Category: General
11. September 2017
The consumer credit reporting agency Equifax was breached in mid-May. Equifax itself only noticed the intrusion much later, on 29th July, and the public learned of it just last week, on Thursday, 7th September.
The breach potentially affects the sensitive data of approximately 143 million consumers. The data concerned are consumers’ names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers, as well as credit card numbers for 209,000 U.S. consumers and dispute documents containing identifying information for 182,000 consumers.
The breach is not limited to the US: a third-party cybersecurity company hired by Equifax also found affected residents of the U.K. and Canada.
Equifax Chairman and CEO Rick Smith announced the steps the company is currently taking in response to the breach and said that Equifax is working with the authorities.
5. September 2017
According to the New Zealand Council for Civil Liberties, banks handed over customers’ private data to the police in several cases after the police requested it. The police reportedly used forms that merely looked official instead of applying to a judge for a search warrant or a court order. There is said to be neither oversight of the practice nor a register that tracks how many such requests are filed.
The police and the banks rely on a loophole in the Privacy Act that allows organisations to disclose information about a person in order “to avoid prejudice to the maintenance of the law”. Privacy Commissioner John Edwards intends to put an end to this use of the loophole. Referring to the case in which the private information of activist and journalist Martyn Bradbury was handed over, he said:
“…we concluded that Police had collected this information in an unlawful way by asking for such sensitive information without first putting the matter before a judicial officer. Our view is that this was a breach of Principle 4 of the Privacy Act, which forbids agencies from collecting information in an unfair, unreasonable or unlawful way.”
4. August 2017
The Indian Supreme Court has to decide whether the “right to privacy” should be considered a fundamental right.
According to The Wire, a bench of nine justices was set up after several petitions challenged the constitutional validity of India’s Aadhaar scheme, with some petitioners arguing that the biometric authentication system violates the privacy of Indians. Over the last two weeks the bench examined the nature of privacy as a right in the context of two earlier judgements, from 1954 and 1962, which had concluded that the right to privacy was not a fundamental right. Legal experts expect the judgement in the last week of August.
The Times of India reports that the Supreme Court outlined a three-tier, graded approach to the question of whether privacy can be considered a fundamental right, dividing privacy into three zones. According to one justice on the bench, the first zone would be the most intimate zone, concerning for example marriage or sexuality; the state should intrude into it only under “extraordinary circumstances provided it met stringent norms”.
The second zone would be the private zone, covering personal data such as credit card use or income tax returns. Here, “sharing of personal data by an individual will be used only for the purpose for which it is shared by an individual”.
The third zone would be the public zone, which should require only minimal regulation. That does not mean, however, that the individual loses the right to privacy; he would “retain his privacy to body and mind”.
10. May 2017
In April 2017, the Office of the Director of National Intelligence released its fourth annual Statistical Transparency Report Regarding Use of National Security Authorities for calendar year 2016.
The annual Transparency Report provides statistics on how often the US government uses certain national security authorities for surveillance. It also explains the legal basis on which surveillance under each authority may be carried out and names the agencies that use these authorities, such as the CIA, the FBI and the NSA.
It shows that, depending on the surveillance activity applied and the purpose of the investigation, both U.S. persons and non-U.S. persons can be targets, and it describes which legal prerequisites have to be met when a target is investigated.
For example, the Transparency Report gives the number of National Security Letters (NSLs) issued by the Federal Bureau of Investigation (FBI). That number decreased slightly compared to the previous year. Note, however, that the number of NSLs issued is not the same as the number of individuals or organisations that are their subjects.
Personal data collected during an investigation may include, for example, telephone numbers or email addresses.
10. April 2017
The social networks Facebook and Instagram have tightened the rules on how their users’ data may be used. Research by the American Civil Liberties Union (ACLU) had earlier revealed that the Internet analytics company Geofeedia was using publicly available data from Facebook, Instagram and Twitter to track participation in protests, and that it evaluated this data and sold the results to government agencies. Facebook and Instagram responded by making their data-use conditions more stringent: software developers are now expressly forbidden to use data from the networks for surveillance purposes. Twitter had already adopted corresponding rules by the end of 2016.
2. March 2017
Yet another toy maker, Spiral Toys, has hit the headlines. The company suffered a large data breach involving its CloudPets stuffed animals, exposing the personal data of 800,000 users, including email addresses, passwords, profile pictures and 2 million voice recordings.
CloudPets connect via Bluetooth to an app on a smartphone, so that parents can send voice messages to the toy for their children.
The data were stored in an Internet-facing database that required no authentication, so anyone who found it could read it. According to web security expert Troy Hunt, the passwords were not stored in the clear but in hashed form; since Spiral Toys imposed no password strength requirements, however, attackers “could crack a large number of passwords, log on to accounts and pull down the voice recordings”.
Spiral Toys’ Mark Meyers denied that voice recordings were stolen. Nevertheless, the company intends to tighten its password strength requirements now that the breach has been made public.
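The failure mode Troy Hunt describes is easy to reproduce. The block below is an added example, not Spiral Toys’ code: the page does not name the hash that was used, so PBKDF2-HMAC-SHA256 from Python’s standard library stands in for it (any salted, slow hash behaves the same way). The accounts, passwords, wordlist and blocklist are constructed for the demonstration. It shows an offline dictionary attack on the “leaked” rows recovering every weak password within a handful of guesses while leaving the strong one intact, and the kind of server-side password policy that would have rejected those weak passwords at sign-up.

```python
"""
Added example (not Spiral Toys' code): a hashed password store does not
protect weak passwords; a strength policy at registration does.

Assumptions not stated on the page: passwords are stored as a salted, slow
hash (PBKDF2-HMAC-SHA256 here as a stand-in); all accounts, passwords and
wordlists below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import string
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 10_000  # kept low so the demo runs in well under a second

# Constructed "leaked" accounts: three weak passwords, one strong one.
SAMPLE_ACCOUNTS = {
    "parent1@example.com": "cloudpets",
    "parent2@example.com": "123456",
    "parent3@example.com": "qwerty",
    "parent4@example.com": "Rx!7vK#2mQz9wL",
}

# Constructed attacker wordlist: a few common passwords plus the product name.
WORDLIST = ["password", "123456", "qwerty", "cloudpets", "letmein", "welcome"]

# Constructed blocklist for the policy (a real one is the top-N list from past breaches).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "cloudpets", "letmein", "welcome", "abc123"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh random salt per account stops
    attackers sharing work across accounts; it does not slow down guessing
    any single account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def build_sample_records() -> List[Tuple[str, bytes, bytes]]:
    """Simulate the leaked database rows as (email, salt, digest)."""
    return [(email, *hash_password(pw)) for email, pw in SAMPLE_ACCOUNTS.items()]


def crack_records(records: List[Tuple[str, bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack on leaked rows. Each guess costs one PBKDF2
    run, so a slow hash bounds the attacker's rate, but a weak password still
    falls within a few guesses."""
    recovered: Dict[str, str] = {}
    for email, salt, digest in records:
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                recovered[email] = guess
                break
    return recovered


def check_password_policy(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Server-side strength rule: minimum length, not on the breached-password
    blocklist, and more than one character class. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears on the common-password blocklist"
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in group for c in password) for group in groups)
    if classes < 2:
        return False, "uses only one character class"
    return True, "ok"


def main() -> None:
    records = build_sample_records()
    recovered = crack_records(records, WORDLIST)
    for email, pw in SAMPLE_ACCOUNTS.items():
        status = "CRACKED as %r" % recovered[email] if email in recovered else "not cracked"
        accepted, reason = check_password_policy(pw)
        verdict = "accept" if accepted else "reject"
        print("%-22s %-24s policy: %s (%s)" % (email, status, verdict, reason))


if __name__ == "__main__":
    main()
```

Running the script cracks the three weak accounts and leaves the fourth alone, and the policy check rejects exactly those three passwords. The point is that salting and a slow hash only raise the cost per guess; they cannot help a password that an attacker tries in the first ten attempts, which is why the policy has to be enforced at registration rather than relying on the hash after a leak.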
Both the decision of the German Federal Network Agency to take the “My friend Cayla” doll off the market in Germany and the data breach suffered by Spiral Toys show that the privacy concerns raised by smart toys should be taken seriously by their makers.
21. February 2017
The German Federal Network Agency (Bundesnetzagentur) has taken the “My friend Cayla” doll off the market because of privacy concerns. The doll is equipped with a microphone and answers children’s questions using an Internet connection. It was therefore classified as a “concealed listening device” under section 90 of the Telecommunications Act (“Telekommunikationsgesetz”).
The Agency stated that the doll could be used to record and transmit children’s conversations without the parents’ knowledge. In addition, it is reportedly possible to listen in on children’s conversations by connecting to the doll over its unsecured Bluetooth link.
Complaints were also filed in the US, but the Federal Trade Commission decided not to take any action.
Meanwhile, the doll’s German distributor stated that “My friend Cayla” is not an espionage device and that it will challenge the Agency’s decision in court.
16. January 2017
As a recent study shows (published in October by the French research group Eleas), more than a third of French workers use their devices every day to work out of hours.
While checking work email after hours gives employees a degree of autonomy and flexibility in working outside the office, the habit can also lead to “info-obesity” (according to a report submitted in September 2015 to labour minister Myriam El Khomri).
Anna Cox, an expert on computing and work-life balance at University College London (UCL), says: “Some of the challenges that come with flexibility are managing those boundaries between work and home and being able to say ‘actually I am not working now’.”
Since 1st January, French companies have therefore had to guarantee their employees a “right to disconnect”: the new employment law has entered into force. All organisations with more than 50 employees are now obliged to define their employees’ rights to disconnect from technology.
The law aims to curb employees’ overuse of digital devices after working hours, which has recently led to a surge in unpaid overtime.
Some companies have already taken steps to reduce the problem, such as automatically deleting emails received by employees on holiday or cutting off email access outside working hours.
Even though no sanction is foreseen for breaching this obligation, companies must publish a charter setting out what may be demanded of employees out of hours and what their rights are.
9. December 2016
On Tuesday, Instagram announced the launch of several features that help its users protect their privacy.
Some time ago, Instagram already introduced a feature to filter comments by keyword. Now users can also turn off comments on any post if they wish. Furthermore, a new feature to like comments will be added in order to maintain a positive environment.
Another important feature is the possibility to remove followers from private accounts. Until now, users with a private account could choose which followers to accept, but once a follower was accepted there was no way to remove them. The new feature makes it possible to remove followers, and the removed followers will not be notified.
Finally, a reporting tool will be available to all users. It can be used when a user suspects, based on published posts, that another user may harm themselves. Reports can be made anonymously; the tool aims to offer support and help and to connect the reported persons with specialised organisations.
Instagram’s CEO announced that further changes will follow to make Instagram safer to use.
2. December 2016
CNIL, the French Data Protection Authority, has just released its report on the public consultation of professionals about the upcoming General Data Protection Regulation (GDPR).
The report is based on 540 replies from 225 contributors, and its main topics are:
- the Data Protection Officer, DPO
- the right to data portability,
- the data protection impact assessments and
- the certification mechanism.
The report states that there are open questions about how the requirements of the GDPR should be applied in practice. Some of the most frequently asked questions are:
- What is considered to be a conflict of interest – who can be appointed?
- Can the DPO be a whole team? Can a DPO be a legal person?
- What kind of investments will need to be made in order to implement the right to data portability?
CNIL therefore announced that national communication campaigns will be launched and that training sessions and workshops will be held in cooperation with the current CILs (Correspondants Informatique et Libertés).