vocally asked for a master decryption key because, of course, you can trust them. This week the master encryption key used to secure Covid passports in the EU was publicly exposed. Covid vaccine passports for Adolf Hitler and Mickey Mouse have been found and fake Covid passports signed with this key are now available on the web. Not to worry, if we give the thousands of police agencies access to these keys, I am sure this would never happen. Credit: The Register

Proton Wins Swiss Appeal Over Surveillance Rules

Weeks after Proton Mail was forced to capture the IP address of a user after receiving a Swiss subpoena, they won a different court battle. Swiss courts had earlier ruled that companies like WhatsApp and Zoom were not Internet providers and did not have to maintain surveillance records of their users’ actions, but for some reason, the Swiss Post thinks that Proton does have to. The appeals court said no to that and remanded the case back to a lower court to “change their mind” so to speak. Credit: Cybernews

Google Reveals Data It Captures

Since Apple doesn’t make a lot of money by selling your data to others (or selling targeted ads to others based on data that it captures), it loves poking Google in the eye about its data collection practices.

Apple has required “privacy nutrition labels” from vendors, including itself, for all new releases of software distributed in the App Store as of December 8th of last year.

Google’s response was to stop updating its software. Some people said that was because Google didn’t want to tell people what they were collecting. I suspect that it is more likely that Google was trying to figure out exactly what data they were collecting.

Here is an example of some of the data that Google collects:

This is an effort on Apple’s part to give people more information and help them understand whether they want to use an app or not. But this is not where Apple is stopping, and the next step will hurt Google (and others) even more.

The graphic below compares the data the search engine DuckDuckGo collects with the data collected by Google Chrome and the Google App. Even before reading the details, you can see the difference between DuckDuckGo and Google just by the number of bullets.

Starting with iOS 14, all apps will not only have to tell users what data they are collecting but also get their permission to do it – what is known as “OPT-IN”. Opt-in is the advertiser’s nightmare. Basically, it requires the advertiser to say to the user “we want to collect, store forever and sell all this data we collect about you and your browsing or other habits, use it however we want without telling you how, not give you any control over that and in exchange – in exchange we are going to give you this app or maybe shove a bunch of ads in your face that you don’t want to see”.

In fairness, if you say no you will still see ads – they just won’t be targeted to you.

This means that the companies won’t be able to get as much money for those ads since the advertisers won’t know who those people are that are seeing those ads. WHAT IS UNKNOWN IS HOW MANY PEOPLE WILL ACTUALLY OPT IN.

Add to that, consumers have to trust app makers to tell the truth. After all, what is the downside if you lie? If Apple finds out, they could ban you from the App Store.

In iOS 14.5, Apple will require apps to get your permission to track you across other apps and websites. Apple has something called an ID for advertising, or IDFA. Here is how IDFA works: suppose Facebook showed you an ad for, say, a phone and you did not click on it, but you went to Google and searched for that phone. Then you bought the phone. That vendor has your IDFA, can share it with Facebook, and then Facebook gets credit for an ad that was converted to a sale.

All this goes away, in stages, with iOS version 14 and 14.5 if the user does not opt in.

The reason this is a problem for Google and other advertisers is that users usually choose the default. The default is that if I don’t do anything, I effectively opt out and Google and the advertisers can’t target me.

That alone might be a reason to buy an iPhone.

Don’t expect Google to do that on Android any time soon. Or ever.

Credit: The Hacker News

A Bridge Too Far?

Okay, gonna do some local humor. What bridges are these?


The first one is the Verrazzano-Narrows Bridge between Brooklyn and Staten Island. The second one is the Tappan Zee Bridge between Tarrytown (NY) and Nyack. Neither of these is a bridge too far, and I have traveled over both many times.

But New York is following in the footsteps of California and State Sen. Leroy Comrie has introduced the “It’s Your Data Act” (SB 9073). Who knows if it will pass but it sounds a lot like CCPA/CCRA/GDPR.

In particular it:

  1. Amends New York’s civil rights law to create a new “right of privacy”. That is something Facebook would be thrilled about.
  2. It also would amend the state’s general business law to add features similar to these other privacy laws.
  3. Like CCPA, it would affect businesses with more than $50 million in revenue -OR- who buy/sell/disclose information on more than 50,000 consumers, households or devices -OR- who derive more than 50% of the company’s revenue from selling your data.

It requires businesses to disclose:

  1. Your rights as a consumer
  2. Categories of sources from which information was collected
  3. Categories of third parties with whom your data is shared
  4. Length of time information is retained
  5. And several more rights

The retention disclosure requirement is new to New York and does not exist in CCPA or CCRA.

Among consumers’ new rights are:

  1. Right to deletion
  2. Access to retained personal information
  3. Access to disclosure of personal information to third parties
  4. Consent to additional collection or sharing of personal information
  5. Right to not be discriminated against for exercising these rights

Unlike California’s law, it requires reasonable security practices and procedures to protect that information (reasonable to a jury, that is).

Lastly, unlike CCPA, which only allows a private right to sue a business in case of a breach, the IYDA proposes the same $750 damages (or more if actual damages are more) per consumer, per violation FOR ANY VIOLATION OF THE LAW BY A BUSINESS. That could change the equation of whether it is cheaper to be breached than to be secure.

Of course, bills come and go and change a lot, so do not assume that this is what it will look like IF and WHEN it comes out the other end.

Businesses need to rethink the relationship they have towards security and privacy practices because even if this bill does not become law, others like it will. There was another bill introduced in New York earlier this year that proposed that companies that collect your data would have a fiduciary responsibility around using and protecting that data.

In light of that bill, is the IYDA a bridge too far? Seems pretty tame by comparison. Credit: JDSupra and Hinshaw Law Firm

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy, first this is a rumor – a likely accurate rumor, but a rumor, and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work and if, say, 50% of people agree with that, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces costs, improves its environmental image and gets many people to buy unbundled, high margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs because they might enable advertisers to track users. This only applies to Safari, the default browser on Apple devices, which represents 17% of web users, and since Apple doesn’t make its livelihood by selling people’s data, it is a win-win. It doesn’t cost Apple anything and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen userids and passwords. Breached databases from 14 companies in 2020 represent 130+ million userids. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more. That is just from the first 6 months of this year. In case that is not enough, the broker is selling a number of older databases. Beware of password reuse (also called credential stuffing) attacks, where hackers try those passwords on other sites. Credit: Bleeping Computer

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matter protesters so that (police) could track their movements and also sold location data on evangelicals so that the (Trump campaign) knew whether people who were favorable to them had not voted, so that they could get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who they sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed Denial of Service attacks jumped more than 500% between fourth quarter last year and first quarter of this year and more than 250% year to year according to NexusGuard. Likely this is due to work from home. The attacks are going after businesses and ISPs. Are you ready? Credit: Dark Reading