29. September 2016
Forbes just released an article saying that Apple invited some of the best hackers to its headquarter in Cupertino.
- the 19-year-old teenage prodigy who was the first to jailbreak an iPhone 7, and therefore now being a world-renowned iOS hacker as well as an
- ex-NSA employee who has repeatedly found security lacks concerning Mac OS X Luca Todesco.
The meeting should have been secret and kept confidential, but unfortunately some details leaked. So for example that Apple plans to brief them on the launch of its bug bounty program. The hackers will be rewarded with up to $200,000 in case they can provide Apple with information on vulnerabilities about its laptops and phones. Furthermore, the mentioned program is expected to be put into effect before the end of the month due to the fact that this has been promised at the Black Hat security conference in Las Vegas last months. Nevertheless, Apple pursues an invite-only list-strategy in order to get quality over quantity.
27. September 2016
Today, the Hamburg Data Protection Commissioner (DPA) issued a press release announcing an administrative order that aims at prohibiting the data exchange between Facebook and WhatsApp.
The critical opinion of the Hamburg DPA is based on the following arguments:
- Facebook and WhatsApp are legally independent companies, each of which has its own service terms and conditions.
- This data exchange infringes German Data Protection Law, as a legal basis for the collection and processing of personal data is required. In this case, the Hamburg DPA does not identify a legal basis for this data exchange.
- The legal basis is neither based on the user’s consent because Facebook has not obtained the effective consent of WhatsApp’s users.
- The ECJ has recently ruled that if a subsidiary processes personal data on behalf of its mother company, the national data protection laws are applicable. Facebook has its subsidiary for German speaking countries in Hamburg. According to this ruling, German data protection law is applicable in this case.
Johannes Caspar, Commissioner of the Hamburg DPA, has remarked that the administrative order protects personal data of around 35 million WhatsApp users in Germany, who have not given their consent for the processing of their personal data by Facebook. Upon this data exchange Facebook would receive personal data of WhatsApp users that do not even have a Facebook account.
Heise online released an article last week talking about a new possibility for Dropbox users, namely to select a German server location.
As already announced, EU citizens are now able to save their data on a server located in Germany. However, this new storage possibility is only available for business use so far. The requirement is that more than 250 employees use Dropbox. Therefore, the new server location is not applicable for private use.
However, Dropbox did not build the new server location on its own. In fact, the infrastucture is provided by Amazon though AWS.
26. September 2016
Last week, the Belgian Data Protection Authority “Privacy Commission”, published Guidelines containing 13 Steps that will help organizations in order to prepare for the EU General Data Protection Regulation. The Guidelines were published in French and in Dutch.
The Belgian Data Protection Authority recommended to follow the steps shown below in order to be compliant with the GDPR:
- Awareness: Instruct the relevant persons about the upcoming changes.
- Internal Records: Document the stored data, where it came from and to whom it is transfered.
- Privacy Notice: Review and update the Privacy Notice.
- Individuals’ Rights: Check existing procedures in order to comply with individuals’ rights.
- Access Requests: Review current procedures about access requests. Consider how these requests will be handled in accordance with the new GDPR time limits.
- Legal Basis: Document all data processing procedures. Demonstrate the respective legal basis for each data processing procedure.
- Consent: Review how consent is collected and recorded.
- Children’s Personal Data: Plan procedures in order to verify the ages of individuals. Determine how to gather parental or legal guardian consent for processing procedures that involve children’s data.
- Data Breach: Guarantee that procedures are implemented on how to handle data breaches.
- Data Protection by Design and Data Protection Impact Assessments: Check these concepts. Consider how to implement them.
- Data Protection Officer: Appoint and review the Data Protection Officer.
- International: Check which Data Protection Authority will be responsible for you.
- Existing Contracts: Review the current contracts.
22. September 2016
Recode just published an interview with Margrethe Vestager, Europeans Commissioner for Competition, talking about her impression that Europeans care more about their data than Americans.
First, she elaborates that Europe has historically been more critical towards new technology practices such as data collection. In this context, Vestager said “I am an economist, so I know that there is no such thing as a free lunch” she went on “You pay with one currency or another — either cents, or you pay with your data, or you pay with the advertisements that you accept. And I think people are becoming more and more aware of the fact that their personal data do have a value.”
Vestager underlined her point of view that Europeans care more about their data than Americans by saying “What we see in Europe is that a huge proportion of citizens find that they are not in control” she added “They distrust the companies to protect their data, and I think that is very bad, because then there is a risk of withdrawing from all the benefits of our digital economy. And in order to build up trust I think it is very important that we enforce privacy rules, that we get privacy by design in new services, so that privacy is not just an add-on, that it is very basic.”
Therefore, according to Vestager the Europeans have a greater need to protect their data than Americans.
This week, heise-online reported that after last years attack on the German Parliament, this year on the 15th and 24th August the offices of several members of Parliament as well as their employees were targeted again in a new attack.
Emails containing malware were sent to the respective politicians. The Emails were supposedly sent by Heinrich Krammer working for the NATO-Headquarter.
The German Federal Office for Information Security (BSI) stated that the attacks probably originated from Russia. The BSI believes that the attacks might be linked to the hacking of private emails from Hillary Clinton’s campaign team in the US earlier this year.
The BSI assumes that the hackers might have been looking for potentially damaging information which could be released a few weeks before elections next year in an attempt to influence the result.
21. September 2016
The students asked the Court to order the Government to issue guidelines for messaging apps so that users’ rights are not compromised by the use of such apps.
India is not the only jurisdiction where this legal challenge takes place. Other jurisdictions such as the EU and the U.S. Federal Trade Commission are also examining the recent changes.
WhatsApp stated that users are given the possibility to opt-out by turning off the data sharing function and that the only shared information relates to user names and phone numbers. The company also remarks that the use of the app is voluntary.
16. September 2016
The European Court of Justice decided that free Wifi providers are not liable for illegal downloads.
The decision is based on a case between Sony and a German shop owner. Sony sued the German shop owner due to the fact that an internet user unlawfully offered music downloads by using the shop’s free Wifi. Although the case originated in Munich, the judges referred the issue to the European Court of Justice.
The European Court of Justice then found that free Wifi is provided by companies in order to attract potential customers. Therefore, they cannot be held liable for illegal acts committed by others using this respective internet network.
Furthermore, Sony can not claim compensation or seek reimbursement for its court costs.
Nevertheless, the European Court of Justice ruled that Sony could demand internet connections to be password protected, so that a user is required to identify himself before accessing the Wifi.
Last week Google announced that specific icons will appear on HTTP websites that transfer data without using encryption methods. This measure will be implemented beginning 2017. However, not every unencrypted website will be marked. Furthermore, the icon will appear on those websites that transmit passwords or credit card data.
Currently, unencrypted HTTP websites are marked with a neutral sign. So that users are not always able to identify unsecure websites. The new indicator will consist of a red triangle. This is the same triangle that appears on broken HTTPS.
The number of websites that have started using a secure system (HTTPS) has increased considerably.
Google encourages website administrators to start using encrypted HTTPS websites in order to ensure a better functioning of websites and provides a guide to get started.
15. September 2016
Although it is difficult to predict the exact costs of a data breach as it depend on the individual case, the new Ponemon-IBM study tries to examine the costs arising in such a case.
The results can be summed up so that
- the average breach caused $4 million in damage or in other words
- roughly $158 per lost record have to be paid.
Privacy Ref, Bob Siegel tried to analyze what a data breach would cost for individual organizations as a part of a project with St. Joseph’s University professor Ronald Klimberg. For this projects undergraduate data analytics students compete to create the best metric in order to predict the impact of a data breach on an organization.