Category: General
1. June 2016
The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued this week his opinion on the EU-U.S. Privacy Shield. The EDPS is an independent EU institution created in 2004 that assesses EU institutions on policies and legislation related to privacy and data protection and cooperates with authorities in these matters.
The EDPS emphasized on the following key aspects related to the EU-U.S. Privacy Shield:
- The current draft is not solid enough and improvements should be made in order to withstand scrutiny before the ECJ.
- The Privacy Shield should offer a long-term solution regarding international data transfers to the U.S.
- The protection provided by the Privacy Shield should ensure the rights to redress, transparency, data privacy and oversight.
- It should also prevent from indiscriminate surveillance by American authorities.
- The draft should comply with the GDPR, including international data transfers.
- International companies should be aware of and comply with their obligations on privacy and data protection issues.
To sum up, the Privacy Shield should offer an equivalent data protection level to that existing in the EU.
24. May 2016
Allo, the new instant messaging app from Google, has been presented this week and is expected to be available for users this summer. As many other technological companies, such as WhatsApp, Facebook, or Apple, Google has decided to implement end-to-end encryption in this app. End-to-end encryption ensures privacy in certain messaging and video call apps so that not even authorities have access to the information stored.
However, unlike WhatsApp, Facebook messenger or iMessage, end-to-end encryption in Allo has to be activated by the user by selecting the “incognito” mode, what has been subject to strong criticism. As Google explained, end-to-end encryption is not activated by default in order to be able to connect it with the functionalities of Google Assistant, which provides tailored recommendations to its users according to the data stored in Google apps. This means that queries to Google’s own servers may be necessary. If “incognito” mode is active Google Assistant’s features may not be able to be used.
Morey Haber, Vice-President of technology, at the cybersecurity company BeyondTrust, acknowledges the possibility to combine end-to-end encryption with the artificial intelligence feature, but he admits that in this case it is not possible that the queries to Google Assistant are fully processed.
Google engineer, Thai Duong, has posted in his personal blog about the security and privacy features of the app.
19. May 2016
In 2012 LinkedIn was hacked and 6.5 million encrypted passwords were posted online.
This data breach has now turned out to be far more extensive than originally thoght. This is due to the fact that a hacker called “Peace” is trying to sell account information of 117 million LinkedIn users, including their e-mail addresses and passwords.
The hacked data search engine LeakedSource, has also obtained the data. Although the passwords were originally encrypted, so that a series of random digits were attached to the end of hashes, in order to make them harder to be cracked, LeakedSource claims to have cracked 90 percent of the passwords in 72 hours.
The security researcher Troy Hunt, maintaining the breach notification site “Have I Been Pwned?,”talked to some of the victims of this data breach. Two of them confirmed that they were users of LinkedIn and that the password that Hunt shared with them was indeed the one they were using at the time of the data breach.
LinkedIn confirmed this week that the new data is legitimate:
The company’s chief information security officer Cory Scott stated that “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,“ and went on “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.“ Furthermore, Scott also suggested that in order to keep their accounts as safe as possible, members visit their safety center to learn about enabling two-step verification, and to use strong passwords.
17. May 2016
Two years ago, the Court of Justice of the European Union established the “right to be forgotten”. An organization named Reputation VIP launched a website, forget.me, that should help consumers in Europe submitting requests to Google and Bing.
Based on the consumer submissions through the site, 130,000 URLs, the company released a new report on the trends of the outcome of the requests of the “right to be forgotten” related to geographic location and success rates of those requests.
The study shows, that with regard to geographical means the top three countries from which requests originate are Germany, the UK and France. In more detail it is to say, that more than half of all requests came from Germany and the UK.
With respect to the success rates of the mentioned requests the report states, that Google denies about 70 percent to 75 percent of them.
Furthermore, the study shows, that Google most frequently denies removal requests concerning professional activity. Whereas the type of request is in 61 % of the cases due to an invasion of privacy.
11. May 2016
A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.
10. May 2016
Dataminr is used as a tool that analyzes and traces social media posts and notifies users about breaking news in real time, such as the terror attack in Brussel´s airport in March. This analysis is carried out by using key words, patterns, or geotags.
Twitter, that owns 5% of Dataminr, has now blocked U.S. intelligence services from its Dataminr service, in order not to appear to support the surveillance activities of the U.S. Intelligence services.
Dataminr services where used by the American Government in 2013 to detect any risks on the inauguration of U.S. President Obama´s second term. However, it is not clear how Dataminr provided this service to the U.S. Intelligence services, as Twitter´s privacy policy prohibits selling its data to governmental agencies.
29. April 2016
During this week credential data from hundreds of Spotify users was posted on the internet. This data includes country of registration, user name, password and type of account.
However, Spotify denied having suffered a data security breach. Furthermore, a company spokesman stated that they monitor certain websites regularly in order to find out if user credentials have been stolen and check if these credentials are authentic. If so, they inform the user and request a password change. Despite the statement of the spokesman, several users confirmed that their playlists had been accessed and their passwords and associated e-mails changed.
Spotify has suffered during the last years several hacker attacks. The last occurred in November 2015 and also user data was made public. Regarding the data posted online this week, the company states that it could affect data related to previous hack attacks.
12. April 2016
In the past week, the EU national governments endorsed the latest draft of the European Union’s General Data Protection Regulation (GDPR) in a vote held by the Council of Ministers. It is now expected that the European Parliament will approve the GDPR within this week, along with a new Data Protection Directive for police and criminal justice authorities.
According to a press release of the Council of Ministers, which was published shortly after the vote last week, one of the main benefits of the Regulation is the fact that it provides for a single set of rules, which are valid across the EU and applicable both to European and non-European companies offering online services in the EU. Thus, the regulation provides the framework for increased cooperation between EU member states to ensure coherent application of the data protection rules.
The regulation follows a risk-based approach, which means that data controllers will be able to implement measures according to the risk involved in the data processing operations they perform. This will likely reduce administrative costs, as companies will not be forced to implement a “one-size-fits all“ solution.
29. March 2016
The French Data Protection Authority (“CNIL”) fines Google for data protection violation. In May 2014, the European Court of Justice had decided, that citizens could request search engines to delist inadequate or irrelevant web search results of themselves; the so-called “right-to-be-forgotten” was born.
The CNIL has now fined the US search engine 100.000 Euros over the right-to-be-forgotten, since Google just delisted web search results regionally, for instance only accross their European websites, such as google.fr and not also on the google.com website. By delisting web search results of a person only regionally, the data subject will practically not be able to exercise her/his right-to-be-forgotten efficiently. Search engines should instead delist search results from all their domains.
With the refugee crisis, a new capital between Turkey and the EU has started. In order to receive visa liberalization for Turkish citizens in the EU, Turkey has to fulfill certain criteria. One of the required criteria for Turkey was to pass a personal data protection law. On March 24, the Turkish parliament has finally passed a personal data protection bill.
The Turkish personal data protection law will e. g. define personal data and sensitive personal data. Among others, it will also regulate data transfers and individual rights of the data subject.
Since the law has passed now, a next step will be creating a nine-member Committee of Personal Data Protection under the Personal Data Protection Institute, affiliated with the Prime Ministry.