Category: General

Facebook & Instagram improve privacy for user data

10. April 2017

The social networks Facebook and Instagram have tightened the protection of their users' data. An investigation by the American Civil Liberties Union (ACLU) had previously revealed that the social-media monitoring company Geofeedia had been accessing user data from Facebook, Instagram and Twitter, including posts about participation in protests, analysing it and selling the results to government agencies. Facebook and Instagram responded by tightening their terms on data usage: software developers are now expressly forbidden to use data from the networks for surveillance purposes. Twitter had already issued corresponding rules by the end of 2016.

Hundreds of thousands of users affected by CloudPets data breach

2. March 2017

Another toy maker, Spiral Toys, has hit the headlines. The company suffered a large data breach involving its CloudPets stuffed animals, exposing the personal data of 800,000 users, including e-mail addresses, passwords and profile pictures, as well as 2 million voice recordings.

Spiral Toys' CloudPets connect via Bluetooth to an app on a smartphone, so that parents can leave voice messages for their children on the toy.

The personal data were stored in an online database that required no authentication, so attackers could access it without any credentials. According to web security expert Troy Hunt, the passwords were hashed (with bcrypt) rather than stored in clear text, but Spiral Toys enforced no password-strength requirements at all. Because many users chose trivial passwords, an attacker holding the database "could crack a large number of passwords, log on to accounts and pull down the voice recordings".
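The following Python is an added illustration of Hunt's point, not code from Spiral Toys or from this article: a password store that is properly salted and hashed still falls to an offline dictionary attack when the registration form accepts any password, whereas a policy-compliant password in the same dump survives. The hashing scheme (PBKDF2-HMAC-SHA256 from the standard library, standing in for the bcrypt Hunt found), the "leaked" user records, the wordlist and the policy rules are all assumptions constructed here for the demonstration.

```python
"""
Added example (not Spiral Toys' code): why hashed passwords are still exposed
when no password policy is enforced at registration.

Assumptions, for illustration only:
  - passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (the real store
    used bcrypt; PBKDF2 is used here because it is in the standard library
    and shares the relevant property: the cracker must hash every guess);
  - the user records and the wordlist below are constructed, not real data.
"""
import hashlib
import os
import re

ITERATIONS = 10_000  # deliberately low so the demo finishes quickly

# Constructed wordlist: the kind of password a "no minimum" signup form lets through.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "cloudpets", "teddy", "abc123", "letmein"]


def hash_password(password: str, salt: bytes) -> str:
    """Hex PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def password_policy_violations(password: str) -> list:
    """Registration-time check the app could have enforced.
    Returns the rules the candidate breaks (empty list means acceptable)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    return problems


def make_record(email: str, password: str) -> dict:
    """Simulate one row of the exposed user database (constructed data)."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


def candidate_guesses(wordlist):
    """Each base word, capitalised or not, plus the suffixes people bolt on."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in ("", "1", "123", "!"):
                yield base + suffix


def crack(records, wordlist):
    """Offline dictionary attack against the dumped hashes.
    Salting defeats precomputed tables but not per-record guessing; each
    record costs only len(wordlist) * 8 hash computations.
    Returns {email: recovered_password} for every record that fell."""
    cracked = {}
    for rec in records:
        for guess in candidate_guesses(wordlist):
            if hash_password(guess, rec["salt"]) == rec["hash"]:
                cracked[rec["email"]] = guess
                break
    return cracked


def demo():
    """Constructed dump: three users who chose what the form allowed, one who chose well."""
    records = [
        make_record("parent1@example.com", "123456"),
        make_record("parent2@example.com", "Cloudpets1"),
        make_record("parent3@example.com", "teddy123"),
        make_record("parent4@example.com", "Fz7!wq-Bluebird-91"),
    ]
    return crack(records, COMMON_PASSWORDS)


if __name__ == "__main__":
    for email, pw in demo().items():
        print(f"cracked {email}: {pw!r}")
    print("policy would have rejected 'Cloudpets1':", password_policy_violations("Cloudpets1"))
```

Running it recovers the first three passwords within a few hundred hash computations while the fourth user, whose password passes `password_policy_violations`, is untouched. The policy check is the piece that was missing: hashing only raises the per-guess cost, and a guess space of a few thousand trivial passwords is cheap at any cost.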

Spiral Toys' Mark Meyers denied that voice recordings were stolen. The company nevertheless says it will tighten its password-strength requirements now that the breach has been made public.

Both the German Federal Network Agency's decision to take the "My friend Cayla" doll off the German market and the breach suffered by Spiral Toys show that the privacy concerns surrounding smart toys should be taken seriously by their makers.

Talking doll deemed to be “concealed listening device”

21. February 2017

The German Federal Network Agency (Bundesnetzagentur) has taken the "My friend Cayla" doll off the market due to privacy concerns. The doll is equipped with a microphone and answers children's questions via an Internet connection. It was therefore classified as a "concealed listening device" under section 90 of the German Telecommunications Act (Telekommunikationsgesetz).

The Agency stated that the doll could be used to record and transmit children's conversations without the parents' knowledge. In addition, the doll's Bluetooth link is unsecured, so a third party within radio range can connect to the doll and listen in on children's conversations.

Complaints were also filed in the US, but the Federal Trade Commission decided not to take any action.

Meanwhile, the doll's German distributor stated that "My friend Cayla" is not an espionage device and that it will challenge the Agency's decision in court.

The "right to disconnect"

16. January 2017

A recent study by the French research group Eleas (published in October) shows that more than a third of French workers use their devices every day to work outside working hours.

Although checking work e-mail after hours gives employees a degree of autonomy and flexibility in working outside the office, the habit can also lead to "info-obesity" (according to a report submitted to labour minister Myriam El Khomri in September 2015).

Computing and work-life balance expert Anna Cox (University College London, UCL) says: "Some of the challenges that come with flexibility are managing those boundaries between work and home and being able to say 'actually I am not working now'."

Since 1 January, French companies have therefore had to guarantee their employees a "right to disconnect": the new employment law has now entered into force. All organisations with more than 50 employees are obliged to define their employees' rights to "disconnect from technology".

Its aim is to curb the overuse of digital devices by employees outside their working hours, which has recently led to a surge in unpaid overtime.

Some companies have already taken steps to reduce the problem, such as automatically deleting e-mails sent to employees on holiday or cutting off e-mail access outside working hours.

Even though no sanction is foreseen for breaching this obligation, companies are expected to publish a charter setting out what may be demanded of employees outside working hours and what their rights are.

Instagram develops additional privacy features

9. December 2016

On Tuesday, Instagram announced the launch of several features that help users protect their privacy.

Some time ago, Instagram already introduced a keyword filter for comments. It has now added the option to turn off comments on any post. In addition, users will be able to like comments, which is intended to help maintain a positive environment.

Another important feature is the ability to remove followers from private accounts. Users with a private account have always been able to choose which followers to accept, but once a follower had been accepted there was no way to remove them. The new feature makes this possible, and removed followers are not notified.

Finally, a reporting tool will be available to all users. It can be used when a user's posts suggest that they may harm themselves. Reports are anonymous, and the tool aims to offer support and help by connecting the reported person with specialised organisations.

Instagram's CEO announced that further changes are planned to make using Instagram safer.


CNIL released results of public consultation report about the GDPR

2. December 2016

CNIL, the French Data Protection Authority, has just released the report of its public consultation of professionals on the upcoming General Data Protection Regulation (GDPR).

The report is based on 540 replies from 225 contributors, and its main topics are:

  • the Data Protection Officer (DPO),
  • the right to data portability,
  • data protection impact assessments and
  • the certification mechanism.

The report states that there are open questions on how the GDPR's requirements should be applied in practice. Among the most frequently asked questions are:

  • What counts as a conflict of interest, and who can therefore be appointed as DPO?
  • Can the DPO be a whole team? Can a DPO be a legal person?
  • What investments will be needed to implement the right to data portability?

CNIL therefore announced that national communication campaigns will be launched and that training sessions and workshops will be held in cooperation with the current CILs (Correspondants Informatique et Libertés).


NIST released guidelines on cybersecurity for internet-connected devices

18. November 2016

The National Institute of Standards and Technology (NIST) has just released guidelines on cybersecurity for internet-connected devices: NIST Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The guidance "addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems."

A central point is that security must be built directly into the design and manufacturing of Internet-connected devices rather than added afterwards. The guidelines describe the whole engineering process for improving cybersecurity and reducing risk by building "trustworthy secure systems capable of protecting stakeholder assets."

The guidelines further state that the "objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system."


ICO announces that Facebook agrees to suspend disclosure of WhatsApp users' personal data

8. November 2016

After WhatsApp announced changes to its privacy policy in August, several EU data protection authorities (DPAs) announced that they would monitor whether WhatsApp users' data is being used properly. One of the changes involved disclosing WhatsApp users' personal data to Facebook in order to fight spam and to improve both WhatsApp's and Facebook's services.

The EU DPAs had requested that WhatsApp not carry out such disclosures until an adequate level of data protection could be ensured.

On Monday, the ICO announced that Facebook had agreed to suspend these disclosures. The ICO had already remarked that consumers were not adequately protected and that in most cases no valid consent was in place. It has also asked both companies to undertake in writing to inform users of the purposes for which their data will be used. So far, neither company has signed such a commitment.

If enforcement action is taken, substantial fines may be imposed, all the more so once the GDPR applies from May 2018.

Other EU DPAs, such as the Spanish authority, will also contact Facebook regarding WhatsApp's privacy policy.

For its part, Facebook stated that WhatsApp collects only the data necessary to offer its services and that only part of this data is shared with Facebook. A Facebook spokeswoman confirmed that WhatsApp's update complies with applicable law, including UK law, and that the companies will continue their conversations with the ICO about the questions raised regarding the privacy policy.

How to be prepared for the GDPR in 13 steps

26. September 2016

Last week, the Belgian Data Protection Authority (the "Privacy Commission") published guidelines setting out 13 steps to help organisations prepare for the EU General Data Protection Regulation. The guidelines were published in French and in Dutch.

The Belgian Data Protection Authority recommends following the steps below in order to comply with the GDPR:

  • Awareness: Inform the relevant people in the organisation about the upcoming changes.
  • Internal Records: Document which data are stored, where they came from and to whom they are transferred.
  • Privacy Notice: Review and update the privacy notice.
  • Individuals' Rights: Check that existing procedures allow you to comply with individuals' rights.
  • Access Requests: Review current procedures for access requests and consider how these requests will be handled within the new GDPR time limits.
  • Legal Basis: Document all data processing activities and the respective legal basis for each of them.
  • Consent: Review how consent is collected and recorded.
  • Children's Personal Data: Plan procedures for verifying the age of individuals and determine how to obtain parental or legal guardian consent for processing that involves children's data.
  • Data Breach: Ensure that procedures for handling data breaches are in place.
  • Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with these concepts and consider how to implement them.
  • Data Protection Officer: Appoint a Data Protection Officer where required and review the role.
  • International: Check which Data Protection Authority will be responsible for you.
  • Existing Contracts: Review current contracts.

Concerns about the PNR Agreement between Canada and the EU

12. September 2016

Last week, Paolo Mengozzi, Advocate General of the Court of Justice of the European Union, released his opinion on the draft agreement between Canada and the European Union on the transfer of passenger name record data (the PNR Agreement), which had been referred to the Court because of concerns about its compatibility with the EU Charter of Fundamental Rights.

Under the Agreement, the data collected from passengers when booking flights between Canada and the EU, including information about travel habits, payment details, dietary requirements and sensitive data about passengers' health, ethnic origin or religious beliefs, is to be transmitted to the Canadian authorities in order to prevent and detect not only terrorist threats but also other serious transnational crime.

Although the EU had previously signed similar agreements with the U.S. and Australia with the approval of the European Parliament, Parliament decided to refer the Agreement with Canada to the European Court of Justice because of concerns about its compatibility with the EU Charter and about privacy and data protection.

In his opinion, Paolo Mengozzi stated that certain provisions of the draft are not compatible with the EU Charter, in particular:

  • Canada's ability to process the collected data beyond what is strictly necessary for the Agreement's original purposes,
  • the processing and retention of sensitive data by Canada and
  • the lack of safeguards and oversight mechanisms for the onward transfer of data collected under the Agreement to other foreign authorities.

Paolo Mengozzi explained that the draft should be revised so that it includes:

  • a clear definition of the categories of data within the scope of the Agreement,
  • the exclusion of sensitive data from the scope of the Agreement and
  • a reasonable limit on the number of "targeted" individuals, i.e. persons suspected of participating in a terrorist threat or a serious transnational crime.