Category: USA

Data from dating website stolen and sold

28. April 2016

As BBC just reported the data of more than a million members of the dating website www.beauftifulpeole.com has been sold online. The traded data not only included the weight, height, job, and phone numbers of members but further more income, sexual preferences, smoking and drinking habits and relationship status. The firm stated that the data belonged to members, who joined before July 2015 and that no passwords or financial information were included.

The data has now been sold on the online black market, said security expert Troy Hunt, an Australian security expert, who runs the website HaveIBeenPwned.com, where people can verify whether their data has been leaked. Although he does not know exactly where or for how much money the data was sold, he stated that by selling data tens of thousands of dollars can be earned, bearing in mind that the data originally can cost as little as $300.

Chris Vickery, security researcher, told the BBC that the affected company acted quickly after notifying them that he had discovered it. However, the data had then already been sold. He went on by saying that “they published it openly to the world with no protection whatsoever”. This is a contradiction to the company’s statement that the content was from a test server. Therefore, Vickery added that “whether or not it’s in the test database makes no difference if it’s real data”. His analysis is further supported as a second researcher had identified the same weakness on the same day.

However in a statement BeautifulPeople said that “the breach involves data that was provided by members prior to mid-July 2015. No more recent user data or any data relating to users who joined from mid-July 2015 onward is affected”.

David Emm, principal security researcher at Kaspersky Lab commented on the stolen and sold data by summarizing “now it’s public, cybercriminals have the opportunity to use this information to steal personal identities or more” and added “unfortunately, once a breach of this nature has been made, there is not much that can be done.”

Emm went by giving the advise that “organisations need to take action and use more data, analytical insights and triangulation of multiple-identity proofing techniques to minimise the potential effects of identity theft for both the user and the businesses serving them”.

 

Category: USA
Tags:

FBI paid probably more than 1 Million for cracking San Bernardino iPhone

26. April 2016

NBC News reports that FBI Director James Comey might have disclosed how much the agency spent for cracking the iPhone of the San Bernardino attackers.

Comey commented on the case so that the organization paid “a lot, more than I will make in the remainder of this job, which is seven years and four months, for sure” at a security conference in London. He went on that it “was in my view worth it” and that the FBI will now be able to crack any other iPhone 5s with IOS 9 by using the developed software.

Based on this given timeframe and by multiplying his salary of $180,000 per year, NBC News comes to a figure of $1.3 million. However, there was no official comment on part of the FBI.

Category: USA
Tags: , ,

Tech coalitions write open letter over US bill banning encryption

21. April 2016

A Tech group just wrote an open letter to US Senators Richard Burr and Dianne Feinstein, concerning their bill requiring all encryption to be breakable on command.

The mentioned letter starts by saying “We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm.” and goes on by pointing out “unintended consequences”.

Reform Government Surveillance, the Computer and Communications Industry Association, the Internet Infrastructure Coalition, and the Entertainment Software Association have signed the letter. Those four represent most of the major internet and tech companies such as Microsoft, Google, Amazon, eBay, Facebook, Netflix and Verisign.

At the same time an US survey from ACT concludes that 93 percent of peole being asked answered it is important that their data is secured and that 92 percent of people being asked support strong encryption on their devices.

 

Category: USA
Tags:

Criticism at Google’s ‘right to be forgotten’ position

20. April 2016

The New York Times reports that crisicism is raised among European data protection regulators and politicians on Google’s secretive process for deciding whose “right to be forgotten” cases end with a stricken link and whose do not. The lack of the company’s transparency is not the only concern regarding how a private organization has autonomy in these cases instead of the government. Furthermore, Google has ruled on double the amount of national authorities’ privacy judgments. “If Europe really wanted to regain control over personal data, giving Google this type of power is an odd outcome,” concluded Oxford University’s Luciano Floridi.

The criticism is also raised as a result of a general growing discontent from both European regulators and politicians due to the fact that national data protection agencies sometimes lack the financial, technical and human resources to handle the substantial increase of “right to be forgotten” requests, according to regulatory officials and legal experts.

Category: EU · USA
Tags: ,

Article 29 WP releases its opinion on the EU-U.S. Privacy Shield

14. April 2016

The Article 29 WP, represented by the DPAs from the EU Member States, issued yesterday its opinion on the proposed draft of the EU-U.S. Privacy Shield.

Background

Under the Safe Harbor framework, personal data transfers from the EU to the U.S. have been carried out since the year 2000. In October 6th, 2015, the ECJ declared this framework invalid, as it considered that it did not ensure enough safeguards regarding the protection of personal data from EU citizens. In February 2016, the EU Commission and several American Authorities drafted the new framework that shall replace the Safe Harbor Agreement. The draft has been now analyzed by the EU DPAs, who remark the necessity to clear and define some concepts.

Critical aspects of the EU-U.S. Privacy Shield identified by the Article 29 WP

The Article 29 WP does not believe that, in general terms, the current draft of the Privacy Shield ensures a level of data protection equivalent to that in the EU. The most relevant aspects of the published document could be summarized as follows:

  • Data retention periods are not defined in any of the principles of the framework. This means that companies could keep personal data even if they do not renew their Privacy Shield membership. This contravenes the principle of data retention limitation according to EU data protection legislation.
  • The scope and definition of the purpose limitation concept is described under the notice, the choice and the data integrity and purpose limitation principles. However, in each of these principles is the purpose limitation principle differently defined, what leads to an inconsistent definition of this concept.
  • Also the concept of onward transfers has been critically analyzed by the Article 29 WP. Under this principle, Privacy Shield members may legitimately carry out data transfers to third parties. This involves the risk that the recipient of the data does not ensure the same level of data protection as stipulated according to the EU data protection legislation.
  • The redress mechanism available for EU data subjects may be too complex for the data subjects themselves. The Article WP29 recommends that the local DPAs represent the data subjects or act as intermediaries so that they can exercise their rights in Europe.
  • Finally, the Privacy Shield includes certain guarantees regarding the surveillance activities by U.S. authorities. However, the massive collection of personal data from EU citizens is not fully excluded. Regarding this, the institution of the Ombudsman has been created. According to the Article 29 WP, its functions and legitimation are not sufficiently defined.

The Working Party has requested the EU Commission to clarify these aspects and adopt the corresponding solutions, so that the Privacy Shield ensures an equivalent level of data protection to that in the EU. Particularly, it has recommended to introduce a glossary of terms in the “Privacy Shield FAQ” and a review of the Privacy Shield draft after the GDPR becomes effective, in order to ensure that the Privacy Shield reflects the level of protection reached by the GDPR.

What next?

Since the opinion of the Article 29 WP is not binding, the EU Commission could proceed further with the approval of the EU-U.S. Privacy Shield. However, it will consult a Committee of representatives of the EU Member States before issuing its final decision. Until a final decision is reached, the mechanisms to carry out international data transfers are limited to Binding Corporate Rules and Standard Contractual Clauses.

Opinion of the Article 29WP on the EU-U.S. Privacy Shield “leaked” by the German DPAs

12. April 2016

After the details of the draft of the new adequacy decision to carry out international data transfers between the EU and the U.S. have been released (“EU-U.S. Privacy Shield”), the Article 29 WP is expected to express its opinion on the proposed text within this week.

On the 6th and 7th April the German DPAs meet to discuss current privacy topics, among others about the EU-U.S. Privacy Shield. A link to the resolution related to this topic was uploaded in the webpages of each federal DPA. The link to the resolution was deleted afterwards. However, a permanent link to the resolution (in German) can be found under https://www.delegedata.de/wp-content/uploads/2016/04/Beschluss_Mandat_Privacy_Shield.pdf.

The resolution of the German DPAs seems to refer to the current draft of the Article 29WP on the EU-U.S. Privacy Shield:

“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU.”

This paragraph suggests that the European DPAs may not release a positive opinion on the EU-U.S. Privacy Shield.

Although the opinion of the Article 29 WP is not binding for the EU Commission, the Article 29 WP may initiate legal actions through the local DPAs against the adequacy decision if it is approved, as stated in paragraph 4 of the above mentioned resolution.

Settlement in lawsuit against Sony Pictures Entertainment

11. April 2016

A multimillion-dollar settlement in a class-action lawsuit against Sony Pictures Entertainment filed by former employees, whose personal data was stolen when a data bleach took place, was appoved by an US District Judge last week.

About 437,000 people were affected by the data breach from the time of the 2014 hack through 2017.  In terms of the settlement Sony agreed to provide theft protection and an optional service covering up to $1 million in losses and furthermore, create a fund to cover any additional losses. As the deadline for workers to sign up for credit protection and reimbursement has not yet passed,  the exact amount of money for setteling is not yet available. However, up until today Sony had to pay $7 million in order to notify the people beingt affected by the breach and to establish a fund to compensate them. Nevertheless, this amount does not take millions of dollars into account that Sony had to pay for credit monitoring services and for attorney fees. Until now, 18,000 people have signed up for the mentioned optional service retailing for $350.

During the data breach sensitive personal data concerning current and former Sony Pictures Entertainment employees was stolen and posted online. The data breach was due to hackers, who broke into the company computers and released thousands of emails, documents and sensitive personal information.

 

WhatsApp just added end-to-end encryption

6. April 2016

WhatsApp is an online messaging service, that has grown into one of the most used applications, owned by Facebook. Messages, phone calls and photos are exchanged via WhatsApp by more than a billion people. Therefore, only Facebook itself operates a larger communications network.

This week was revealed that the company has added end-to-end encryption to every form of communication developed by a team of 15 of out of 50 overall employees for any person using the latest version of WhatsApp, so that all messages, phone calls and photos are encrypted. This regards any smartphone, from iPhones to Android phones to Windows phones. By encrypting end-to-end not even WhatsApp’s employees have access to the data sent through this communication network. This means that WhatsApp will not be able to comply with a court order demanding the disclosure of the content of messages, phone calls and photos sent by using its service.

This way of encryption has generally led to a public discussion between technology companies and governments. For example, in the UK, politicians have proposed banning this encryption so that companies should be forced to install “backdoors” in order to be able to disclose the content only to law enforcement.

 

Category: Countries · EU · USA
Tags: , ,

EU-U.S. Privacy Shield expected to be effective in June 2016

16. March 2016

On the 14th March, the Digital Commissioner Günther Oettinger spoke out on the EU-U.S. Privacy Shield at the CeBIT fair (Center for Office Automation, Information Technology and Telecommunication), which will take place in Hannover (Germany) from the 14th until the 18th March.

Oettinger stated that the EU DPAs will evaluate the EU-U.S. Privacy Shield in the upcoming weeks, so that the new Framework can be effective in June 2016. He also remarked that without a legal regulation for international transfers of personal data, “the trust in cloud services will be low”.

The EU DPAs are expected to meet on the 12th-13th April in order to issue their opinion on the EU-U.S. Privacy Shield. However, this opinion will not be binding.

General overview of the EU-U.S. Privacy Shield

11. March 2016

After the details of the EU-U.S. Privacy Shield were released on February 29th, several institutions will examine its legal implications and validity in order to determine if the new Framework complies with the European Standards on Data Protection. One of these institutions is the Article 29 WP, which will reveal its opinion on the EU-U.S. Privacy Shield by the end of April.

Eduardo Ustaran, an expert in international Privacy and Data Protection, has analyzed the positive impact that the EU-U.S. Privacy Shield may have for the future development of global privacy:

  • This Framework may widespread the European Data Protection culture at an international level because multinationals will globally adopt this model, in order to comply with the European Standards.
  • Additionally, the U.S. government is adapting its legislation to the Data Protection requirements established by the EU Legislation in this field. For example, the U.S. Judicial Redress Act was approved on February 2016 in line with the new conflict resolution system proposed in the Privacy Shield. This way, EU Citizens will have the possibility to raise complaints to U.S. Authorities when their rights to Privacy and Data Protection have been violated by an organization.
  • Also the judiciary will play an important role as ultimate institution that mediates between the citizens and the state.
  • As mentioned above, the conflict resolution system proposed in the Privacy Shield includes the participation of several institutions at different levels, which provides the individuals many possibilities to exercise their rights as data subjects. Therefore, individuals will be able, for example, to raise a complaint towards the organization or to raise a complaint at the local DPA.
  • The Framework may foster the communication and collaboration between American and European Institutions. For instance, it is foreseen that an annual revision of the Framework takes place.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 Next
1 8 9 10 11